Tenda Wireless Routers Feature Backdoor

Some wireless router models produced by Chinese company Tenda Technology are vulnerable to remote attacks, says Craig Heffner, the researcher who also spotted the backdoor in D-Link routers.

Unpacking the firmware update for the Tenda networking kit, Heffner found “suspicious code” that enables an unauthorized person to highjack the router “by sending a UDP packet with a special string.”

Apparently the bug is in the httpd component, where the MfgThread() function deploys a backdoor that can execute commands from remote C&C centers. Basically, once a remote attacker gets into the local network, he can send commands with root privileges to the device.

“The backdoor only listens on the LAN, thus it is not exploitable from the WAN. However, it is exploitable over the wireless network, which has WPS enabled by default with no brute force rate limiting,” Heffner writes in an advisory.

According to Heffner`s research, the vulnerable router models are Tenda`s W302R and W330R along with the rebranded Medialink MWN-WAPR150N.

Early this year, Cisco-powered Linksys routers were also found vulnerable to unauthorized remote access, where an attack could seize root privileges on the device. The bug affected both new and older versions of Linksys firmware. In February, DIR-600 and DIR-300 of D-Link routers allowed hackers to redirect Internet traffic and even change users` device passwords.