Hidden Backdoor in Digicom Router?
In this article, let us take a close look at the Digicom router DG-M342T. First, let us view the technical specifications of the router. It's a 2.4 GHz router with one WAN port and four LAN ports. Nothing fancy, but it's a decent router for use as a secondary Wi-Fi router.
The box of the router points to the official website i.e. digicom.com.hk. Upon opening the website, we are greeted with this maintenance screen.
Performing some background checks on the website via archive.org, it turns out that the website has been in maintenance mode since 2016. So we are not off to a good start here.
Looking into the router's setup pages, they closely resemble those of a D-Link router. Initially, I thought that this router might be running a modified D-Link firmware. This claim was kind of verified when I found a JavaScript file "menu.js" on the page: the JS code had a function openSupport() that opens D-Link's website.
While checking the router page, I found an interesting page that was accessible without login i.e. "status.htm" which gave some basic information about the router.
Looking further and deeper into the router, I came across the router's telnet enable/disable page.
I enabled it and performed a quick port scan to verify that the port was open.
Then, I tried to connect over telnet using the router credentials that I had set via the setup page. It worked and I was in.
The list of available commands inside the telnet session was as follows:
Most of the commands were for providing debug information. The particular command that piqued my interest was "login". Upon running the command, I found out that it accepted arguments.
I was interested in the show argument and I ran it. To my surprise, instead of it showing a single account detail I set on the router, it showed two accounts: one that I set and another one which probably is a backdoor account. What seems even more interesting is that the priority of the account is higher than that of my own.
I opened a new terminal and tried to telnet to the router using the new credentials, i.e. admin:3EF4airocon. The login was successful. Upon login, I immediately noticed that the list of commands this account could access was larger than that of a normal account.
I also tested the credentials on the router setup page.
But instead of it working like a normal account, I landed on a 404 page.
Even the login page was no longer accessible.
The page was inaccessible even via curl.
With no other choice, I had to restart my router to restore it back to the previous working state.
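For owners of this or a similar router, the two exposures worth checking from the LAN are the ones the post walks through: whether the telnet service is reachable at all, and whether the status page is served without a login. The script below is an added example, not code from the original post or from Digicom; the gateway address 192.168.0.1 is an assumption (adjust it to your own LAN), while the "/status.htm" path and telnet port 23 come from the post. The decision logic is kept in a pure function so it can be exercised without a router present.

```python
"""Audit a home router for a reachable telnet service and an
unauthenticated status page. Added example, not part of the original
post; the router address is an assumption, the page path is from the post."""
import socket
import urllib.error
import urllib.request

ROUTER = "192.168.0.1"        # assumption: replace with your LAN gateway
STATUS_PATH = "/status.htm"   # page the post found reachable without login
TELNET_PORT = 23


def telnet_reachable(host, port=TELNET_PORT, timeout=2.0):
    """Return True if a plain TCP connection to the telnet port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_status(host, path=STATUS_PATH, timeout=3.0):
    """Request the status page with no credentials.
    Returns (http_code, needs_auth); http_code is None if unreachable."""
    url = f"http://{host}{path}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, False
    except urllib.error.HTTPError as err:
        # 401 means the page exists but demands a login, which is the desired state
        return err.code, err.code == 401
    except (urllib.error.URLError, OSError):
        return None, False


def assess(telnet_open, status_code, needs_auth):
    """Pure decision logic: map the two observations to remediation findings."""
    findings = []
    if telnet_open:
        findings.append(
            "telnet (tcp/23) is reachable: disable it on the setup page; "
            "telnet carries credentials in clear text and exposes a debug shell")
    if status_code == 200 and not needs_auth:
        findings.append(
            "status page is served without login: device details are readable "
            "by anyone on the LAN; restrict or firewall the management interface")
    return findings


def audit(host=ROUTER):
    """Run both probes against the router and return the list of findings."""
    code, needs_auth = fetch_status(host)
    return assess(telnet_reachable(host), code, needs_auth)


if __name__ == "__main__":
    for line in audit() or ["no findings"]:
        print(line)
```

If the audit reports telnet open even though you never enabled it, or a `login show` listing contains more accounts than you created, treat the device as untrustworthy: a factory reset does not remove an account baked into the firmware, so the practical mitigations are to keep the router off the internet-facing edge, disable telnet, and replace it.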
In conclusion, this particular Digicom router seems very suspicious and full of surprises. From the official website to the backdoor account, everything about the router seems pretty eccentric. With this blog, I hope to raise some awareness among the users of Digicom routers.