CVE-2013-3367
📋 TL;DR
CVE-2013-3367 is a critical authentication bypass vulnerability in TRENDnet TEW-691GR and TEW-692GR routers. It allows unauthenticated attackers to access an undocumented TELNET service via a specific backdoor web page with a hardcoded password, potentially leading to full device compromise. This affects all users of these router models with vulnerable firmware.
💻 Affected Systems
- TRENDnet TEW-691GR
- TRENDnet TEW-692GR
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete router takeover allowing attacker to intercept all network traffic, modify DNS settings, install malware, pivot to internal network devices, and maintain persistent access.
Likely Case
Router configuration compromise leading to traffic interception, DNS hijacking, credential theft, and potential lateral movement to connected devices.
If Mitigated
Limited impact if router is behind firewall with strict inbound rules, though internal network compromise remains possible if attacker gains initial access.
🎯 Exploit Status
Exploitation requires only HTTP request to specific URL with hardcoded password parameter; trivial to automate.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown specific version - check TRENDnet support for latest firmware
Vendor Advisory: Not publicly available - check TRENDnet support portal
Restart Required: Yes
Instructions:
1. Log into router admin interface
2. Navigate to firmware update section
3. Download latest firmware from TRENDnet support site
4. Upload and apply firmware update
5. Reboot router after update completes
🔧 Temporary Workarounds
Disable remote administration
allPrevent external access to router administration interface
Block TELNET service
linuxUse firewall rules to block TELNET port 23 inbound and outbound
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A OUTPUT -p tcp --dport 23 -j DROP
🧯 If You Can't Patch
- Replace affected routers with newer models from different vendors
- Place routers behind dedicated firewall with strict inbound/outbound rules blocking all unnecessary ports
🔍 How to Verify
Check if Vulnerable:
Attempt HTTP GET request to router IP: http://[router-ip]/backdoor?password=j78G¬DFdg_24Mhw3 - if returns 200 OK, device is vulnerableCheck Version:
Check router web interface admin page or use: telnet [router-ip] 23 (if accessible) and check bannerVerify Fix Applied:
Same check should return 404 or access denied after patching; also verify TELNET service is not accessible on port 23📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /backdoor with password parameter
- Unexpected TELNET connections from WAN interface
- Multiple failed login attempts followed by successful access
Network Indicators:
- Port 23 (TELNET) traffic to/from router
- HTTP requests containing 'backdoor' and 'password=j78G¬DFdg_24Mhw3' in URL
SIEM Query:
source_ip=router_ip AND (url_path="/backdoor" OR dest_port=23)🔗 References
- https://www.ise.io/casestudies/exploiting-soho-routers/
- https://www.ise.io/soho_service_hacks/
- https://www.ise.io/wp-content/uploads/2017/07/soho_techreport.pdf
- https://www.ise.io/casestudies/exploiting-soho-routers/
- https://www.ise.io/soho_service_hacks/
- https://www.ise.io/wp-content/uploads/2017/07/soho_techreport.pdf
