Hello,
This is my first post here in a long time, but I felt this issue is important enough to let people know.
A security researcher found that if you set your browser's User-Agent string to "'xmlset_roodkcableoj28840ybtide" (no quotes) and access the Web interface of some D-Link routers, you will be authenticated successfully without having to input a username and password, even if a username and password are configured and normally required to access the interface.
In reverse, this User-Agent string value reads "edit by 04882 joel backdoor" and seems to be something D-Link or one of its programmers implemented in the firmware for a yet unknown reason. The researcher speculates:
"After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, 'Don’t worry, for I have a cunning plan!'."
A more technical explanation is in the original source.
Obviously, regardless of the reason, this is a very bad thing security-wise.
Routers with remote administration enabled -- routers with the Web interface exposed to the Internet -- are in immediate danger. However, having the Web interface accessible from the internal network without authentication through this bug is also bad, especially in cases where visitors are frequently connecting to the Wi-Fi or when a computer on the network is infected with malware.
Affected devices: DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240, DIR-615 (reportedly) and possibly others that haven't been tested yet.
D-Link said it plans to release firmware updates to address this issue until the end of October, so be on the lookout for updates.
Until then, disable remote management if possible and secure your Wi-Fi networks. Avoid letting strangers onto your network as much as possible.
Some other things to point out:
- Changing the browser User-Agent string is easy. There are extensions to do this for Firefox, Chrome and other browsers.
- Attackers can easily locate vulnerable routers that have their Web interface exposed to the Internet by using the SHODAN search engine and searching for a particular string.
I suggest a moderator -- FurryNutz maybe? -- re-post this security notice on other topics for other affected router models.
If you have a router that's not yet known to be vulnerable and test this successfully on it, please let people know in this thread.
Best regards.
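An added example, not part of the post above and not code from D-Link or the researcher: a small Python script that scans web-server or proxy access logs (Combined Log Format) for requests whose User-Agent carries the backdoor marker named in the post, so an administrator can spot attempts against an exposed router interface. The log lines are constructed for the example; the `reverse_reads` helper just shows the string read backwards, as the post describes.

```python
import re
from dataclasses import dataclass
from typing import List

# Backdoor User-Agent marker reported in the post above. Read backwards it
# spells "editby04882joelbackdoor_teslmx".
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Constructed sample access-log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2013:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
192.0.2.11 - - [12/Oct/2013:10:01:05 +0000] "GET /index.htm HTTP/1.1" 200 4096 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.7 - - [12/Oct/2013:10:02:17 +0000] "GET /tools_admin.htm HTTP/1.1" 200 2048 "-" "Mozilla/5.0 xmlset_roodkcableoj28840ybtide"
192.0.2.12 - - [12/Oct/2013:10:03:00 +0000] "POST /login.cgi HTTP/1.1" 401 128 "-" "curl/7.32.0"
"""

# Combined Log Format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    request: str
    status: int
    user_agent: str


def reverse_reads(ua: str) -> str:
    """Return the User-Agent read backwards (the post's 'edit by ... joel backdoor' observation)."""
    return ua[::-1]


def is_backdoor_ua(ua: str) -> bool:
    # Substring match rather than equality: a conservative detection choice,
    # since the marker could be embedded in a longer User-Agent string.
    return BACKDOOR_UA in ua


def scan_log(text: str) -> List[Hit]:
    """Parse each log line and return the requests carrying the backdoor marker."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        if is_backdoor_ua(m["ua"]):
            hits.append(Hit(m["ip"], m["ts"], m["req"], int(m["status"]), m["ua"]))
    return hits


if __name__ == "__main__":
    print("marker reversed:", reverse_reads(BACKDOOR_UA))
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.ip} {h.request} -> {h.status} UA={h.user_agent!r}")
```

A 200 response on an administrative page paired with this User-Agent is the signal worth alerting on; the same check can be dropped into an IDS rule or proxy filter that sees traffic headed for the router's management port.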