Easy to exploit backdoor found in several D-Link router models

by Mark Tyson on 15 October 2013, 11:00

It has been found that seven domestic router models made by the well-known networking firm D-Link can be easily controlled remotely via a back door. Researcher Craig Heffner found the backdoor by reverse engineering D-Link router firmware. This process revealed a character string that can be used to get full access to the admin pages of these routers. D-Link has promised a fix for this vulnerability by the end of October.

Heffner speculates that the backdoor was used by D-Link to provide remote firmware updates. He noted that a hard-coded string in the authentication code, ‘xmlset_roodkcableoj28840ybtide’, provides full access to the router web interface with no username or password required when it is sent as the HTTP ‘user agent’ string. Reading that string backwards gives ‘edit by 04882 joel backdoor’, so it looks like a programmer called ‘Joel’ put this back door into the router software deliberately.
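As an added example (not from the article, D-Link or Heffner), the following Python script shows how a defender could sweep a web-server or proxy access log for requests carrying that User-Agent value, separating LAN from WAN sources so that the "is remote access actually reachable?" question can be answered from evidence. The log lines, addresses and paths are constructed, and the LAN ranges are assumed to be RFC 1918.

```python
import re
import ipaddress
# The hard-coded User-Agent value reported by Heffner and quoted in the article above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumed LAN ranges (RFC 1918); adjust to the network being monitored.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined log format: ip - - [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_remote(ip):
    """True when the client address lies outside the assumed LAN ranges (i.e. WAN side)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable address: treat as untrusted
    return not any(addr in net for net in LAN_NETS)

def find_backdoor_requests(lines):
    """Return (ip, request, status, remote) for each request carrying the backdoor User-Agent."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Substring, case-insensitive: wider than an exact compare, which is what a detector wants.
        if BACKDOOR_UA in rec["ua"].lower():
            hits.append((rec["ip"], rec["request"], rec["status"], is_remote(rec["ip"])))
    return hits

# Constructed sample log lines; the addresses and paths are made up, not from a real device.
SAMPLE_LOG = """\
192.168.0.10 - - [15/Oct/2013:11:00:01 +0100] "GET /index.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Oct/2013:11:02:14 +0100] "GET /admin.htm HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"
192.168.0.23 - - [15/Oct/2013:11:05:30 +0100] "GET /login.htm HTTP/1.1" 401 128 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Oct/2013:11:07:02 +0100] "POST /admin.htm HTTP/1.1" 200 64 "-" "XMLSET_ROODKCABLEOJ28840YBTIDE"
"""
if __name__ == "__main__":
    for ip, req, status, remote in find_backdoor_requests(SAMPLE_LOG.splitlines()):
        print(f"ALERT backdoor User-Agent from {ip} ({'WAN' if remote else 'LAN'}): {req} -> {status}")
```

A hit from a WAN address with a 200 status is the signal that remote administration was reachable at that moment, regardless of what the router's settings page claims.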

The list of affected D-Link routers is as follows:

  • DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and the TM-G5240
  • Planex, a Japanese networking company, also has two router models that are equally vulnerable: the BRL-04UR and BRL-04CW.

D-Link has published an update on this “router security issue” on its support pages. The firm says that “Security and performance is of the utmost importance to D-Link across all product lines”. D-Link also said it was currently working with the sources of the back door reports “to ensure that the vulnerabilities discovered are addressed”.

While the networking hardware firm readies updates for the affected routers, it has recommended that users do the following:

  • Ignore unsolicited emails about security vulnerabilities that prompt you to take action. These could allow unauthorised access to your network.
  • Make sure that your wireless network is secure.
  • Disable remote access to your router if it is not required (this is disabled by default).

As mentioned in the introduction, D-Link hopes to have updates available to apply to the affected router models by the end of October. Planex is yet to respond to the news.



HEXUS Forums :: 18 Comments

Hmmm.

Re: the “advice” from DLink, ….
  • Ignore unsolicited emails about security vulnerabilities that prompt you to action. These could allow unauthorised access to your network
  • Make sure that your wireless network is secure.
  • Disable remote access to your router if it is not required (this is disabled by default).

The first is good, standard advice, but I struggle to see how it helps address a remote-access backdoor.

The second is again good, standard advice, but again, relevant how?

The third, if and I stress IF some other reports on this are accurate, is utterly disingenuous, if not deceitful, because those reports have pointed out that IF you have backdoor access to the router admin panel, you can simply re-enable remote access.

I'm glad I don't have a Dlink router, and certainly not one of the affected models, but if I did, I'd want clarification on that issue.

But more worryingly, if Dlink have such a security breach in their firmware, then either it was deliberate and authorised, or control over code is pretty poor, and that is inexcusable in a product like this. If a lone programmer can sneak a backdoor in router firmware, what else could a rogue lone wolf sneak a backdoor into? Windows? Firewalls? Your bank's software? Nuclear launch systems? Okay, the last is a tad extreme, maybe, but it does highlight one point I've long believed …. if you want to be sure your systems and data are safe from net intrusion to your network, the ONLY way to do it is to not have a net connection to your network.

And most worryingly of all, if an apparently reputable company like DLink can screw up like this, the rest of us that don't have affected models can't be smug about it, because it may be that other backdoors in other makes (or models) just haven't been spotted yet.

If the information in the article is correct, it seems that this backdoor was put there deliberately by D-Link. I really doubt it was done by some rogue ‘lone wolf’ programmer from D-Link.

Saracen
The third, if and I stress IF some other reports on this are accurate, is utterly disingenuous, if not deceitful, because those reports have pointed out that IF you have backdoor access to the router admin panel, you can simply re-enable remote access.

But if admin panel access from the WAN interface is disabled, i.e., the web daemon isn't listening on 80/tcp on the WAN interface, how can someone get into it to enable it?

I think the assumption is that if remote access is disabled and wifi is secure, then you need to either break the wifi or gain physical network access in order to use the user-agent exploit, after which you can re-enable remote access.

The first bit of advice… you could follow a link that used XSS to then enable remote access on the router.

The second and third are explained in my first paragraph.

Still, here's another reason why Open Source software is good - this would not have slipped past.

Also, poor Joel.

burble
But if admin panel access from the WAN interface is disabled, i.e., the web daemon isn't listening on 80/tcp on the WAN interface, how can someone get into it to enable it?

It all depends how a backdoor works, doesn't it? If the router isn't listening on 80, then fine. But if the code merely dumps anything that arrives on 80, then it could be that the backdoor bypasses that process just as it bypasses username/password routines.