An easily exploitable backdoor that provides full control over the device has been discovered in several routers made by D-Link, potentially putting networks and user data at risk.
Security researcher Craig Heffner of Tactical Network Solutions found the backdoor by disassembling version 1.13 of the D-Link firmware for the DIR-100, where he came across a function named alpha_auth_check.
After some detective work Heffner, who specialises in embedded systems, worked out that the function opens up a backdoor into popular consumer DSL and wireless routers.
By setting the user-agent identifier in a web browser to the string "xmlset_roodkcableoj28840ybtide", anyone can access the administrative web interface on certain D-Link routers, without authentication.
Heffner tried on a DI-524UP wireless router and confirmed that setting the user-agent to the above string provides full control over the device.
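Because the backdoor is triggered purely by a request header, its use leaves a trace in any web access log that records the User-Agent. The following detection script is an added example, not code from the article or from Heffner; it assumes logs in Apache combined format, and the sample lines are constructed, not real traffic.

```python
import re
from typing import Dict, List, Optional

# Backdoor User-Agent string reported by Heffner (quoted in the article).
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Apache combined log format (assumed):
# ip ident user [time] "request" status size "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_backdoor_user_agent(ua: str) -> bool:
    """True if the header carries the backdoor token, whatever its case or position."""
    return BACKDOOR_UA in ua.lower()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line; return None for lines that do not match."""
    m = _LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_backdoor_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return source IP, request and status for every request using the backdoor string."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_backdoor_user_agent(rec["ua"]):
            hits.append({"ip": rec["ip"], "request": rec["request"], "status": rec["status"]})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2013:10:01:02 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.9 - - [12/Oct/2013:10:01:05 +1100] "GET / HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.9 - - [12/Oct/2013:10:01:07 +1100] "POST / HTTP/1.1" 200 128 "-" "Mozilla/4.0 XMLSET_ROODKCABLEOJ28840YBTIDE"',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print(f'{hit["ip"]} used backdoor UA: {hit["request"]} -> {hit["status"]}')
```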
Spelt backwards, the string reads "Edit by Joel 04882 backdoor". At this stage, it is not known who Joel is. According to Heffner, the firmware appears to have been modified by D-Link spin-off Alpha Networks, but it isn't known whether the company inserted the backdoor.
Heffner believes several D-Link devices have the backdoor in their firmware, and listed the below models as likely to be vulnerable:
- DI-604 +
Several of the above D-Link routers are, or have been, sold in Australia, and iTnews was able to replicate Heffner's findings on a DI-604 router.
Two models from Japanese vendor Planex are also listed by Heffner as being vulnerable, namely the BRL-04UR and BRL-04CW routers, as they use the same D-Link firmware.
The exploit has been known since at least 2010, when it was mentioned on Russian Internet forums. It also received a mention on the Russian VKontakte (VK) social network after Heffner's blog post.
VK has around 228 million users currently.
iTnews has sought comment from Heffner and D-Link on the backdoor discovery, and will update the story when it becomes available.