An easily exploitable backdoor that provides full control over the device has been discovered in several routers made by D-Link, potentially putting networks and user data at risk.
Security researcher Craig Heffner of Tactical Network Solutions found the backdoor by disassembling the version 1.13 D-Link firmware for the DIR-100 and locating the alpha_auth_check function inside it.
After some detective work, Heffner, who specialises in embedded systems, worked out that the function opens up a backdoor into popular consumer DSL and wireless routers.
By setting the user-agent identifier in a web browser to the string "xmlset_roodkcableoj28840ybtide", anyone can access the administrative web interface on certain D-Link routers, without authentication.
Heffner tried on a DI-524UP wireless router and confirmed that setting the user-agent to the above string provides full control over the device.
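Because the bypass is triggered purely by the User-Agent header, the telltale string will appear in any HTTP access log kept in front of the router's administrative interface. The following script is an added illustration, not part of the original article and not code from Heffner, D-Link or Alpha Networks: it parses combined-format access log lines (an assumed format; the sample lines and paths in it are constructed) and reports every request carrying the backdoor User-Agent, case-insensitively, together with the source address.

```python
import re
from dataclasses import dataclass

# The User-Agent string reported by Heffner; matching is done case-insensitively.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Combined log format ("ip ident user [time] "request" status bytes "referer" "user-agent"),
# as written by a reverse proxy or syslog relay in front of the admin interface.
# This format is an assumption for the example, not something the routers themselves emit.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (addresses from RFC 5737 documentation ranges; paths invented).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2013:14:02:11 +1100] "GET /index.htm HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [12/Oct/2013:14:03:45 +1100] "GET /admin.htm HTTP/1.1" 200 2048 "-" '
    '"xmlset_roodkcableoj28840ybtide"',
    '192.0.2.10 - - [12/Oct/2013:14:04:02 +1100] "GET /login.htm HTTP/1.1" 401 0 "-" '
    '"Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.9 - - [12/Oct/2013:14:05:30 +1100] "POST /apply.cgi HTTP/1.1" 200 128 "-" '
    '"XMLSET_ROODKCABLEOJ28840YBTIDE"',
    "garbage line that does not parse",
]


@dataclass
class Hit:
    ip: str
    ts: str
    request: str
    status: str


def find_backdoor_hits(lines):
    """Return one Hit per log line whose User-Agent contains the backdoor string."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        if BACKDOOR_UA in m.group("ua").lower():
            hits.append(Hit(m.group("ip"), m.group("ts"), m.group("req"), m.group("status")))
    return hits


def hits_by_source(hits):
    """Count hits per source address, which is what an analyst triages first."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_backdoor_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.ip} {h.request} -> {h.status}")
    print(hits_by_source(found))
```

A hit with a 200 status against an administrative page is the case to act on, since it indicates the bypass succeeded; hits from addresses outside the LAN are only possible when remote administration is enabled, which is why the mitigation in the article is to switch it off.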
Spelt backwards, the string reads "Edit by Joel 04882 backdoor". At this stage, it is not known who Joel is. According to Heffner, the firmware appears to have been modified by D-Link spin-off Alpha Networks, but it isn't known if the company inserted the backdoor.
Heffner said he did not contact D-Link or Alpha Networks about the exploit, and that the string has no special meaning to him.
"Clearly, whoever put it in knew that they were creating a backdoor, and [the person] possibly was named Joel," Heffner told iTnews.
Heffner also points out that while the string was mentioned in a Russian forum in 2010, there is no indication that the forum's members knew it could be used by setting the browser user agent to it.
"Thus it is unknown if this exploit has previously been discovered or not; if so, it was certainly not publicised," Heffner says.
To protect against the exploit, Heffner advises users to turn off remote administration on their routers and to make sure that strong encryption is enabled on the wireless network.
Heffner believes several D-Link devices have the backdoor in their firmware, and listed the following models as likely to be vulnerable:
- DI-604+
Several of the above D-Link routers are or have been sold in Australia, and iTnews was able to replicate Heffner's findings on a DI-604 router.
Two models from Japanese vendor Planex are also listed by Heffner as being vulnerable, namely the BRL-04UR and BRL-04CW routers, as they use the same D-Link firmware.
The exploit has been known since at least 2010, when it was mentioned in Russian Internet forums. It has also received a mention on the Russian VKontakte (VK) social network since Heffner's blog post.
VK has around 228 million users currently.
iTnews has sought comment from D-Link on the backdoor discovery, and will update the story when it becomes available.