November 26, 2014

Backdoor found for several D-Link routers

An intentional backdoor designed into some of D-Link's home routers has been found by security researcher Craig Heffner. Having reverse engineered the firmware used in a D-Link DIR-100 router, Craig discovered that by setting a browser's user agent string to "xmlset_roodkcableoj28840ybtide" (without the quotes) he could gain full access to the router without entering a username and password.

An attacker exploiting the backdoor would be able to change any of the settings on the router and gain access to the network. During his research Craig discovered that the browser string was only mentioned once on the Internet, in a Russian forum post from a few years ago that noted that the string was probably significant. As such, there are no reports of this backdoor being used in the wild. D-Link has acknowledged the existence of the backdoor and said a fix would be available by the end of October.

“Various media reports have recently been published relating to vulnerabilities in network routers, including D-Link devices. Security and performance is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards,” said D-Link in a statement. “We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed.”

It is thought that the backdoor was intentionally programmed into the web server so that the router could be automatically configured when used with services like dynamic DNS. Since the web server contained all the code necessary to alter the router's settings, the programmers bypassed the authentication mechanism with the hard-coded browser string. This in turn allowed them to set the parameters for legitimate reasons. It is likely they didn't think that the string would ever be discovered.
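Because the bypass depends on one fixed User-Agent value, requests that carry it are easy to spot in HTTP logs. The following is an added example, not code from Heffner or D-Link: it assumes a proxy or network sensor that records requests to the router's management interface in Combined Log Format, and the sample lines, addresses and paths are constructed.

```python
import re
from collections import Counter

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"  # User-Agent value quoted in the article

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
FIELD = r'(?:[^"\\]|\\.)*'  # quoted field body, tolerating backslash-escaped quotes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + FIELD + r')" '
    r'(?P<status>\d{3}) \S+ "' + FIELD + r'" "(?P<ua>' + FIELD + r')"\s*$'
)

# Constructed sample lines (documentation IP ranges, made-up paths and sizes).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Nov/2014:10:01:02 +0000] "GET / HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"
203.0.113.7 - - [26/Nov/2014:10:05:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "xmlset_roodkcableoj28840ybtide"
203.0.113.7 - - [26/Nov/2014:10:05:44 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.23 - - [26/Nov/2014:10:09:11 +0000] "GET / HTTP/1.1" 401 0 "-" "scanner xmlset_roodkcableoj28840ybtide test"
malformed line without fields
"""

def find_backdoor_requests(lines):
    """Return one record per parseable line whose User-Agent contains the string."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not Combined Log Format: skip rather than guess at fields
        ua = m["ua"].strip()
        if BACKDOOR_UA in ua:
            # "exact" marks the form the article describes; any other occurrence
            # of the string is still worth an analyst's attention.
            hits.append({"line": lineno, "ip": m["ip"], "time": m["time"],
                         "request": m["request"], "status": int(m["status"]),
                         "exact": ua == BACKDOOR_UA})
    return hits

def hits_by_source(hits):
    """Count flagged requests per client address."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    found = find_backdoor_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(h)
    print(hits_by_source(found).most_common())
```

The recorded status code shows how the device answered each flagged request, which helps separate a probe from a request that was actually served.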

Based on string searches, Heffner says it can be reasonably concluded that the following D-Link devices are affected:

  • DIR-100
  • DIR-120
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

Additionally, several Planex routers also appear to use the same firmware:

  • BRL-04UR
  • BRL-04CW

D-Link already has new firmware available for several of the affected models, some of which aren’t listed in Heffner’s original list:

  • DIR-300
  • DIR-600
  • DIR-615
  • DIR-645
  • DIR-815
  • DIR-845L
  • DIR-865L
  • DSL-320B
  • DSL-321B