A security researcher has discovered a back-door in D-Link routers which provides complete and unauthenticated access to the administrative control panel, simply by changing your browser's user agent string.
Analysing a firmware file for an older model of D-Link router, security researcher Craig Heffner of Tactical Network Solutions discovered something very interesting: a hard-coded string in the authentication system, reading 'xmlset_roodkcableoj28840ybtide.' Examining the firmware code, Heffner found that when that peculiar string was sent as the user agent - the header field a web browser sends to identify its make and version - the router provided full access to the web interface with no username or password required.
While that could be the result of an unfortunate coding gaffe, the access seems deliberate: backwards, the string after the underscore reads 'edit by 04882 joel backdoor' - suggesting that a D-Link programmer called Joel inserted the back-door access deliberately in a sanctioned code edit.
'My guess is that the developers realized that some programs/services needed to be able to change the device's settings automatically,' writes Heffner. 'Realising that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, "Don't worry, for I have a cunning plan!"'
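The detection side of the mechanism described above, as an added example that is not part of the original article or of Heffner's published analysis: a small Python script that parses web-server access logs in the common "combined" format and flags any request whose User-Agent is the hard-coded string, which is what a defender would search for in logs from a router or from a proxy in front of it. The log lines, IP addresses and paths are constructed sample data; the User-Agent value itself is the one the article reports, and the helper that reverses the part after the underscore simply reproduces how the 'edit by 04882 joel backdoor' note was read out of it.

```python
import re
from typing import Dict, List, Optional

# The hard-coded User-Agent value reported for the affected D-Link firmware.
BACKDOOR_USER_AGENT = "xmlset_roodkcableoj28840ybtide"

# Access-log line in the "combined" format used by Apache and nginx.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic). The second one carries the
# backdoor User-Agent and reaches an admin page with a 200 and no login step;
# the last line is deliberately malformed to show how unparsable input is handled.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2013:10:01:22 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
198.51.100.9 - - [12/Oct/2013:10:02:03 +0000] "GET /tools_admin.htm HTTP/1.1" 200 4096 "-" "xmlset_roodkcableoj28840ybtide"
192.0.2.77 - - [12/Oct/2013:10:02:45 +0000] "POST /login.cgi HTTP/1.1" 401 0 "-" "curl/7.32.0"
this line is not in combined log format
"""


def decode_marker(user_agent: str) -> str:
    """Reverse the part after the underscore; this is how the
    'edit by 04882 joel backdoor' note was recovered from the string."""
    _, _, tail = user_agent.partition("_")
    return tail[::-1]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def is_backdoor_user_agent(user_agent: str) -> bool:
    """Whole-value, case-insensitive comparison. The article describes the
    string being used as the user agent itself, so a substring or prefix
    match would only add false positives from ordinary browsers."""
    return user_agent.strip().lower() == BACKDOOR_USER_AGENT


def find_backdoor_requests(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries whose User-Agent is the backdoor string."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable lines are skipped rather than reported as hits
        if is_backdoor_user_agent(entry["ua"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['req']} -> {hit['status']} (backdoor User-Agent)")
    print("embedded note:", decode_marker(BACKDOOR_USER_AGENT))
```

Because the string is compared as a whole value, the check is exact rather than a substring search; the article notes that newer firmware may use a different, as yet unknown string, so this rule catches only the published value and is a complement to, not a substitute for, disabling remote administration.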
The code has been discovered in numerous older models of D-Link router, including the DIR-100, DI-524 and DI-524UP, DI-604S, DI-604UP and DI-604+, and TM-G5240, as well as selected third-party routers based on D-Link hardware and software. Comments on Heffner's discovery have also suggested that the DIR-615, a newer device which is provided in customised form by selected ISPs, is vulnerable. Other, newer routers may also include the back-door, but edited to trigger on a different and so-far undiscovered user agent string.
D-Link has yet to respond to a request for comment on Heffner's discovery, but for now users of D-Link routers are advised to ensure that remote access to the administrative control panel is disabled.
UPDATE: D-Link has confirmed that the flaw exists, but has neglected to provide comment on how it was inserted into its products. 'D-Link will be releasing firmware updates to address the security vulnerabilities in affected D-Link routers by the end of October,' a company spokesperson explained, but did not comment on why an apparently deliberate back-door inserted by a D-Link employee into numerous products and undetected for years is only now being treated as a 'security vulnerability.' We have asked D-Link for clarification on the back-door code - in particular how it got there, why it was put there in the first place, and what it's doing to ensure the same or substantially similar vulnerability isn't to be found in its other products - and will update this post as and when we receive a reply.
UPDATE 2013-10-16: D-Link has responded to our questions, defending the back-door code while stating its use is restricted to 'a very early software platform.'