bit-tech.net

D-Link routers contain back-door code, claims researcher

A back-door in selected D-Link routers, apparently inserted deliberately by the company, allows for unauthenticated access to the router's administrative control panel.

A security researcher has discovered a back-door in D-Link routers which provides complete and unauthenticated access to the administrative control panel, simply by changing your browser's user agent string.

Analysing a firmware file for an older model of D-Link router, security researcher Craig Heffner of Tactical Network Solutions discovered something very interesting: a hard-coded string in the authentication system, reading 'xmlset_roodkcableoj28840ybtide.' Analysing the code in the firmware, Heffner discovered that when that peculiar string was used as a user agent - a field provided by a web browser which usually provides make and version number information - the router provided full access to the web interface with no username or password required.

While that could be the result of an unfortunate coding gaffe, the access seems deliberate: backwards, the string after the underscore reads 'edit by 04882 joel backdoor' - suggesting that a D-Link programmer called Joel inserted the back-door access deliberately in a sanctioned code edit.
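To make the mechanism concrete from the defender's side, the following is an added example (not code from the article or from Heffner's write-up) that does two things: it reproduces the reversal described above to show what the string decodes to, and it inspects raw HTTP requests for a User-Agent header that exactly equals the published trigger string, which is what a monitoring rule in front of one of these routers would look for. The sample requests, hostnames and paths are constructed for illustration; the exact-match comparison is an assumption about how the check behaves.

```python
"""Decode the marker string and flag HTTP requests carrying it as a User-Agent."""
from typing import Dict, List, Tuple

# Hard-coded user agent string quoted in the article above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"


def decode_marker(ua: str) -> str:
    """Reverse the part after the underscore; the article renders the result
    with spaces added as 'edit by 04882 joel backdoor'."""
    _, _, tail = ua.partition("_")
    return tail[::-1]


def parse_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and a header map
    keyed by lower-cased header name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_backdoor_request(raw: bytes) -> bool:
    """True when the User-Agent header is exactly the known trigger string
    (exact comparison is an assumption for this example)."""
    _, headers = parse_headers(raw)
    return headers.get("user-agent") == BACKDOOR_UA


def flag_requests(requests: List[bytes]) -> List[str]:
    """Return the request line of every request that carries the trigger string."""
    return [parse_headers(r)[0] for r in requests if is_backdoor_request(r)]


# Constructed sample traffic: an ordinary browser request and one using the trigger
# string. Host and paths are placeholders, not taken from any real device.
SAMPLE_REQUESTS = [
    b"GET /index.htm HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0\r\n\r\n",
    b"GET /tools_admin.htm HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    b"User-Agent: xmlset_roodkcableoj28840ybtide\r\n\r\n",
]


if __name__ == "__main__":
    print("marker decodes to:", decode_marker(BACKDOOR_UA))
    for req_line in flag_requests(SAMPLE_REQUESTS):
        print("ALERT: back-door user agent on request:", req_line)
```

Running the block prints the decoded marker and an alert for the second sample request only. A rule of this shape belongs on a proxy, IDS or packet capture between the WAN and the router, which is where a request like this would be seen before the device's own web server answers it.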

'My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically,' writes Heffner. 'Realising that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, “Don’t worry, for I have a cunning plan!”'

The code has been discovered in numerous older models of D-Link router, including the DIR-100, DI-524 and DI-524UP, DI-604S, DI-604UP and DI-604+, and TM-G5240, as well as selected third-party routers based on D-Link hardware and software. Comments on Heffner's discovery have also suggested that the DIR-615, a newer device which is provided in customised form by selected ISPs, is also vulnerable. Other, newer routers may also include the back-door, but edited to trigger on a different and so-far undiscovered user agent string.

D-Link has yet to respond to a request for comment on Heffner's discovery, but for now users of D-Link routers are advised to ensure that remote access to the administrative control panel is disabled.

UPDATE:
D-Link has confirmed that the flaw exists, but has neglected to provide comment on how it was inserted into its products. 'D-Link will be releasing firmware updates to address the security vulnerabilities in affected D-Link routers by the end of October,' a company spokesperson explained, but did not comment on why an apparently deliberate back-door inserted by a D-Link employee into numerous products and undetected for years is only now being treated as a 'security vulnerability.' We have asked D-Link for clarification on the back-door code - in particular how it got there, why it was put there in the first place, and what it's doing to ensure the same or substantially similar vulnerability isn't to be found in its other products - and will update this post as and when we receive a reply.

UPDATE 2013-10-16:
D-Link has responded to our questions, defending the back-door code while stating its use is restricted to 'a very early software platform.'

9 Comments

mi1ez 14th October 2013, 12:05 Quote
If you reverse the string it says "edit by [...]" rather than "edited by [...]"
Gareth Halfacree 14th October 2013, 12:09 Quote
Hah! I'd written 'edit' the first time around, then when I was giving the article a final scan-through before publication I automatically corrected the grammar without a second thought. Fixed, ta!
Gareth Halfacree 14th October 2013, 14:34 Quote
I've updated the article with a brief comment from D-Link announcing that it will be patching the back-door by the end of the month, which fails to actually address any of the questions raised. I've pressed for clarification.
jrs77 14th October 2013, 14:56 Quote
I'd guess that any modern device, be it a computer, a router or whatever has a backdoor implemented these days.
Gareth Halfacree 14th October 2013, 14:58 Quote
Quote:
Originally Posted by jrs77
I'd guess that any modern device, be it a computer, a router or whatever has a backdoor implemented these days.
Trufax, but there are clever backdoors - "let's stick a cryptographic public key in there, and if our private key knocks open up a hole" - and dumb backdoors - "hey, let's open a hole when someone uses a plaintext string that appears in our easily-analysed and publicly-available firmware files as their user agent. THAT WON'T GO WRONG AT ALL."

(Although, in D-Link's defence, it took a fair few years for anyone to publicise the vulnerability - which isn't to say it hasn't been discovered and exploited by ne'er-do-wells clever enough to keep their new toy quiet in the past, of course.)
Krikkit 14th October 2013, 15:37 Quote
Blimey, that's a pretty embarrassing gaffe for such a major player in the router market these days. Could be very useful for people trying to open up their ISP's routers though.
Alecto 14th October 2013, 22:14 Quote
Quote:
Originally Posted by jrs77
I'd guess that any modern device, be it a computer, a router or whatever has a backdoor implemented these days.

Well there's always the (free) alternative that works with a number of routers (and to be honest, those that are tied down by the manufacturers should be avoided anyway):

http://wiki.openwrt.org/doc/howto/build

You can build your own version after auditing the code.
sp4nky 14th October 2013, 22:49 Quote
Funnily enough, I've just taken delivery of a D-Link NAS. It's getting sent back now. Also, power cable was faulty but still, I'm now asking for a full refund instead of a replacement.
Gareth Halfacree 16th October 2013, 10:56 Quote
D-Link has responded to my questions with a defence of the back-door code. There are still some outstanding issues to be addressed, however, including its apparent presence in DIR-615 routers - which aren't on the list of devices getting a firmware update it provided this morning.