Tactical Network Solutions vulnerability researcher Craig Heffner, who specializes in wireless and embedded systems, recently discovered a security vulnerability in seven D-Link network routers after reverse engineering a recent firmware update. This vulnerability grants full access into the configuration page without the need for a username and password.
Heffner discovered that if a browser's user agent string is set to "xmlset_roodkcableoj28840ybtide," hackers can gain access to these routers if connected to the network via Ethernet or wireless, or if the router's configuration page is publicly accessible. When reversed and the numbers removed, this string actually reads "edit by joel backdoor" as if the "backdoor" in the routers' firmware was intentionally placed.
"My guess is that the developers realized that some programs/services needed to be able to change the device's settings automatically," Heffner writes. "Realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something."
"The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, 'Don't worry, for I have a cunning plan!'" he adds.
According to Heffner, the affected models include D-Link's DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240. Also on the list are the BRL-04UR and BRL-04CW routers from Planex that appear to use the same firmware.
Obviously, this exploit could allow "hackers" to make unauthorized changes to the settings. As an example, the Domain Name System server addresses could be altered to direct users to rogue websites when they try to access legitimate versions. The risk for unauthorized access is even higher for routers that are configured for remote management.
D-Link now reports that the company will address the issue by the end of the month. "Security and performance is of the utmost importance to D-Link across all product lines," the company states. "This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed."
D-Link suggests that customers ignore unsolicited emails that relate to security vulnerabilities and prompt them to action. Customers should also make sure their network is secure, and disable remote access to the router if it's not required.
Stay on the Cutting Edge
Join the experts who read Tom's Hardware for the inside track on enthusiast PC tech news — and have for over 25 years. We'll send breaking news and in-depth reviews of CPUs, GPUs, AI, maker hardware and more straight to your inbox.
Or you could just install a 3rd party firmware and not deal with D-Link's horrible firmware in the first place.Reply
Explaim to me like i was 5y old, how this kind of backdoor was not intentionally placed on the firmware?Reply
this is why we do not use any D-Link switches at work. Anyone can create loopbacks on them, or access parts of a network they aren't supposed to access with D-Link's backdoors.Reply
f-link sucks, locks their stuff down, overchanges, get a $30 open and go dd-wrt . voila, more business and home features than you'll ever use.Reply
It also works on DIR-615 :(Reply
Somewhere, a person named Joel is updating his resume.Reply
Better get an album cover. =)Reply