D-Link Router Backdoor Vulnerability Leaves System Settings Wide Open
A hacker (“Craig”) on a site devoted to embedded device hacking posted a lengthy entry detailing how he, on a whim and armed with boredom and too much Shasta cola, reverse-engineered a firmware update and found a backdoor to certain D-Link routers that allows one to access the devices’ web interface by bypassing authentication.
Once you’ve bypassed the authentication process, you can change or access any of the router’s settings. For obvious reasons, this is a serious security problem. This happens if your browser has a certain user agent string.
“This is performing a strcmp between the string pointer at offset 0xD0 inside the http_request_t structure and the string ‘xmlset_roodkcableoj28840ybtide’; if the strings match, the check_login function call is skipped and alpha_auth_check returns 1 (authentication OK),” wrote Craig.
He discovered the vulnerability in firmware update v.1.13, which he says likely affects the DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 D-Link routers as well as two Planex router models, the BRL-04UR and BRL-04CW.
Once you’ve bypassed the authentication process, you can change or access any of the router’s settings. For obvious reasons, this is a serious security problem. This happens if your browser has a certain user agent string.
“This is performing a strcmp between the string pointer at offset 0xD0 inside the http_request_t structure and the string ‘xmlset_roodkcableoj28840ybtide’; if the strings match, the check_login function call is skipped and alpha_auth_check returns 1 (authentication OK),” wrote Craig.
He discovered the vulnerability in firmware update v.1.13, which he says likely affects the DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 D-Link routers as well as two Planex router models, the BRL-04UR and BRL-04CW.
