D-Link has patched a backdoor present in a number of its routers that was publicized almost two months ago and could allow an attacker to remotely access the administrative panel on the hardware, run code and make any number of changes.
The Thanksgiving patch parade addressed the issue in a number of affected routers, most of them older versions that are still in circulation and largely untouched by consumers in particular.
Customer premise equipment such as wireless routers, modems and other set-top devices pose a real security issue because patches require a firmware update that are often ignored. There’s plenty of research too that examines the risks posed not only by buggy routers, but by other home and small business networking equipment.
Using available tools and online search engines such as Shodan, attackers can easily find Internet-facing equipment that’s vulnerable, and target those boxes with any number of exploits or scripts focusing on weak or default credentials, giving someone remote access to the gear.
The D-Link issue is much more serious given the access it could afford a remote attacker. Researcher Craig Heffner reported finding the vulnerability in October; he said that an attacker using a certain string “xmlset_roodkcableoj28840ybtide” could access the Web interface of a number of different D-Link routers without credentials.
D-Link routers DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240, along with Planex routers BRL-04R, BRL-04UR and BRL-04CW also use the same firmware, Heffner said. The firmware revisions issued last Thursday are for DI-524, DI-524UP, DIR 100 and DIR-120 routers, D-Link said in its advisory.
“Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string,” the company’s original advisory said. “This backdoor allows an attacker to bypass password authentication and access the router’s administrative web interface.”
Backdoors in hardware such as networking gear are generally for remote administration purposes. Researcher Travis Goodspeed told Heffner that this backdoor is used by a particular binary in the firmware enables an administrator to use this particular string to automatically reconfigure the device’s settings.
“My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something,” Heffner wrote. “The only problem was that the web server required a username and password, which the end user could change.”