D-Link is in the process of developing a patch for a serious security vulnerability in some of its older routers that essentially functions as a backdoor. The bug, discovered by a security researcher and publicized over the weekend, enables a remote user to log into an affected router as an administrator and take whatever actions he pleases.
The vulnerability is about as serious as they come, especially considering that the routers affected by it are consumer-grade devices that are typically plugged in and then left alone for years at a time. The researcher who discovered the flaw, Craig Heffner, was reverse engineering a version of the D-Link firmware when he came across an unusual string in the web server code. After working out what the code did with it, he found that any HTTP request whose User-Agent header is set to that string is treated as coming from an authenticated administrator: no login is required, and the sender can read and change any setting in the router’s web interface. The only precondition is that the attacker can reach the web interface, from the local network or, on devices with remote management exposed, from the Internet.
“In other words, if your browser’s user agent string is ‘xmlset_roodkcableoj28840ybtide’ (no quotes), you can access the web interface without any authentication and view/change the device settings,” Heffner wrote in a blog post about the bug.
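The following Python script is an added example and is not code from the article or from Heffner's post. It shows the two things an operator would want given the description above: a scan of web-server or proxy logs (constructed sample lines in combined log format) for requests carrying the backdoor User-Agent, and a raw probe request plus a result classifier for checking a device you own by comparing the response with and without the header. Only the User-Agent value comes from the article; the hosts, paths and log entries are made up for the example.

```python
"""Added example: detecting and self-checking for the D-Link User-Agent backdoor.

Not code from the article or from Heffner's post. Only the User-Agent value is
taken from the article; the log lines, paths and hosts below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# The User-Agent value quoted in the article. Any HTTP request carrying it is
# treated by the affected firmware as an authenticated administrator.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Apache/nginx "combined" log format:
#   ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic): one normal browser request,
# two requests carrying the backdoor token (one padded and upper-cased), and
# one line that is not in combined log format at all.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2013:09:14:02 +0000] "GET /index.htm HTTP/1.1" 200 4123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"',
    '198.51.100.7 - - [12/Oct/2013:09:15:47 +0000] "GET /settings.htm HTTP/1.1" 200 2211 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.7 - - [12/Oct/2013:09:15:49 +0000] "POST /settings.htm HTTP/1.1" 200 117 "-" "Mozilla/5.0 XMLSET_ROODKCABLEOJ28840YBTIDE"',
    'this line is not in combined log format',
]


def reversed_marker() -> str:
    """The token reversed. Read backwards it is made of words and digits, one
    reason a string like this catches the eye in a firmware image."""
    return BACKDOOR_UA[::-1]


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-log-format line; return None for lines that do not match."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def is_backdoor_ua(ua: Optional[str]) -> bool:
    """Case-insensitive substring match: scanners may wrap the token in other text."""
    return BACKDOOR_UA.lower() in (ua or "").lower()


def find_backdoor_requests(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (client ip, method, path, status) for every request carrying the token."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec and is_backdoor_ua(rec["ua"]):
            hits.append((rec["ip"], rec["method"], rec["path"], int(rec["status"])))
    return hits


def build_probe(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.0 request for checking a device you own: send it over a plain
    socket to the router's web port and compare the answer with the same
    request minus the User-Agent header."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {BACKDOOR_UA}\r\n"
        "\r\n"
    ).encode()


def classify(status_without_ua: int, status_with_ua: int) -> str:
    """Interpret the two probe results.

    The admin page should refuse an unauthenticated request (anything but 200).
    Refused without the header but served with it means the backdoor is present.
    Served either way means the test says nothing: the page is unprotected or a
    session is already open on that client."""
    if status_without_ua != 200 and status_with_ua == 200:
        return "backdoor present"
    if status_without_ua == 200:
        return "inconclusive"
    return "not observed"


if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print("backdoor User-Agent seen:", hit)
    print(build_probe("192.168.0.1").decode(), end="")
```

The log matcher deliberately uses a case-insensitive substring test rather than an exact comparison, because the firmware's check is what matters and a scanner is free to send the token padded with other text; a hit from an address you do not recognise means the web interface was reachable from there with no credentials at all. Run the probe only against your own equipment, and treat a two-hundred response in both runs as no evidence either way.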
Why the backdoor is present in the routers is a major question. When confronted with similar questions in the past, hardware manufacturers have said that they sometimes include such functionality for remote support or as a debugging aid during development and then fail to remove it before shipping. Heffner said that another researcher, Travis Goodspeed, suggested a possible reason for the presence of the D-Link backdoor.
“The ever neighborly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something,” Heffner said.
The affected D-Link routers are:
- DIR-100
- DIR-120
- DI-624S
- DI-524UP
- DI-604S
- DI-604UP
- DI-604+
- TM-G5240
The company reportedly is working on a firmware patch for the vulnerability that will be available by the end of the month. D-Link manufactures a wide variety of wireless routers for home and small office environments. Until a new version of the firmware is available, security experts recommend that users with affected models ensure that their wireless networks have WPA2 enabled and use random passwords. That advice only limits who can reach the LAN side of the web interface; it does nothing against anyone already on the network, so owners should also confirm that remote (WAN-side) management is disabled until the fixed firmware is installed.
Image from Flickr photos of Mark Turnauckas.