December 03, 2013
D-Link company has recently released a new version of firmware to fix backdoor vulnerability in various network device models.
Craig reverse engineered the D-Link Backdoor, discovering that if attacker browser user agent string is xmlset_roodkcableoj28840ybtide, he can access the web interface of the D-Link device bypassing authentication procedure and view/change the device settings.
Reading the string xmlset_roodkcableoj28840ybtide backwards it appears as “Edit by 04882 joel backdoor“.
- DIR-100
- DIR-120
- DI-524
- DI-524UP
- DI-604UP
- DI-604+
- DI-624S
- TM-G5240
The security advisory issued by D-Link suggests users to do not enable the Remote Management feature to avoid being a victim of a cyber attack that exploits the backdoor. Below the recommendation provided by the D-Link Company to its customers:
- Do not enable the Remote Management feature since this will allow malicious users to use this exploit from the internet. Remote Management is default disabled on all D-Link Routers and is included in customer care troubleshooting if useful and the customer enables it.
- If you receive unsolicited e-mails that relates to security vulnerabilities and prompt you to action, please ignore it. When you click on links in such e-mails, it could allow unauthorized persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages where you are asked to click or install something.
- Make sure that your wireless network is secure.
If you are interested to find vulnerable devices within your organization you can use the NMAP script written in Python and published on pastebin.
(Security Affairs – Backdoor, D-Link)
