D-Link router backdoor vulnerability discovered


A rather worrying security vulnerability has been discovered affecting several D-Link branded modem routers. It was posted on /dev/ttyS0, a website dedicated to embedded device hacking, after one of its writers reverse engineered a firmware update from D-Link.

The vulnerability allows full access to the router's configuration page without knowing the username and password. According to the blog post, when you set your browser's user-agent to a certain string, the modem skips its authentication functions and simply logs you straight into the router, allowing you to configure anything at your leisure.


Of course, you need to be connected to the router, whether by Ethernet or wireless, to access the page, unless the router's configuration page is publicly accessible. A quick web search can uncover hundreds of publicly accessible D-Link router configuration pages. TechGeek has independently verified the vulnerability on one of the affected models.

At the moment, there is no way to protect yourself from this; just ensure you're running the latest firmware on your router and that your router's configuration interface is not publicly accessible. According to the blog post, firmware version 1.13 is affected, as is a small number of known D-Link products:

  • DIR-100
  • DI-524
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240
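
As an added example (not from this article or the /dev/ttyS0 post), the following Python check reads access logs recorded by a proxy or capture point in front of a router's configuration interface and flags the backdoor user-agent, pages served without a login, and requests from outside the LAN. The Combined Log Format, the LAN ranges, the sample path and the `BACKDOOR_UA` placeholder are assumptions; the article does not print the string, so it must be copied from the advisory.

```python
import ipaddress
import re

# Placeholder: the article does not print the string; copy it from the advisory.
BACKDOOR_UA = "<BACKDOOR-USER-AGENT-PLACEHOLDER>"
# Assumed LAN ranges (RFC 1918); anything else is treated as the internet side.
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line, backdoor_ua=BACKDOOR_UA):
    """Return the finding labels for one log line; an empty list means nothing to report."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    if m["ua"] == backdoor_ua:
        findings.append("backdoor-user-agent")
    # Assumption: every page on this interface needs a login, so a 2xx reply
    # with no authenticated user ("-") means the authentication check was skipped.
    if m["status"].startswith("2") and m["user"] == "-":
        findings.append("served-without-login")
    try:
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in LAN):
            findings.append("outside-lan")
    except ValueError:
        findings.append("bad-source-address")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line that has at least one finding."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, f) for n, f in hits if f]

# Constructed sample log (addresses, path and timestamps are made up).
SAMPLE = [
    '192.168.0.10 - admin [14/Oct/2013:09:00:01 +1100] "GET /index.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.0.23 - - [14/Oct/2013:09:02:17 +1100] "GET /index.htm HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '192.168.0.23 - - [14/Oct/2013:09:02:40 +1100] "GET /index.htm HTTP/1.1" 200 5120 "-" "' + BACKDOOR_UA + '"',
    '203.0.113.7 - - [14/Oct/2013:09:05:03 +1100] "GET /index.htm HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE):
        print(n, ", ".join(f))
```

An `outside-lan` finding on its own, as on the fourth sample line, means the configuration interface is reachable from the internet side even though the login check held.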

Most of the routers above are end-of-life and most likely no longer supported by D-Link. We have asked D-Link Australia to comment; however, at the time of writing, we have not received a response. You can read up on the technical details of the backdoor by visiting the website. Do you own a D-Link modem? Let us know in the comments.

Thanks @timeimp for the tip

Updated 14/10/2013: Post was amended to include information on which firmware version is affected.

Join the Conversation

  • uhClem

    Shouldn’t turning the web interface off be enough to stop this, even from compromised hosts on the local network?

    • 0ut4t1m3

      @uhClem The web interface option is specifically for access from the internet side; local side access is always allowed, otherwise you would lose all access to the config pages. Some modems allow a whitelist to be configured; this would allow only certain MACs or IPs to access the page, which would prevent local side attacks.

  • hegotego

    That actually does make a LOT of sense dude.

    AnonWonders.tk