Slashdot Mirror


D-Link Router Backdoor Vulnerability Allows Full Access To Settings

StealthHunter writes "It turned out that just by setting a browser's user-agent to 'xmlset_roodkcableoj28840ybtide' anyone can remotely bypass all authentication on D-Link routers. It seems that thttpd was modified by Alphanetworks who inserted the backdoor. Unfortunately, vulnerable routers can be easily identified by services like shodanHQ. At least these models may have vulnerable firmware: DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240."
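Detection sketch for the user-agent string quoted in the submission above, added here as an example and not part of the original post or of any D-Link or Slashdot code. It assumes a reverse proxy or network sensor in front of the router's web interface that writes Combined Log Format; the function names, the sample lines and the "2xx means served" triage rule are assumptions of this example.

```python
import re
from collections import defaultdict

# User-Agent value quoted in the submission above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Combined Log Format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)

def find_backdoor_requests(lines):
    """Return one finding per request whose User-Agent carries the backdoor string."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format: skip rather than guess at fields
        # Case-insensitive substring match is deliberately broader than the firmware
        # check may be, so padded or re-cased probes are still reported.
        if BACKDOOR_UA not in m["ua"].lower():
            continue
        status = int(m["status"])
        findings.append({
            "line": lineno, "src": m["src"], "time": m["ts"],
            "request": m["req"], "status": status,
            # Assumption: a 2xx reply to this UA means a page was served without credentials.
            "served": 200 <= status < 300,
        })
    return findings

def summarize(findings):
    """Group findings by source address: total hits and how many were served."""
    by_src = defaultdict(lambda: {"hits": 0, "served": 0})
    for f in findings:
        by_src[f["src"]]["hits"] += 1
        by_src[f["src"]]["served"] += f["served"]
    return dict(by_src)

# Constructed sample lines using documentation addresses; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:09:14:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.7 - - [01/Jan/2024:09:14:05 +0000] "GET /status HTTP/1.1" 200 3310 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.23 - - [01/Jan/2024:09:20:41 +0000] "GET / HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.55 - - [01/Jan/2024:10:02:17 +0000] "GET / HTTP/1.1" 401 0 "-" "XMLSET_roodkcableoj28840ybtide"',
    'malformed line without quoted fields',
]

if __name__ == "__main__":
    for src, counts in summarize(find_backdoor_requests(SAMPLE_LOG)).items():
        print(src, counts)
```

Sources with a non-zero "served" count are the ones to investigate first, since the device answered them; the rest are probes that were refused.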

4 of 228 comments

  1. Tomato, DD-WRT, or OpenWrt by seifried · Score: 4, Informative

    Because friends don't let friends run crappy firmware with back doors/known problems.

    http://www.linuxpromagazine.com/Issues/2010/119/Security-Lessons-Linux-WAP/(tagID)/337

  2. Re:A big problem by viperidaenz · Score: 5, Informative

    Apparently IE might let you change the user agent
    http://stackoverflow.com/questions/6995311/how-can-i-spoof-the-user-agent-of-a-javascript-get-request
    You'd just need to work in some cross domain exploit somehow... or have a subdomain of your website resolve to 192.168.1.1

  3. Re:Will this stupidity ever end? by AliasMarlowe · Score: 5, Informative

    Read the user agent backwards, as indicated in the blog: "edit by 04882 joel back door". Stupidity indeed, even leaving a name.
    Luckily, my D-Link router is not vulnerable to this attack (maybe the attack just needs to be tweaked). It's stacked behind a non-D-Link router, just in case.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire

  4. Re:Idiot pruf by JohnFen · Score: 3, Informative

    As a software engineer working on a large consumer product, I can attest that every single line of code coming from our team goes through code review. It does increase short-term costs a bit (but not prohibitively), but results in great net savings over the long haul as most defects are found before shipping, when code fixes are cheap. Finding and fixing the same defects after shipping is horrendously expensive and results in angry customers.