D-Link Router Backdoor Vulnerability Allows Full Access To Settings

StealthHunter writes "It turned out that just by setting a browsers user-agent to 'xmlset_roodkcableoj28840ybtide' anyone can remotely bypass all authentication on D-Link routers. It seems that thttpd was modified by Alphanetworks who inserted the backdoor. Unfortunately, vulnerable routers can be easily identified by services like shodanHQ. At least these models may have vulnerable firmware: DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240."

Will this stupidity ever end?

[gweihir]

Are these people too stupid to know that eventually, somebody _will_ analyze their firmware and find this? I think it is time to make them liable for a bit more than the device when things like these get found. Say, 10x the new value of the device to any customer that wants to give it back.

Re:Will this stupidity ever end?

[DigitAl56K]

Well, as an ex D-Link customer, I'm glad to see someone is analyzing their firmware.

Re:Will this stupidity ever end?

How about a Prison Sentence. These ego maniacs are putting people's bank account at risk. It is no different from writing a virus. In fact it is worse.

Re:Will this stupidity ever end?

[Samantha+Wright]

I might propose targeting the software review board that didn't catch the flaws, or perhaps the management who decided such a review board was unnecessary. Security-critical hardware should have at least some QC and/or validation at the firmware code level, y'know?

Re:Will this stupidity ever end?

[girlintraining]

How about a Prison Sentence. These ego maniacs are putting people's bank account at risk. It is no different from writing a virus. In fact it is worse.

Sorry man, but this isn't an ego maniac. It's worse than that. 04882 is an oblique reference to the product ID used by Revell. Revell produces hobby scale models of various things. In this case... of the USS Enterprise, as seen in the worst trek movie ever -- Star Trek: Into Darkness. Which means, we're not dealing with an ego maniac: We're dealing with a guy who is utterly devoid of ego. This particular model probably sits on his desk in his cube, providing both inspiration to one 'Joel' in D-Link's software development team for a password, and simultaniously functioning as the strongest prophylactic known to man.

The good news though is that firmware released by D-Link prior to May of 2013 shouldn't be affected, unlike Joel's employment situation.

Re:Will this stupidity ever end?

[TapeCutter]

Hell, may have even just been one rogue developer who nobody gave permission to put it there.

It's a safe bet their law team already have that at the top of the whiteboard.

Re:Will this stupidity ever end?

[mcgrew]

The law is only for little people. Who went to prison when Sony rooted and vandalized thousands of computers with their XCP malware? Nobody. You have to hack a rich person's or organization's computers to go to jail. You and I don't count.

Many routers subject to UPnP vulnerability anyway

[DigitAl56K]

PDF link, published earlier this year, shows how many manufacturers use a stack with a UPnP vuln that gives root, even from the WAN side:

http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf

Point is, you probably weren't as safe as you thought you were, even before this new disclosure.

I think a huge problem with consumer-grade wifi routers today is that as manufacturers race to support new models with new wifi standards and new competitive feature sets, older models quickly become abandonware. There's very little guarantee around firmware updates for critical vulnerabilities, and end users are mostly oblivious to being at risk. By the time you pick up that $80 model from the store it's probably borderline EOL already.

Re:Backwards: edit by 04882 Joel backdoor

[ibsteve2u]

And the post points out (in 2010) that if you reverse the string it was "edit by 04882 Joel Backdoor" so it was clearly a backdoor.

The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

Somebody found it profitable enough to make an effort to stifle the spread of knowledge about the backdoor?

"Profit" can be anything of value, of course.

Re:Did the NSA have a hand in this too?

[Frosty+Piss]

How to bury your company's reputation with one password.

D-link's rep was buried long ago.

Re:Backwards: edit by 04882 Joel backdoor

The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

Seriously? That's not a scandal, that's the way the world works. People that LOOK for stuff like that want to keep those exploits to themselves because they want to USE THEM. If you reveal the damn thing, it'll get patched.

Not many people want to do all the work of looking through binaries figuring out obscure shit like this just for fun.

A big problem

[AndrewStephens]

This is NOT a small, obscure problem for users of DLINK routers. Although it does not open up Wifi access or anything like that, having access to the configuration panel of your router is bad news even from inside the network. I can't think of anyway to automatically exploit it via a browser (XSS-style) but a small executable (or trusted Java applet, for instance) could do it.

Additionally, I wonder how many small establishments are offering free wifi using DLINK equipment. Those networks are now vulnerable.

If I was a bad(er) guy, the first thing I would change would be the DNS settings. Forcing all computers behind the router to use a DNS I control opens up all sorts of interesting ways to mess with people.

Yes they did, TAO

Read it and weep:
http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story_1.html

"Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets. "

"Tailored Access Operations has software templates to break into common brands and models of “routers, switches and firewalls from multiple product vendor lines,” according to one document describing its work."

So on the one hand they're supposed to defend US networks from attack, while on the other hand they have detailed knowledge of these backdoors and use them for their own use while keeping them secret.

So yes, the NSA did have a hand in it, at the minimum it kept it secret while exploiting it.

Re:edited by 04882 Joel backdoor

[_merlin]

It might have nothing to do with anyone called Joel. When I was far younger and quite bored, I graffiti'd "Patrick Tang was here" (in a place where a Patrick Tang had been). Patrick Tang had nothing to do with the use of his name, but when he discovered it, he went to considerable effort to obscure it, believing he would likely be blamed.

Re:edited by 04882 Joel backdoor

[girlintraining]

s this the guy behind it? http://www.joesdata.com/executive/Joel_Liu_421313008.html Assuming good will, it seems like debugging code left in the final firmware release.

Regardless of how strong the evidence may be, uniquely identifying someone on the internet is dangerous and may even expose you to a slander/libel/defamation case. You may recall not long ago the witch hunt on reddit for the Boston Bomber. Over a dozen 'suspects' were named and shamed on the forums, none of whom turned out to be the actual person. Those people's lives crumbled into dust after, and police had to devote valuable resources at the time to protecting those individuals from vigilantes. Don't go the extra step of naming someone -- no matter how confident you are, the odds are very high that you're wrong. I know you think you're being edgy, smart, whatever and showing off your google-fu here, but you've actually rather accomplished the reverse -- you've demonstrated a reckless abandon and an inability to consider the consequences of your actions, or at least favoring momentary glory and recognition at the expense of another. Neither scores high marks in internet ethics.

On the internet, a loaded finger is a bigger threat than a loaded gun.

Idiot pruf

[TiggertheMad]

As a software engineer who has worked on some larger projects, I can tell you that you are in fantasy land if you think that every line of code can be vetted without spending a small fortune on code review. Those costs might be justifiable for a project like a space shuttle guidance system, where the cost of failure is billions of dollars and multiple lives, but nobody is going to shell out that kind of budget for a sub $100 consumer router.

Re:Idiot pruf

nobody is going to shell out that kind of budget for a sub $100 consumer router.

except such routers are the first line of defense, in many cases, of such things as a space shuttle guidance system....

(don't blame me for what nasa engineers have running at home...)