Slashdot Mirror

← Back to Stories (view on slashdot.org)

D-Link Router Backdoor Vulnerability Allows Full Access To Settings

Posted by samzenpus on from the protect-ya-neck dept.

StealthHunter writes "It turned out that just by setting a browsers user-agent to 'xmlset_roodkcableoj28840ybtide' anyone can remotely bypass all authentication on D-Link routers. It seems that thttpd was modified by Alphanetworks who inserted the backdoor. Unfortunately, vulnerable routers can be easily identified by services like shodanHQ. At least these models may have vulnerable firmware: DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240."

3 of 228 comments (clear)

  1. Backwards: edit by 04882 Joel backdoor by Anonymous Coward · · Score: 5, Interesting

    And the post points out (in 2010) that if you reverse the string it was "edit by 04882 Joel Backdoor" so it was clearly a backdoor.

    The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

  2. The home router market is a an ongoing disaster by mtaht · · Score: 5, Interesting
    It's not just simple backdoors like the dlink one that are a problem.

    There is a systemic complete and total regard for basic tenets of security in nearly the entire home router/cpe market.

    Start with crypto - no hwrng and a known "less than ideal" version of /dev/random to feed your "secure" wpa and ssh sessions.

    Worse:

    There is no privilege separation in most routers, which was ok when they were single function devices - BUT: not ok, when vulnerability via services like samba can be used to root most of the top 10 current home routers:

    http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp

    Once an attacker p0wns your home gateway they can change your dns to malicious sites, as dnschanger did:

    http://www.dcwg.org/

    or have it participate in botnets, or inflict further attacks on unsuspecting devices both inside and outside your firewall, or sniff your traffic - there is no security when your front door is left wide open.

    What nearly every home router and cpe manufacturer is shipping is **rotware**, running 4-7 year old kernels with known CVEs, and 10 year old versions of critical services like dnsmasq. You'd think that new 802.11ac devices available for this christmas might have some modern software on it, but just to pick out a recent example - the "new" netgear nighthawk router runs Linux 2.6.36.4 and dnsmasq 2.15, according to their R7000 gpl code drop -

    http://kb.netgear.com/app/answers/detail/a_id/2649

    Brand new hardware - 4+ and 10 year old software respectively.

    It's unfair of me to pick on Netgear, every router I've looked at this christmas season has some major issues.

    Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware. And I wish the manufacturers (and ISPs, AND users, and governments) understood that, and there was (in particular) a sustainable model for continuous updates and upgrades as effective as android's in this market. I don't care if it came from taxation, isp fees, or built into the price of the device - would you willingly leave your networks' front door open if you understood the consequences?

    Rotten routers with closed source code, and no maintenance, are a huge security risk, and they are holding back the ipv6 transition, (and nearly all current models have bufferbloat, besides)

    How can the dysfunctional edge of the Internet be fixed?

  3. Re:Will this stupidity ever end? by girlintraining · · Score: 5, Interesting

    The DI-524 is, what, 8 years old? The firmware for it hasn't been updated since 2006. How, then is it listed as vulnerable?

    This is some guy on a blog. It's a mixture of fact and wild speculation. This isn't an official security notification on something like Bugtraq or CERT, etc. He tested the DI-100 firmware, v1.13. The FTP link he provided lists the timestamp for the file as "02/19/2013 11:09AM", not 2006.

    He doesn't even have a DI-100, he just downloaded it at random. He thinks, based on "the source code of the HTML pages and some Shodan search results", that the devices listed are affected. There was no actual testing, it's just rampant speculation based on Sir Bloggy McBlogs google-fu. Now, that said, I have been doing some additional research and the company Revell is based out of Germany -- which is also where D-Link's software development team is. Revell's website indicates the model went on sale about the same time as the movie release -- May 2013. The timestamp is February. It's not enough to bust my theory that 04882 is a reference to the model... it's just possible the website is wrong, or he got one early from a friend who works at said company. It does happen; Maybe they handed them out at special screenings.

    Such is the nature of speculating on these things; it's interesting, but it's nearly impossible to get positive verification of a theory.

    --
    #fuckbeta #iamslashdot #dicemustdie