9:30 ET, 5 December 2013

D-Link company has recently released a new version of firmware to fix backdoor vulnerability in various network device models.

Last October the security expert Craig Heffner discovered a backdoor inside different D-Link routers. Craig published an interesting blog post on “/dev/ttyS0″ on the reverse engineering of the backdoor (CVE-2013-6027) present in many D-Link devices, it described how an attacker was able to alter a router setting by passing the authentication mechanism.

Craig reverse engineered the D-Link Backdoor, discovering that if attacker browser user agent string is xmlset_roodkcableoj28840ybtide, he can access the web interface of the D-Link device bypassing authentication procedure and view/change the device settings.

Reading the string xmlset_roodkcableoj28840ybtide backwards it appears as “Edit by 04882 joel backdoor“.

Last week, D-Link has issued a new release of firmware for the vulnerable router models, the new software includes a fix to prevent unauthorized administrator access. D-Link has released the updates for the following models:

  • DIR-100
  • DIR-120
  • DI-524
  • DI-524UP
  • DI-604UP
  • DI-604+
  • DI-624S
  • TM-G5240

dlink

 

The security advisory issued by D-Link suggests users to do not enable the Remote Management feature to avoid being a victim of a cyber attack that exploits the backdoor.  Below the recommendation provided by the D-Link Company to its customers:

  • Do not enable the Remote Management feature since this will allow malicious users to use this exploit from the internet.  Remote Management is default disabled on all D-Link Routers and is included in customer care troubleshooting if useful and the customer enables it.
  • If you receive unsolicited e-mails that relates to security vulnerabilities and prompt you to action, please ignore it. When you click on links in such e-mails, it could allow unauthorized persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages where you are asked to click or install something.
  • Make sure that your wireless network is secure.

If you are interested to find vulnerable devices within your organization you can use the NMAP script written in Python and published on pastebin.

Pierluigi Paganini

(Security Affairs –  Backdoor, D-Link)
rsa-logo