Old D-Link routers with coded backdoor
by Manuel Humberto Santander Pelaez (Version: 1)
A vulnerability has surfaced in old D-Link routers that allows an attacker to gain admin privileges on the router. The following models are affected:
- DIR-100
- DI-524
- DI-524UP
- DI-604S
- DI-604UP
- DI-604+
- TM-G5240
- DIR-615
If your user agent string is set to xmlset_roodkcableoj28840ybtide, you will be able to view and change settings on the device. As of today, D-Link has not posted a solution. If you have a wireless router matching one of the vulnerable models, you need to:
- Avoid unauthorized access to the wireless network: use WPA2 with a random key longer than 10 bytes. That will lower the odds of a successful brute-force attack against your router.
- Give access to your wireless network only to people you trust until D-Link publishes a patch, as you cannot designate a single IP address for admin purposes ;)
When D-Link posts a solution, you might want to ensure you are not using a default admin password. Check here for default wireless router passwords and look for the D-Link reference. If you have the default password, check this page for information on how to access the admin tool to change the password.
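To check whether anyone on your network has sent the user agent string above to the router, the following added example (not part of the original diary) scans HTTP request logs for it. It assumes a proxy or network sensor in front of the router's web interface that writes Combined Log Format; the function name, sample addresses and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# User agent value reported in the diary as unlocking the admin interface.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Combined Log Format: src ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)

def find_backdoor_requests(lines):
    """Return {source: [(timestamp, request, status, exact), ...]} for matching lines.

    exact is True when the User-Agent is exactly the reported string; values that
    only contain it (padded or re-cased) are still reported, with exact False.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess at its fields
        ua = m.group("ua")
        if BACKDOOR_UA in ua.lower():
            hits[m.group("src")].append(
                (m.group("ts"), m.group("request"), int(m.group("status")), ua == BACKDOOR_UA)
            )
    return dict(hits)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.168.0.23 - - [15/Oct/2013:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '192.168.0.57 - - [15/Oct/2013:10:05:42 +0000] "GET / HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.168.0.57 - - [15/Oct/2013:10:05:49 +0000] "POST /placeholder HTTP/1.1" 200 128 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.168.0.80 - - [15/Oct/2013:10:09:03 +0000] "GET / HTTP/1.1" 401 0 "-" "XMLSET_roodkcableoj28840ybtide test"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for src, events in sorted(find_backdoor_requests(SAMPLE_LOG).items()):
        for ts, request, status, exact in events:
            kind = "exact" if exact else "variant"
            print(f"{src} [{ts}] {request!r} -> {status} ({kind} match)")
```

Any source address it reports is a host to investigate, and a reason to rotate the WPA2 key and admin password once a patch is applied.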
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
Comments
Anonymous
Oct 15th 2013
1 decade ago
The updates will be listed on a security page on the D-Link website and in the download section of the support page for each affected product - http://www.dlink.com/uk/en/support/security