Old D-Link routers with coded backdoor

Published: 2013-10-14
Last Updated: 2013-10-14 19:58:28 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
3 comment(s)

A vulnerability has been found in old D-Link routers that allows an attacker to gain admin privileges on the router. The following models are affected:

  • DIR-100
  • DI-524
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240
  • DIR-615

If your user agent is set to xmlset_roodkcableoj28840ybtide, you will be able to view and change settings in the device. As of today, D-Link has not posted a solution. If you have any wireless router matching the vulnerable models, you need to:

  • Avoid unauthorized access to the wireless network: Use WPA2 with a random key longer than 10 bytes. That will lower the odds of a successful brute-force attack against your router.
  • Make sure you give access to your wireless network only to people you trust until D-Link publishes a patch, as you cannot designate a single IP address for admin purposes ;)

When D-Link posts a solution, you might want to ensure you are not using any default admin password. Check here for default wireless router passwords and look for the D-Link reference. If you have the default password, check this page for information on how to access the admin tool to change the password.
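To check whether anyone has sent the user agent string above at a web server you run, the following sketch scans access-log lines for it and counts hits per source address. It is an added example, not part of the original diary; it assumes logs in the Apache/nginx "combined" format, and the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# User-Agent value named in the diary entry above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumed layout: Apache/nginx "combined" access log.
# Quoted fields tolerate backslash-escaped quotes inside them.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    + QUOTED.replace("(", "(?P<request>", 1) + r' (?P<status>\d{3}) \S+ '
    + QUOTED.replace("(", "(?P<referer>", 1) + " "
    + QUOTED.replace("(", "(?P<ua>", 1)
)

def find_backdoor_probes(lines):
    """Return one dict per request whose User-Agent contains the string."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format: skip rather than guess
        # Case-insensitive substring match, so re-cased or padded
        # variants of the string are reported as well.
        if BACKDOOR_UA in m["ua"].lower():
            hits.append({k: m[k] for k in ("src", "ts", "request", "status")})
    return hits

def probes_by_source(hits):
    """Count matching requests per source address for follow-up."""
    return Counter(h["src"] for h in hits)

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    '198.51.100.23 - - [14/Oct/2013:08:59:41 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '203.0.113.7 - - [14/Oct/2013:09:00:12 +0000] "GET / HTTP/1.1" 403 199 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.7 - - [14/Oct/2013:09:00:13 +0000] "GET /index.html HTTP/1.1" 403 199 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.0.2.55 - - [14/Oct/2013:11:30:02 +0000] "GET / HTTP/1.0" 403 199 "-" "XMLSET_ROODKCABLEOJ28840YBTIDE"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    found = find_backdoor_probes(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["src"], h["status"], h["request"])
    print(dict(probes_by_source(found)))
```

A hit on a server that is not one of the affected routers only shows that someone is scanning; the status column shows how your server answered.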

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

3 comment(s)


FYI ... I just saw an attempt to use this exploit (around 09:00 GMT on 2013-10-14). I have no vulnerable router in the path so it was routed to my DMZ HTTP server and rejected there because of web server rules I have set up.
I tried this against my DIR-825 and it seemed to not be vulnerable, though who knows if there's a string it would respond to. I've turned off my internet facing management page (which I already had restricted to 'from work only' so I could turn on remote desktop passthrough if I needed it).
D-Link has promised a firmware update to address this issue will be released by the end of October.

The updates will be listed on a security page on the D-Link website and in the download section of the support page for each affected product - http://www.dlink.com/uk/en/support/security
