Security researcher Craig Heffner has found a serious vulnerability in D-Link routers wherein the firmware code contains a hardcoded backdoor which will allow access to the administrative settings of the router simply by changing the browser’s user agent string.
According to Heffner, if a user changes the browser’s user agent string to “xmlset_roodkcableoj28840ybtide” and then accesses any of the following routers DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, or TM-G5240 loaded with firmware v1.13, the web interface would provide all the options normally visible by administrators only. If one reverses the second part after the underscore in the user agent string, it reads “edit by joel backdoor.”
It seems that Russians had knowledge of the string already as “A quick Google for the “xmlset_roodkcableoj28840ybtide” string turns up only a single Russian forum post from a few years ago, which notes that this is an “interesting line” inside the /bin/webs binary. I’d have to agree”, notes Heffner.
The repercussions of this backdoor are rather grim. Attackers will be able to quickly search all the internet connected devices through Shodan and then isolate all the models from D-Link and gain unauthorized access to administrative level interface of the routers. Attackers could potentially divert someone’s Internet traffic through one of their own servers and manage to intercept all unencrypted data.
The backdoored firmware may be used by more models from D-Link than those listed above and chances are that the vulnerability is already been exploited in the wild considering that Russian forum post is few years old.
