D-Link routers found to contain backdoor

Simply change one HTTP header and many D-Link routers will allow an attacker to walk in, without any authentication checks.
Written by Michael Lee, Contributor

Security researcher Craig Heffner has discovered a backdoor within the firmware found in a number of D-Link routers.

Heffner, who usually works as a vulnerability researcher for Tactical Networks Solutions, wrote on /dev/ttyS0 that he discovered the backdoor by reverse engineering the web server software contained in the device's firmware while having nothing to do on a dateless Saturday night.

After extracting the web server binary using Binwalk and examining it in IDA, Heffner found that it was an implementation of an open-source HTTP server from ACME Laboratories, Thttpd, that had been modified by developers from D-Link spinoff Alphanetworks.

Version 2.23 of Thttpd appears to be used, which already contains a number of vulnerabilities, some of which can be used in certain circumstances to allow for remote code execution. However, Heffner points out another purposefully introduced hole that makes exploitation of these vulnerabilities unnecessary.

One of the modifications to Thttpd includes a function called alpha_auth_check, even though there is already a native function check_login to verify whether the user is logged in. The custom function instead checks for certain information in the user's request and determines whether to skip native authentication checks.

These include legitimate requests to graphic and public directories, presumably to allow the display of D-Link-branded pages asking users to log in, or to access information that doesn't require the user to be logged in.

However, it also examines the browser user agent, and if it matches "xmlset_roodkcableoj28840ybtide", authentication checks are again skipped.

The string, read backwards, provides some hint as to who might be responsible — "edited by 04882 joel backdoor".

It is a relatively trivial matter to modify the user-agent header that is sent as part of HTTP requests, and this would allow D-Link devices running the firmware and facing the internet to be accessed without any authentication checks.

A simple check on Shodan shows over 3,200 devices running the Alphanetworks version of thttpd.

The backdoor's intended use is revealed in another binary contained within the firmware, /bin/xmlsetc, which will send requests with the string in the user-agent header and then modify the device's configuration for legitimate reasons.

"My guess is that the developers realised that some programs/services needed to be able to change the device's settings automatically; realising that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, 'Don't worry, for I have a cunning plan!'," Heffner wrote.

Hefner believes the following D-Link and Planex (which use the same firmware) devices are affected:

  • DIR-100

  • DI-524

  • DI-524UP

  • DI-604S

  • DI-604UP

  • DI-604+

  • TM-G5240

  • BRL-04UR

  • BRL-04CW

D-Link has told PCWorld that it will release patches for affected devices by the end of this month.

"We are proactively working with the sources of these reports, as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed," the company wrote on its support pages. It noted that users should disable remote access to their devices if it is not required, and that this feature is disabled by default.

Editorial standards