

By Richard Chirgwin, 13th October 2013 22:23

Control panel backdoor found in D-Link home routers

D-secret is D-logon string allowing access to everything

A group of embedded-device hackers has turned up a vulnerability in D-Link consumer-grade products that provides unauthenticated access to the units' admin interfaces.

The backdoor means an attacker could take over all of the user-controllable functions of the popular home routers, which include the DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 units. According to the post on the /DEV/TTYS0 blog, a couple of Planex routers are also affected, since they use the same firmware.

A Binwalk extract of the D-Link DIR-100 firmware revealed that an unauthenticated user need only change their user agent string to xmlset_roodkcableoj28840ybtide to access the router's Web interface with no login required.

The /DEV/TTYS0 researcher found the user agent string inside a block of code that runs simple string comparisons. For one of those comparisons, “if the strings match, the check_login function call is skipped and alpha_auth_check returns 1 (authentication OK)”, the author notes.

Some commentards to that post claimed to have successfully tested the backdoor against devices visible to the Shodan device search engine.

The /DEV/TTYS0 author, Craig, says the backdoor exists in v1.13 of the DIR-100revA products.

At this point, there's no defence against the backdoor, so users are advised to disable WAN-port access to the administrative interfaces of affected products. ®
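Short of cutting off WAN access, the one thing an administrator can do is watch for the string in web-server or proxy logs in front of the affected devices. The following is an added example, not code from the article or from the /DEV/TTYS0 post: it parses combined-format access log lines and flags any request whose User-Agent carries the backdoor value. The log format, the sample addresses and the paths are assumptions made for the example.

```python
import re
from collections import Counter

# User-Agent value the article reports as bypassing the login check on affected firmware.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Apache/nginx "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_backdoor_requests(lines):
    """Flag every request whose User-Agent carries the backdoor string.

    Case-insensitive substring match: a detection choice made here, not a claim about
    how the firmware compares the header, so padded or re-cased values still trip it.
    """
    hits = []
    for line in lines:
        f = parse_line(line)
        if f is None or BACKDOOR_UA not in f["ua"].lower():
            continue  # unparseable line, or an ordinary client
        hits.append({"src": f["src"], "ts": f["ts"], "status": f["status"],
                     "request": f'{f["method"]} {f["path"]}', "ua": f["ua"]})
    return hits

def sources_by_hits(hits):
    """Count flagged requests per source address, most active first."""
    return Counter(h["src"] for h in hits).most_common()

# Constructed sample lines; addresses, times and paths are made up for this example.
SAMPLE_LOG = [
    '203.0.113.9 - - [13/Oct/2013:20:11:02 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Oct/2013:20:11:05 +0000] "GET /admin.htm HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.4 - - [13/Oct/2013:20:12:40 +0000] "POST /apply.cgi HTTP/1.1" 200 128 "-" "XMLSET_roodkcableoj28840ybtide/1.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["request"]} ua={hit["ua"]!r}')
```

A 200 status on an admin page paired with this User-Agent means the bypass succeeded on that device, which is the case worth treating as a compromise rather than a probe.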
