Back door found in D-Link routers D-secret is D-logon string allowing access to everything
A group of embedded device hackers has turned up a vulnerability in D-Link consumer-level devices that provides unauthenticated access to the units' admin interfaces.
The flaw means an attacker could take over all of the user-controllable functions of the popular home routers, which includes the DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 units. According to the post on /DEV/TTYS0, a couple of Planex routers are also affected, since they use the same firmware.
A Binwalk extract of the DLink DIR-100 firmware revealed that an unauthenticated user needs only change their user agent string to xmlset_roodkcableoj28840ybtide to access the router's Web interface with no authentication.
The /DEV/TTYS0 researcher found the user agent string inside a bunch of code designed to run simple string comparisons. For one of those comparisons, “if the strings match, the check_login function call is skipped and alpha_auth_check returns 1 (authentication OK)”, the author notes.
Some commentards to that post claimed to have successfully tested the backdoor against devices visible to the Shodan device search engine.
The /DEV/TTYS0 author, Craig, says the backdoor exists in v1.13 of the DIR-100revA products.
At this point, there's no defence against the backdoor, so users are advised to disable WAN-port access to the administrative interfaces of affected products
The best router firmware is DD-WRT but whether you can completely lock it down requires experience in other words if you have an infected machine on a network and it loves to connect to other devices and capture them there passwords. Then even if you do everything right unless you started freaking war driving like back in the day used some completely anon ISP connection and a brand new or known clean laptop then I can not see a way to completely secure a network from consistent instrusion attacks plus monkey in the middle type network infections especially if it comes from the nextdoor neighbor or something.
This topic has been closed due to inactivity. If you would like to discuss this topic further, please start a new post.
You can reference this topic in your post by adding this link:
Visit the Community
Check our Forums or How-to & FAQs for advice or answers
View User Guides
Refer to our getting started guides and product manuals
Talk to our Support agents and get answers to your questions