D-Link has released an important security update for some of its older Internet routers. The patch closes a backdoor in the devices that could let attackers seize remote control over vulnerable routers.
The update comes roughly seven weeks after researcher Craig Heffner discovered and blogged about a feature or bug built into at least eight different models of D-Link routers that could allow an attacker to log in as administrator and change the router’s settings. Although the router models affected are fairly old, there are almost certainly plenty of these still in operation, as routers tend to be set-it-and-forget-it devices that rarely get replaced or updated unless they stop working.
According to Heffner, an attacker who identified a vulnerable router would need merely to set his browser’s user agent string to “xmlset_roodkcableoj28840ybtide”, and he could log in to the router’s administrative interface without any authentication. Heffner later updated his blog post with a proof-of-concept illustrating how attackers also could use the bug to upload arbitrary code to the vulnerable devices.
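Because the bypass is keyed entirely on one fixed User-Agent value, it is also easy to spot from the defender's side: any request to a router's web interface carrying that string is, by definition, an attempt to use the backdoor. The following added example (my own code, not Heffner's or D-Link's) scans web-server access logs in the common "combined" format for that User-Agent and reports the source address, timestamp and request line of each hit. The log lines are constructed for the example; the paths and addresses in them are placeholders, not paths from any real D-Link firmware.

```python
import re
from typing import Dict, List, Optional, Tuple

# The exact User-Agent value described in the article.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Constructed sample access log in Apache/Nginx "combined" format.
# Addresses, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
192.168.0.23 - - [28/Nov/2013:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"
192.168.0.77 - - [28/Nov/2013:10:02:13 +0000] "GET /settings.htm HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"
203.0.113.9 - - [28/Nov/2013:10:03:44 +0000] "POST /settings.htm HTTP/1.1" 200 128 "-" "XMLSET_ROODKCABLEOJ28840YBTIDE"
192.168.0.5 - - [28/Nov/2013:10:04:01 +0000] "GET /status.htm HTTP/1.1" 401 0 "-" "curl/7.33.0"
"""

# One "combined" log line: src ident user [ts] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if malformed."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_backdoor_ua(ua: str) -> bool:
    """True if the User-Agent is the backdoor string.

    Compared case-insensitively and with surrounding whitespace stripped,
    so a proxy or log pipeline that normalises header case still matches.
    """
    return ua.strip().lower() == BACKDOOR_UA


def find_backdoor_hits(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (source, timestamp, request) for every line using the backdoor UA."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash the scan
        if is_backdoor_ua(rec["ua"]):
            hits.append((rec["src"], rec["ts"], rec["req"]))
    return hits


def decode_reversed(ua: str) -> str:
    """Read the string backwards; the reversal is how the
    'edit by 04882 joel backdoor' reading in the comments below was found."""
    return ua[::-1]


if __name__ == "__main__":
    for src, ts, req in find_backdoor_hits(SAMPLE_LOG):
        print(f"backdoor UA from {src} at {ts}: {req}")
    print("reversed:", decode_reversed(BACKDOOR_UA))
```

On a real network the same check belongs wherever the router's HTTP traffic is visible (a proxy, IDS or the router's own syslog output, if it has one); a hit from an address on the LAN is as significant as one from the Internet, since the comments below point out that the web interface can be reached from inside the network.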
On Nov. 28, D-Link released a series of updates to fix the problem. Updates are available for the following models:
- DI-524
- DI-524UP
- DIR-100
- DIR-120
- DI-604UP
- DI-604+
- DI-624S
- TM-G5240
It’s not clear exactly why or how this backdoor found its way into the D-Link routers, but Heffner said a suggestion by fellow researcher Travis Goodspeed points to one likely explanation: “My guess is that the developers realized that some programs/services [such as dynamic DNS] needed to be able to change the device’s settings automatically,” he wrote. “Realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change.”
Updating an Internet router can be tricky, and doing so demands careful attention; an errant click or failure to follow closely the installation/updating instructions can turn a router into an oversized paperweight in no time. Normally when it comes to upgrading router firmware, I tend to steer people away from the manufacturer’s firmware toward open source alternatives, such as DD-WRT or Tomato. Most stock router firmware is fairly clunky and barebones (or includes undocumented “features” like the one discussed in this post); I have long relied on DD-WRT because it comes with all the bells, whistles and options you could ever want in a router firmware, but it generally keeps those features turned off by default unless you switch them on.
Unfortunately, none of the models listed above appear to be compatible with either firmware. Also, some of these routers are old enough that they don’t support the more secure wireless encryption protocols, such as WPA-2; others may even require users to administer the router using Internet Explorer (not much of an option for Mac users).
For these reasons, I would suggest that anyone with a vulnerable router consider upgrading to a newer device. Asus, Buffalo and Linksys make many routers that are broadly compatible with DD-WRT and Tomato, but you may want to check their respective compatibility pages (linked in this sentence) prior to purchasing a new one.
Update, 8:43 a.m. ET: Updated list of routers affected, per the official D-Link advisory on this (H/T @William_C_Brown).
Okay, the backdoor is a cool find, but how many of these devices really have the web server enabled on the Internet interface? I believe by default most devices only have this web admin interface enabled on the LAN?
Yes, but this could make you vulnerable to an attack through the WiFi interface.
Except that the samples in the wild were using malvertisement injected Javascript to access the web interface on the internal network.
http://wepawet.iseclab.org/view.php?hash=ab6ba66274172ac79b731886df4c05f0&t=1385306042&type=js
Just a note, the UK DLink web site has updates for more models than are listed in the article (it may have been updated). So, you need to check there to see if there is an update for your router.
Great article, Brian, with good info. Thanks very much for this!
Backdoor built in by whom? NSA? Or Chinese?
Strange, that this router has been around for some time and only now they manage to find this backdoor. My question is — WHAT took them so long?
“I have long relied on DD-WRT because it comes with comes with all the bells”
It’s said in the Russian forum post:
Try to read the string backwards.
xmlset_roodkcaBleoJ28840ybtide turns into
Edit By 04882 JoelBackdoor
heh, this one has been out for a while. About a month or so.
I am not a big fan of wireless IP networks – even to this day. It’s another “matter of convenience” and cosmetic appeal. To my tastes there is still too much wrong with it, and not enough right. No I don’t care to elaborate.
To each their own. isc.sans.edu had an article about a vacuum that had a chip in it, from china of course, that would look for a hot spot and the vacuum would spit forth spam. I can only these new garbage gadgets from the Big Red Spam machine are in retaliation for us catching them hacking some of our larger websites. Now, devices that are wireless enabled – even the LG TV’s – call home, and that feature even if turned off, it’s reported that it will continue to provide info with the “feature” disabled.
Oh joy. New items under the Christmas tree that are willing to silently eat up your bandwidth. What a bunch of Ho Ho Horseshit.
This is why network security, information security, CNA and CND will probably never go away.
“To each their own. isc.sans.edu had an article about a vacuum that had a chip in it, from china of course, that would look for a hot spot and the vacuum would spit forth spam.” See: https://isc.sans.edu/diary/Is+your+vacuum+cleaner+sending+spam%3F/16958 .
“The story claimed that appliances like tea kettles, vacuum cleaners and iron(y|ing) irons shipped from China and sold in Russia were discovered to contain rogue, WiFi enabled chip sets.”
I think that article was a bit of tongue-in-cheek for SANS. The original report at The Register leaves ample room for doubt. N.B. the final paragraph, and “Nonsense” in the Reader Comments section. http://www.theregister.co.uk/2013/10/29/dont_brew_that_cuppa_your_kettle_could_be_a_spambot/
I’m looking at the age of these models and thinking, “Who in the heck ever gets a D-Link router to last that long anyway?”
I use a Buffalo Tech N router (WPA-PSK2) and it’s an excellent unit with outstanding tech support; however, it’s not as good as, say, a Sonic Wall unit.
I actually just replaced a DI-604 router that my father has been using since 2005. Looks like it was just in time. That router was so old it wouldn’t even be worth updating the firmware since it didn’t even support WPA-2.
From the D-Link forum on dslreports.com
Most of these models were only marketed in the EU region. Only affects those model routers.
From the dlink page:
Immediate Recommendations for all D-Link router customers
Do not enable the Remote Management feature since this will allow malicious users to use this exploit from the internet. Remote Management is default disabled on all D-Link Routers and is included for customer care troubleshooting if useful and the customer enables it.
If you receive unsolicited e-mails that relate to security vulnerabilities and prompt you to action, please ignore them. When you click on links in such e-mails, it could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages where you are asked to click or install something.
Make sure that your wireless network is secure.
So it appears that if the remote management feature is not enabled, it is not a problem.
I don’t feel confident enough to do a D-link Router firmware upgrade… BUT… The “Remote Management” setting in my DI-524 D-Link Router has been [X] DISabled for the last 7 years. Am I safe from this exploit? Brian? Anybody?
Maybe they can fix yet another critical bug :
http://seclists.org/fulldisclosure/2013/Dec/6
D-Link routers authenticate administrative access using specific User-Agent string
– http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10001
Last updated: Dec 3, 2013
Rev -9-
– https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6026 – 10.0 (HIGH)
“… as exploited in the wild in October 2013.”
Hi Brian,
thanks a lot for your blog, which I have enjoyed for several years now.
I might have something interesting to add to this post. There are severe vulnerabilities on D-Link’s DSR small business router models.
http://www.exploit-db.com/exploits/30062/
http://www.exploit-db.com/papers/30061/
Patches are available via http://tsd.dlink.com.tw
Intriguing: neither http://securityadvisories.dlink.com/security/ nor http://www.dlink.com/uk/en/support/security are announcing them – so how will users learn about the patches?
This is why I’m posting here.
Thanks!
— nu11
Also, some D-Link routers have strange unknown users in /etc/shadow. In the dsr1000, for example.