This week started with news titled D-Link Router backdoor vulnerability discovered and Back door found in D-Link routers. This rather worrying security vulnerability in several D-Link branded modem routers made me check my own setup, because I use a D-Link firewall. But let’s start from the basics. Because a D-Link device was in the news, here are tear-down pictures of a DI-604 for you:
Inside the box looks pretty much like what you would expect to see in this kind of small networking device. There are somewhat more ICs than in a basic Ethernet switch.
At the bottom of the picture you can see the shielded RJ-45 connectors (four LAN ports in one block and one WAN port). The black component marked H50601DR is the Ethernet isolation transformer block; it contains the isolation transformers for all five Ethernet ports. The DL1005C appears to be a five-port Ethernet switch that connects the LAN ports to the main processor. The DL7300 IC is the main CPU of this firewall device; it runs the operating system. The other ICs around it are EN29LV040 Flash memory, EM35165TS-7 RAM, two regulators and one 74LVC144.
If you are looking for details on the firmware, read the Reverse Engineering a D-Link Backdoor blog post.
Now to the Back door found in D-Link routers. The vulnerability gives full access to the router’s configuration pages without knowing the username and password. According to the blog post, when you set the User-Agent header of your browser to a certain string, the modem or firewall device skips its authentication functions and simply logs you straight in. In effect, that one string is a master logon that opens everything. All it takes to get past the security checks is to change the user-agent string of your web browser (or any HTTP tool) to the special value, and the router’s web interface opens with no authentication at all.
This just makes me wonder why so many security devices have this kind of hidden back door in them, and why manufacturers keep putting hard-coded passwords that pass all the checks into devices that are supposed to be secure. Secrets like this are revealed all too often. In this case the secret was sitting in plain text inside the code in the firmware update package, where anyone with a disassembler (or just the strings tool) could find it.
According to the blog post, firmware version 1.13 is affected, along with a small number of known D-Link products. The flaw means an attacker could take over all of the user-controllable functions of these popular home routers, which include the DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 units (and some Planex routers). Most of the routers listed are end-of-life and most likely no longer supported by D-Link, so do not count on a firmware fix arriving.
At this point there is no fix for the backdoor itself. The way to protect yourself is to disable WAN-side access to the administrative interface of affected products. If you have a D-Link product mentioned in this article, check your settings so that the administrative interface (often labelled remote management) cannot be reached from the WAN interface. Keep in mind that this only limits exposure: the bypass still works for anyone who can reach the web interface from the LAN side, so any untrusted or compromised device on your network can reconfigure the router.