D-link firewall teardown and vulnerability

This week started with news titled D-Link Router backdoor vulnerability discovered and Back door found in D-Link routers. This rather worrying security vulnerability on several D-Link branded modem routers made me to check my system because I use D-Link firewall. But let’s start from the basics. Because D-Link device was on news, where is a tear-down pictures of DI-604 for you:



Inside the box looks pretty much what you would expect to see in this kind of small networking device. There are somewhat more ICs than in a basic Ethernet switch.


On the bottom of the picture you can see the shielded RJ-45 connectors (4 for LAN in one block and 1 for WAN). The black component with marking H50601DR is Ethernet connection isolation transformer block that contains the isolation transformers for all five Ethernet ports. The DL1005C looks to be five port Ethernet switch that connects to LAN ports and the main processor. The DL7300 IC is the main CPU of this firewall device, it runs the operating system. The other ICs around it are Flash memory EN29LV040, EM35165TS-7 RAM, two regulators and one 74LVC144.

If you are looking for details on firmware, read Reverse Engineering a D-Link Backdoor blog posting.

Now to the Back door found in D-Link routers. The security vulnerability will allow full access into the configuration page of the router without knowing the username and password. According to the blog post, when you set your user-agent on your browser to a certain string, the modem or firewall device will skip the authentication functions and simply log you straight into the router. It means that D-secret is D-logon string allowing access to everything. All to get through the security checks is to change the user agent string of your web browser tool to a special value to access the router’s Web interface with no authentication.

This just makes me to wonder why so many security devices have this kind of hidden back doors in them. Whey the manufacturers all the time put those hard-coded passwords that pass all the checks to their devices that are supposed to be secure. This kind of secrets will be revealed all too often. In this case the the secret was in firmware update packet in plain text inside the code.

According to the blog post, the firmware version 1.13 is affected and as well a small amount of known D-Link products: The flaw means an attacker could take over all of the user-controllable functions of the popular home routers, which includes the DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 units (and some Planex routers). Most of those routers above are end-of-life routers and most likely not supported by D-Link anymore.

At this point, there’s no defence against the backdoor. The way to protect yourself is to disable WAN-port access to the administrative interfaces of affected products. If you have a D-Link product that is mentioned on this article, check your settings that administrative interface can’t be accessed from WAN interface.


  1. Tomi Engdahl says:

    D-Link to padlock router backdoor by end of October
    The backdoor lets attackers change a router configuration without authenticating

    D-Link will address by the end of October a security issue in some of its routers that could allow attackers to change the device settings without requiring a username and password.

    The issue consists of a backdoor-type function built into the firmware of some D-Link routers that can be used to bypass the normal authentication procedure on their Web-based user interfaces.

    “If your browser’s user agent string is ‘xmlset_roodkcableoj28840ybtide’ (no quotes), you can access the web interface without any authentication and view/change the device settings,”

    When read in reverse, the last part of this hard-coded value is “edit by 04882 joel backdoor.”

    D-Link will release firmware updates to address the vulnerability in affected routers by the end of October, the networking equipment manufacturer said via email.

    According to Heffner, the affected models likely include D-Link’s DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240 and possibly DIR-615.

  2. Tomi Engdahl says:

    Reverse Engineering a D-Link Backdoor

    He fired up binwalk to extract the SquashFS file system, then opened the router webserver on the multi-processor disassembler/debugger IDA. [Craig] discovered that the webserver is actually a modified version of thttpd, providing the administrative interface for the router. As you can see in the picture above, it seems Alphanetworks (a spin-off of D-Link) performed the modifications.


Leave a Comment

Your email address will not be published. Required fields are marked *