D-Link patches "Joel's Backdoor" security hole in its SoHo routers


About six weeks ago we wrote about an amusingly alarming security hole in various D-Link routers.

Simply by configuring your browser's User Agent setting to a not-terribly-secret string of characters, you could skip the router's login page and thus administer the router without knowing the password.

The alarming part of the hole is that the string is comparatively easy to find in the firmware of all affected routers:

    xmlset_roodkcableoj28840ybtide

The amusing part is what happens if you ignore the xmlset part and reverse the rest:

    Edit by 04882 Joel: Backdoor

We were never quite sure if this was a cheap trick by D-Link so that its own command line utilities could work what you might call "frictionless magic" with your router - look Ma! no password required! - or if it was the accidental aftermath of debugging code that got forgotten.

We never found out who Joel was, either, and we have no idea if 04882 was his D-Link staff number, his nickname, or even some kind of curious date-and-time marker.
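The string above hides in plain sight because it is stored backwards. The sketch below is an added example, not code from D-Link or from the original article: it pulls printable strings out of a binary image and checks each one both forwards and reversed against a small watch list. The watch list and the sample "firmware" bytes are constructed for illustration.

```python
import re

# Watch list of words that should not appear in shipped firmware.
# The list is an assumption made for this example.
SUSPICIOUS = ("backdoor", "debug", "bypass")

def printable_strings(blob, min_len=6):
    """Yield (offset, text) for runs of printable ASCII, like Unix `strings`."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")

def audit(blob):
    """Return (offset, string, direction, keyword) for every suspicious hit."""
    hits = []
    for offset, s in printable_strings(blob):
        views = (("forward", s.lower()), ("reversed", s[::-1].lower()))
        for direction, text in views:
            for word in SUSPICIOUS:
                if word in text:
                    hits.append((offset, s, direction, word))
    return hits

# Constructed sample standing in for a firmware image: binary padding around
# a few strings, one of which is the string quoted in the article.
SAMPLE = (
    b"\x7fELF\x01\x01\x00\x00" + b"\x00" * 16
    + b"HTTP/1.1 200 OK\x00"
    + b"xmlset_roodkcableoj28840ybtide\x00"
    + b"User-Agent\x00\x00\xff\xfe"
    + b"example_config_string\x00"
)

if __name__ == "__main__":
    for offset, s, direction, word in audit(SAMPLE):
        print(f"0x{offset:04x}  {s!r}  ({direction} match: {word})")
```

A forward-only keyword search would report nothing for this sample; only the reversed view flags the string.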

The immediate workaround for "Joel's Backdoor" was to make sure that your router wasn't accepting administrator connections (known as remote management) from the WAN interface, i.e. from traffic coming directly from the internet.

Fortunately, remote management from outside is blocked on D-Link routers by default, thus greatly reducing the risk to most devices.

→ With or without a security hole like this, you almost certainly don't want remote administration enabled on a SoHo router. Attackers will spot your router at home, and they will regularly and routinely be probing for holes, known and unknown, that could get them into your network. (Check your logs for proof.) Never rely on being "too small and uninteresting" for the crooks.

Nevertheless, it's still a pretty big risk if anyone on your network can tweak, or be tricked into tweaking, your router settings.

Even if you only let trustworthy friends or family onto your LAN, they might be infected with malware that gives cybercrooks a foothold inside your network and thus direct access to your router.

Or they could be tricked into clicking on a link that was served up from outside, but which points to an internal configuration page on your router.
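Because the backdoor is triggered by a fixed User-Agent value, any HTTP log that records that header can be searched for it. The following is an added example, not part of the original article: it assumes a proxy or sensor that writes Apache-style "combined" log lines for traffic to the router's admin interface, and the sample lines, addresses and paths are constructed.

```python
import ipaddress
import re

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"  # string quoted in the article

# Private (RFC 1918) ranges: a match here means the request came from the LAN.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Apache/nginx "combined" layout; assumed format of the log being searched.
LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def find_backdoor_requests(lines):
    """Return one alert dict per request presenting the backdoor User-Agent."""
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["ua"].strip() != BACKDOOR_UA:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            origin = "LAN" if any(src in net for net in RFC1918) else "WAN"
        except ValueError:  # log recorded a hostname instead of an address
            origin = "unknown"
        alerts.append({
            "time": m["ts"],
            "source": m["src"],
            # LAN: a host inside the network; WAN: remote management is exposed.
            "origin": origin,
            "request": m["req"],
            # Assumption: 200 means the page was served without a login prompt.
            "served": m["status"] == "200",
        })
    return alerts

# Constructed sample log lines; paths and addresses are placeholders.
SAMPLE_LOG = [
    '192.168.0.23 - - [01/Jan/2014:09:14:01 +0000] "GET / HTTP/1.1" 401 312 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '192.168.0.57 - - [01/Jan/2014:09:15:40 +0000] "GET /example-settings.htm HTTP/1.1" 200 8841 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.9 - - [01/Jan/2014:09:17:12 +0000] "GET / HTTP/1.1" 401 312 "-" "xmlset_roodkcableoj28840ybtide"',
]

if __name__ == "__main__":
    for alert in find_backdoor_requests(SAMPLE_LOG):
        print(alert)
```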

So the good news is that D-Link has just published firmware upgrades for the routers affected by "Joel's Backdoor," namely the following models:

DIR-100  Rev A1     Upgrade 1.13        -> 1.14/1.14B01
DIR-120  Rev A1     Upgrade 1.03/1.04RU -> 1.05B01
DI-524   Rev E3/E4  Upgrade 5.12        -> 5.13B01
DI-524UP Rev A1/A2  Upgrade 1.07        -> 1.08B01
DI-604UP Rev A1     Upgrade 1.03        -> 1.04B01
DI-604+  Rev A1     Upgrade 1.10        -> 1.11B02
DI-624S  Rev B1/B2  Upgrade 1.11        -> 1.12B01
TM-G5240 Rev A1     Upgrade 4.00B29     -> 4.01B01

You can find out more about the hole that was patched (and hear our advice to programmers on avoiding this sort of vulnerability) in this Sophos podcast:



Our discussion of the D-Link hole starts at 2'56".


7 Responses to D-Link patches "Joel's Backdoor" security hole in its SoHo routers

  1. Jim · 321 days ago

    Funny they should fix it in firmware: The last time I installed firmware on a D-Link router, it turned my $300 router into a sophisticated brick. And, they refused to even discuss how to fix it.

    So, I swore off D-Link. Now I'm doubly glad.

    Keep up the good work!

    • Paul Ducklin · 321 days ago

      What's a "sophisticated" brick? One that can build itself into a wall?

      • Jim · 254 days ago

        Or "boat anchor". Essentially, "bricked" is the term I use for hardware that's been fried somehow. It becomes the functional equivalent of a brick: not very useful any more.

        • Paul Ducklin · 254 days ago

          No, no, not "boat anchor"! (The analogy doesn't work in respect of size, mass or shape.)

          "Brick" *does* work metaphorically, since most routers - older, less trendy ones, anyway - are shaped and sized like a brick, even if they lack the mass and compressive strength of a real brick.

          My comment was a joke - the function of bricking a router makes it *unsophisticated*, does it not? So I asked, "What's a *sophisticated* brick."

          Evidently the joke wasn't terribly funny, or even, indeed, actually detectable as a joke. Sorry about that.

          • Jim · 232 days ago

            I thought it might have been a language thing. No worries! And, you're right, it's not a boat anchor. Brick fits, although maybe I could put some grass seed on it and call it a Chia Brick?

            By the way, the "Enter your comment here" text in this field doesn't disappear any more when you click in the field. You might want to tell the web guys about it.

            • Paul Ducklin · 231 days ago

              It vanishes as soon as you start typing, rather than merely when you click in it. (At least, it does for me in Firefox.)

              • James Burke · 229 days ago

                Greetings,

                The "technical term" here is "glorified paper-weight".

                Kindest regards,

                James


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog