Backdoor discovered in D-Link routers


By Andrew Collins
Tuesday, 15 October, 2013

Backdoor discovered in D-Link routers

Several D-Link router models contain a vulnerability that would give an interloper complete administrative access over the devices, according to one vulnerability researcher.

According to researcher Craig Heffner, an unauthorised user can gain administrative access to routers running v1.13 of D-Link’s DIR-100 revA firmware by simply changing the user agent on their web browser.

“If your browser’s user agent string is ‘xmlset_roodkcableoj28840ybtide’ (no quotes), you can access the web interface without any authentication and view/change the device settings,” Heffner wrote in a blog entry.

Several users commenting on the post claim to have verified the exploit on their own router, or that of a stranger, via the internet.

Interestingly, the user agent string used in the exploit, when spelt backwards, reads: “editby04882joelbackdoor_teslmx” - or, when cleaned up, “Edit by Joel backdoor”.

Speculating on the possible reason for such a backdoor’s existence, Heffner wrote: “The ever neighbourly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS).”

Heffner continued: “My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, ‘Don’t worry, for I have a cunning plan!’”

According to Heffner, the vulnerability likely affects the following D-Link routers:

DIR-100
DI-524
DI-524UP
DI-604S
DI-604UP
DI-604+
TM-G5240

Several Planex routers - namely the BRL-04UR and the BRL-04CW - also appear to use the same firmware, he said. As such, they may also be affected.

“It is unknown if this exploit has previously been discovered or not; if so, it was certainly not publicised,” Heffner is quoted as saying on ITnews.

Users wanting to protect an affected router should disable remote administration on the device and make sure strong encryption is enabled on its wireless network, Heffner advised.

Related Articles

How the explosion of non-human identities is changing cybersecurity

A surge in machine‍-‍to‍-‍machine communication and non‍-‍human...

Building stronger critical infrastructure with Zero Trust

Zero Trust provides a way to stay ahead of cyber attacks by assuming breaches will happen and...

Happy birthday, Active Directory!

Active Directory is a technology that has proved its staying power and has shaped enterprise IT...

Content from other channels on our network

Feeling the future: wearable tech simulates realistic touch

Novel method to extend lifecycle of Li-ion batteries

Single transistor used to implement neuromorphic behaviour

Enhancing stability in bioelectronic materials for computing

Mouser Electronics: Powering Innovation for Australian Engineers

Aust solar farms to deploy Canadian anti-hail tech

Praise for Senate committee report into electrification

Endeavour Energy launches new community battery program

WBT's New Ducting Catalogue Is Now Available!

Tackling EV misinformation at Everything Electric

5G mmWave extended to 14 km in nbn field trials

Mavenir and Terrestar achieve NTN Voice over NB-IoT call

GNSS technique helps pedestrians navigate 'urban canyons'

S1 Pro: Redefining Conventional Radio Design for Enhanced Usability and Performance

Adapting drones for Army cargo delivery

  • All content Copyright © 2025 Westwick-Farrow Pty Ltd