D-Link Router Backdoor Vulnerability

US-CERT, a part of the Department of Homeland Security, has issued a warning that the firmware in certain D-Link routers contains a backdoor that lets remote users access the router's administrative functions without entering the administrator password. Besides D-Link, Planex and Alpha Networks devices may also contain this firmware.

According to D-Link, the following D-Link routers are affected:

  • DIR-100
  • DIR-120
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

For more detailed, up-to-date information, see the D-Link page on this issue.

According to the original vulnerability report, the following Planex routers are likely affected:

  • BRL-04R
  • BRL-04UR
  • BRL-04CW

If you have one of these routers, check that remote configuration from the Internet is not allowed (the default setting). This setting may have been changed by ISPs that remotely administer customers' Internet connections.

Security researcher Craig Heffner found that these routers’ internal web server will accept and process any HTTP request that contains the User-Agent string “xmlset_roodkcableoj28840ybtide” without checking whether the connecting host is authenticated.
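A log check for the User-Agent described above, as an added example that is not part of the original advisory or of any vendor tooling. It assumes an upstream proxy or sensor records requests to the router's web interface in Combined Log Format; the sample lines, paths and addresses are constructed.

```python
import ipaddress
import re

# User-Agent value quoted in the advisory above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# RFC 1918 ranges treated as "LAN side"; any other source counts as external.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined Log Format: src ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic); paths and addresses are made up.
SAMPLE_LOG = [
    '192.168.0.23 - - [01/Jan/2024:09:12:01 +0000] "GET / HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.7 - - [01/Jan/2024:09:13:44 +0000] "GET / HTTP/1.1" 200 4096 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.168.0.50 - - [01/Jan/2024:09:15:10 +0000] "GET / HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"',
]

def find_backdoor_requests(lines):
    """Return one record per log line whose User-Agent contains BACKDOOR_UA."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or BACKDOOR_UA not in m.group("ua"):
            continue
        try:
            addr = ipaddress.ip_address(m.group("src"))
            external = not any(addr in net for net in LAN_NETS)
        except ValueError:
            external = None  # source logged as a hostname, origin unknown
        hits.append({
            "src": m.group("src"),
            "external": external,  # True means the request came from outside the LAN
            "time": m.group("time"),
            "request": m.group("request"),
            "status": int(m.group("status")),
        })
    return hits

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print(hit)
```

A hit with `external` set to True means the management interface is reachable from the Internet, which is the remote-configuration setting the advisory says to check.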