Q

Analyzing the risks of the D-Link router backdoor

Even though a patch was released for a recently discovered D-Link router backdoor, the flaw highlights a product feature that poses unnecessary risk.

I heard about a backdoor found recently in D-Link router firmware code that can modify a router's settings. Can you tell me what this means and how to mitigate the vulnerability?


This particular router backdoor, for which D-Link released a patch in December, pertains to a D-Link router vulnerability discovered by Craig Heffner of Tactical Network Solutions. As described in his blog post, the backdoor is triggered when the following string is placed in the User-Agent field of an HTTP request:

xmlset_roodkcableoj28840ybtide

An attacker who sends such a specially crafted HTTP request to a vulnerable D-Link router is then given access to the router's Web interface.

Let's delve into this a little further.

What is the user agent field? This HTTP header field tells a Web server which client software sent the request, so the server knows how to respond to it. Before the Internet boom of the 1990s, this was an important field to fill in correctly, and doing so required some knowledge of computer science. Now, with the advent of the modern Web browser, the field is filled in by the likes of Google Chrome, Apple Safari and other browsers, and is completely transparent to the end user.

A typical user agent field may look something like this:

User-Agent: Chrome/31.0.1650.57

The field lets any Web server the end user connects to know that the user is running Chrome version 31.0.1650.57. This is important information because in many cases it is how the Web server decides how to render certain pages.

Now, in the case of the router backdoor described above, if the router is unpatched, an attacker can craft his own HTTP request and user agent string. As Heffner noted, the string manipulates the Web server of certain D-Link routers into allowing unauthorized access. This means that unauthorized individuals essentially gain management access to a wireless access point and can have a field day inside the network.

Any organization using D-Link routers should obviously install the firmware updates, but just in case, I would also recommend turning off remote access to the D-Link router's Web server, which, according to D-Link, should be turned off by default anyway. In a business environment, this type of feature usually isn't necessary on a router of any kind, so consider checking similar devices from other manufacturers to ensure it is disabled on them as well. If disabling it isn't possible for operational reasons, I recommend placing D-Link routers behind a firewall that is capable of inspecting the contents of incoming packets and blocking the user agent string shown above.
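As an added example (not code from the original article, from D-Link or from Heffner's write-up), the following Python shows how a defender could implement the inspection recommended above: parse the headers of an HTTP request and flag the backdoor User-Agent, and scan Web-server access logs in combined log format for the same string. The request and log lines are constructed samples, and the addresses are RFC 5737 documentation placeholders.

```python
import re

# Backdoor User-Agent value quoted in the answer above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"


def parse_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP/1.x request into a dict keyed by
    lower-cased header name. Accepts CRLF or LF line endings and ignores the
    request line and any body."""
    head = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip "GET / HTTP/1.1"
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def is_backdoor_request(raw_request: str) -> bool:
    """True if the User-Agent header contains the backdoor string. The match is
    case-insensitive and substring-based, so a padded or browser-prefixed value
    is still flagged (a deliberately broader test than an exact comparison)."""
    ua = parse_headers(raw_request).get("user-agent", "")
    return BACKDOOR_UA in ua.lower()


# Combined log format ends with the quoted User-Agent field.
ACCESS_LOG_UA = re.compile(r'"([^"]*)"\s*$')


def flag_log_lines(lines) -> list:
    """Return (line_number, client_ip) for access-log lines whose User-Agent
    field contains the backdoor string."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_LOG_UA.search(line)
        if m and BACKDOOR_UA in m.group(1).lower():
            hits.append((n, line.split()[0]))
    return hits


# Constructed samples: one crafted request and three access-log lines.
SAMPLE_REQUEST = ("GET / HTTP/1.1\r\nHost: 192.0.2.1\r\n"
                  "User-Agent: xmlset_roodkcableoj28840ybtide\r\n\r\n")
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2013:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux) Chrome/31.0.1650.57"',
    '198.51.100.7 - - [10/Oct/2013:12:00:03 +0000] "GET / HTTP/1.1" 200 1040 "-" '
    '"xmlset_roodkcableoj28840ybtide"',
    '192.0.2.11 - - [10/Oct/2013:12:00:05 +0000] "GET / HTTP/1.1" 200 512 '
    '"http://192.0.2.1/" "Mozilla/5.0 (Windows NT 6.1) Safari/537.36"',
]
```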

This was first published in February 2014
