I heard about a backdoor found recently in D-Link router firmware code that can modify a router's settings. Can you tell me what this means and how to mitigate the vulnerability?
Ask the Expert
Perplexed about network security? Send us your questions today! (All questions are anonymous)
This particular router backdoor, for which D-Link released a patch in December, pertains to a D-Link router vulnerability discovered by Craig Heffner at Tactical Network Solutions. As described in his blog, the vulnerability is created when the following string is entered in the user agent field of an HTTP packet:
After this string is entered, attackers can send the specially crafted HTTP packet to a vulnerable D-Link router, which would then allow access to the router's Web interface.
Let's delve into this a little further.
What is the user agent field? This HTTP header field tells Web servers how to communicate with incoming GET requests. Before the Internet boom of the 1990s, this was an important field to fill in correctly, and required some knowledge of computer science. Now, with the inception of the modern-day Web browser, this field is handled by the likes of Google Chrome, Apple Safari and other browsers, and is completely transparent to the end user.
A typical user agent field may look something like this:
User Agent: Chrome/31.0.1650.57
The field lets any Web server the end user is connecting with know that the end user is utilizing Chrome version 31.0.1650.57. This is very important information because in many cases it's how the Web server determines how to render certain pages.
Now, in the case of the above-mentioned router backdoor vulnerability, if it's unpatched, an attacker could create his own HTTP packet and user agent string. As Heffner noted, the string has the ability to manipulate the Web server of certain D-Link routers into allowing unauthorized access to it. This means that unauthorized individuals will essentially have management access to a wireless access point and can have a field day inside the network.
Any organizations using D-Link should obviously install the firmware updates, but just in case I would recommend turning off remote access to D-Link router Web servers, which, according to D-Link, should be turned off by default anyway. In a business environment, this type of feature usually isn't necessary on a router of any kind, so consider checking similar devices from other manufacturers to ensure it's disabled. If disabling it isn't possible due to operational reasons, I recommend placing D-Link routers behind a firewall that is capable of searching the contents of incoming packets and blocking the above-mentioned user agent string.
This was first published in February 2014