Monday, 14 October 2013 18:21

Some D-Link Routers Have Flaw In Embedded Webserver that Allows Remote Control

Written by

Reading time is around minutes.

Remember the issue with IP Cameras where users were able to by-pass security and view camera input all thanks to a flaw in the way the internal webserver was setup? Well it looks like a similar flaw is showing up in some D-Link routers. The first news of the flaw popped up on a blog dedicated to hacking embedded devices. The post was interesting in that it followed the same pattern used for the hack that allowed access to a number of IP cameras.


After downloading a commonly used firmware version from D-Link Craig Heffner then bug into it using Binwalk. It did not take too long to find and load the webserver into a disassembler to find the weaknesses in how it presents to the world. Heffner then found a variable named “alpha_auth_check” Further investigation into this showed that the variable would return a value of 1 if a user was authenticated. This makes this little line of code a very important part of the security of D-Link’s routers. Because the firmware looks for a specific string in response to the authentication request it was not too hard to find out what the proper string was. By changing your browser’s user-agent string to “xmlset_roodkcableoj28840ybtide” you can appear to be an authenticated user and get around any security someone has put in place. After that, the malicious individual has open access to everything on your router.

The method of “hacking” an embedded website and the magic authentication string are not really new and have been discussed before. What makes this new is that this appears to be the first time that anyone has really put everything together in one place. So far the affected routers from D-Link are the DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240 as well as the DIR-615 from certain carriers.  This is not a good thing for D-Link or indeed any consumer edge product.

Although there is no full count on the number of devices that are affected more than one company is rushing to get a full count by searching for the exploit string. What we wonder is; was Craig Heffner the first person to find this or has this been out in the wild and in use by malicious individuals to gain access to systems protected by the affect models of D-Link hardware. As of right now there is no response from D-Link about this incident. That means, no word at all on a way to fix this. For now if you have a D-Link router that is listed as affected we would recommend reaching out to D-Link and asking them when they plan on fixing this, or start looking into buying another router to protect your network.

Tell us what you think in our Forum


Read 2445 times Last modified on Monday, 14 October 2013 18:25

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.