Backdoor in D-Link routers



Updated: 2017-03-24
Risk: Critical
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2013-6026
CWE-ID: CWE-113
Exploitation vector: Network
Public exploit: This vulnerability is being exploited in the wild.
Vulnerable software (category: Hardware solutions / Routers & switches, VoIP, GSM, etc):

Brl-04ur
Dsl-321B
Dsl-320B
Dir-865L
Dir-845L
Dir-815
Dir-645
Dir-615
Dir-600
Dir-300
Dir-120
Dir-100
Di-524up
Dir-524

Vendor: Planex, D-Link

Security Bulletin

This security bulletin contains one critical risk vulnerability.

1) Security bypass

EUVDB-ID: #VU4601

Risk: Critical

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2013-6026

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to an error in the alpha_auth_check() function. By setting the user agent string to xmlset_roodkcableoj28840ybtide, an attacker can send an HTTP request to bypass authentication and obtain administrative access to the device.

Successful exploitation of the vulnerability results in full access to the vulnerable system.

Note: the vulnerability was being actively exploited.
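
Because the bypass depends on a fixed User-Agent value, HTTP logs can be searched for it. The following is an added example, not part of the original bulletin or any vendor tooling; it assumes logs in Combined Log Format captured by a proxy or sensor in front of the device's web interface, and the sample lines and request paths are constructed.

```python
import re

# User-Agent value named in this bulletin for CVE-2013-6026.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumed input: Combined Log Format
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

def find_backdoor_requests(lines):
    """Return one dict per request whose User-Agent contains the backdoor string."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        # Substring match so padded or suffixed variants are still surfaced.
        if BACKDOOR_UA in m["ua"]:
            status = int(m["status"])
            hits.append({
                "line": lineno,
                "client": m["ip"],
                "time": m["time"],
                "request": m["request"],
                "status": status,
                # A 2xx answer means the device served the page: triage first.
                "served": 200 <= status < 300,
            })
    return hits

# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Oct/2013:10:01:02 +0000] "GET / HTTP/1.1" 401 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [12/Oct/2013:10:05:40 +0000] "GET / HTTP/1.1" 200 8841 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.9 - - [12/Oct/2013:10:05:44 +0000] "GET /admin HTTP/1.1" 403 120 "-" "xmlset_roodkcableoj28840ybtide"',
    'malformed line without the expected fields',
]

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        verdict = "SERVED" if hit["served"] else "rejected"
        print(f'{hit["time"]} {hit["client"]} {hit["request"]!r} -> {hit["status"]} ({verdict})')
```

Hits with a 2xx status indicate the device answered the request and should be investigated first; hits with other statuses still show that the device's web interface is reachable by the scanning host.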

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Brl-04ur: 1.0.1

Dsl-321B: 1.02

Dsl-320B: 1.25

Dir-865L: 1.05b07

Dir-845L: 1.01b02

Dir-815: 1.03

Dir-645: 1.03

Dir-615: 1.03

Dir-600: 2.17b02

Dir-300: 1.06b05

Dir-120: 1.05b02

Dir-100: 1.14b02

Di-524up: 1.08b02

Dir-524: 5.13b01

External links

http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.


