Backdoor in D-Link routers



Published: 2013-10-12 | Updated: 2017-03-24

Security Bulletin

This security bulletin contains one critical risk vulnerability.

1) Security bypass

EUVDB-ID: #VU4601

Risk: Critical

CVSSv3.1: 9.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2013-6026

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to an error in the alpha_auth_check() function. By setting the user agent string to xmlset_roodkcableoj28840ybtide, an attacker can send an HTTP request to bypass authentication and obtain administrative access to the device.

Successful exploitation of the vulnerability results in full access to the vulnerable system.

Note: the vulnerability was being actively exploited.
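Because the bypass is triggered by a fixed User-Agent value, HTTP logs can be searched for it. The following is an added detection example, not code from the bulletin or the vendor; it assumes Combined Log Format lines from a proxy or HTTP sensor in front of the device's web interface, and the function names and sample lines are constructed for illustration.

```python
import re

# User-Agent value named in the bulletin's description of CVE-2013-6026.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumed input: Combined Log Format
#   ip ident user [time] "request" status size "referer" "user-agent"
# Quoted fields may contain backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' (\d{3}) \S+ ' + Q + ' ' + Q + r'\s*$'
)

def find_backdoor_requests(lines):
    """Return one record per log line whose User-Agent carries the backdoor string."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a combined-format line: skip it rather than guess at fields
        ip, when, request, status, _referer, ua = m.groups()
        # Case-insensitive substring match, deliberately looser than equality,
        # so re-cased or padded variants in the logs are reported too.
        if BACKDOOR_UA in ua.lower():
            hits.append({"line": lineno, "ip": ip, "time": when, "request": request,
                         "status": int(status), "served": 200 <= int(status) < 300})
    return hits

def sources_served(hits):
    """Source addresses that received a 2xx answer: review those devices first."""
    return sorted({h["ip"] for h in hits if h["served"]})

# Constructed sample lines (documentation-range addresses, generic paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Oct/2013:10:01:02 +0000] "GET / HTTP/1.1" 401 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [12/Oct/2013:10:01:05 +0000] "GET / HTTP/1.1" 200 4096 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.9 - - [12/Oct/2013:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 128 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.0.2.44 - - [12/Oct/2013:10:02:00 +0000] "GET / HTTP/1.1" 401 512 "-" "XMLSET_ROODKCABLEOJ28840YBTIDE"',
    'malformed line',
]

if __name__ == "__main__":
    found = find_backdoor_requests(SAMPLE_LOG)
    for h in found:
        print(h["line"], h["ip"], h["time"], h["status"], h["request"])
    print("served with 2xx:", sources_served(found))
```

A hit with a 2xx status means the request was answered rather than refused, so the device behind it should be checked for configuration changes and updated.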

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Brl-04ur: 1.0.1

Dsl-321B: 1.02

Dsl-320B: 1.25

Dir-865L: 1.05b07

Dir-845L: 1.01b02

Dir-815: 1.03

Dir-645: 1.03

Dir-615: 1.03

Dir-600: 2.17b02

Dir-300: 1.06b05

Dir-120: 1.05b02

Dir-100: 1.14b02

Di-524up: 1.08b02

Dir-524: 5.13b01

External links

http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.


