I looked over, saw my D-Link DIR-615 router and thought to myself: "Why not?"
Let’s quickly analyze:
This particular model does not have Telnet enabled by default, so I enabled it and logged in. When listing the existing users I saw two "Admin" accounts: one was mine and the other... well, I had no idea who the other one belonged to.
It is important to note that this second user has no access through the web interface and is not visible there either. In the configuration file you can see the two "admin" accounts, the second of which carries the attribute BACKDOOR set to the value 0x1.
The backdoor password is generated dynamically from the last four digits of the router's MAC address. I bought another router and again observed that the last digits of the MAC address are used to generate the backdoor password.
D-Link did not ship Telnet enabled by default, but that did not matter: even with Telnet disabled in the web interface, the service kept running under the covers. I reported the case to D-Link. The first contact was on 11/05/2016 through D-Link's website; on 12/05/2016 a D-Link representative replied that he had forwarded the report for analysis in Taiwan because he did not have this model in the United States.
I followed up by e-mail, and the D-Link representative informed me that the problem would also be present in another firmware version (v20.11), in which the Telnet service is active regardless of the option chosen in the web interface:
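The behaviour described above (telnetd still answering after Telnet has been switched off in the web interface) can be checked from the LAN side without trusting the web UI. The script below is an added example, not code from the original post or from D-Link: it opens a TCP connection to port 23, strips Telnet option negotiation bytes (RFC 854 IAC sequences) from whatever the service sends first, and reports whether a login prompt came back. The "fake router" server is a constructed stand-in so that the script runs offline; against a real device you would call `probe_telnet()` with the router's LAN address instead.

```python
"""Probe whether a router still answers on the Telnet port.

Added example, not part of the original post. The fake router below is a
constructed stand-in so the script runs offline; point probe_telnet() at the
router's LAN IP (e.g. "192.168.0.1") to test a real device.
"""
import socket
import threading

TELNET_PORT = 23
IAC = 0xFF                       # "Interpret As Command": starts a Telnet command
OPTION_CMDS = (0xFB, 0xFC, 0xFD, 0xFE)   # WILL, WONT, DO, DONT each carry one option byte


def strip_telnet_commands(data):
    """Remove IAC command sequences from raw bytes received from a Telnet server.

    Handles the two- and three-byte forms (IAC <cmd> and IAC WILL/WONT/DO/DONT <opt>);
    subnegotiation blocks (IAC SB ... IAC SE) are not expanded, which is fine for a
    banner grab. Returns (cleaned_bytes, saw_negotiation).
    """
    out = bytearray()
    saw = False
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            saw = True
            cmd = data[i + 1]
            i += 3 if cmd in OPTION_CMDS else 2   # IAC IAC (escaped 0xFF) is also skipped
            continue
        out.append(data[i])
        i += 1
    return bytes(out), saw


def probe_telnet(host, port=TELNET_PORT, timeout=3.0):
    """Connect to host:port and grab the first bytes the service sends.

    Returns a dict: 'open' is True if the TCP connect succeeded, 'telnet_negotiation'
    is True if IAC sequences were seen (a strong sign of a real telnetd), and
    'banner' holds the printable text, typically a "login:" prompt.
    """
    result = {"host": host, "port": port, "open": False,
              "telnet_negotiation": False, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""          # port open but silent: still worth reporting
    except OSError:
        return result               # refused, filtered or unreachable
    text, negotiated = strip_telnet_commands(data)
    result["telnet_negotiation"] = negotiated
    result["banner"] = text.decode("ascii", errors="replace").strip()
    return result


def start_fake_router(banner=b"\xff\xfd\x18\xff\xfd\x1flogin: "):
    """Constructed stand-in for a router whose telnetd keeps running.

    Listens on an ephemeral localhost port and, on the first connection, sends
    IAC DO TERMINAL-TYPE, IAC DO NAWS and a login prompt. Returns the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_local_port():
    """Return a localhost port that is (very likely) closed, for negative checks."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_fake_router()
    print(probe_telnet("127.0.0.1", port))
```

Run this once with Telnet enabled in the web interface and once with it disabled; if the second run still reports `open: True` with `telnet_negotiation: True` and a `login:` banner, the UI toggle is not controlling the daemon.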
I thanked the contact and asked when I could make the finding public, and received the following response:
Anyway, the problem was reported and acknowledged, and after that I heard a little more, but what about a fix? After the e-mail above, from 6/16/2016, I had no news for a long time; I sent several e-mails but received no answer until 08/06/2017. That is it: one year later I received an e-mail from my D-Link contact with a link to download the firmware that fixes my report.
After updating the router I could confirm that the backdoor user had been removed and that the password is no longer stored in clear text:
The update is available at http://support.dlink.com/, and D-Link has published a note acknowledging and fixing some of the vulnerabilities in this report:
I regret D-Link's delay in acting on the reported problem.