Categories: exploit, vuln
Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a "secret" value. Using the "secret" User-Agent bypasses authentication and allows admin access to the router.
The following router models are likely to be vulnerable: DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240
In addition, several Planex routers also appear to use the same firmware: BRL-04UR, BRL-04CW
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
nmap -sV --script http-dlink-backdoor <target>
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-dlink-backdoor: | VULNERABLE: | Firmware backdoor in some models of D-Link routers allow for admin password bypass | State: VULNERABLE | Risk factor: High | Description: | D-Link routers have been found with a firmware backdoor allowing for admin password bypass using a "secret" User-Agent string. | | References: |_ http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
License: Same as Nmap--See https://nmap.org/book/man-legal.html