Security researcher Craig Heffner of Tactical Networking Solutions found a backdoor in several D-Link router models that enables complete and unauthenticated access to the device's administrative control panel simply by changing the browser's user agent string. When analysing a D-Link router firmware file, Heffner found an interesting hard-coded string in the authentication system. Basically, by changing a browser's user agent string to "xmlset_roodkcableoj28840ybtide" you can get full access to the router's web interface with no username or password required. The backdoor is present in numerous older models of D-Link routers, but can be mitigated by disabling remote access to the device's control panel.
While that could be the result of an unfortunate coding gaffe, the access seems deliberate: backwards, the string after the underscore reads 'edited by 04882 joel backdoor' - suggesting that a D-Link programmer called Joel inserted the back-door access deliberately in a sanctioned code edit.
'My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically,' writes Heffner. 'Realising that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, “Don’t worry, for I have a cunning plan!”'
The code has been discovered in numerous older models of D-Link router, including the DIR-100, DI-524 and DI-524UP, DI-604S, DI-604UP and DI-604+, and TM-G5240, as well as selected third-party routers based on D-Link hardware and software. Comments on Heffner's discovery have also suggested that the DIR-615, a newer device which is provided in customised form by selected ISPs, is also vulnerable. Other, newer routers may also include the back-door, but edited to trigger on a different and so-far undiscovered user agent string.
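One way to check HTTP logs for use of the user agent string described above, as an added example that is not from Heffner's write-up or from D-Link. It assumes Combined Log Format lines captured by a proxy or HTTP sensor in front of the router's web interface; the log lines, the function names and the "heuristic" rule for variants are constructed for illustration.

```python
import re

# User agent string the article reports as the backdoor trigger.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumed input: Combined Log Format lines from a proxy or HTTP sensor
# placed in front of the router's web interface.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(ua):
    """Return 'exact', 'heuristic' or None for a User-Agent value."""
    ua = ua.strip()
    if ua == BACKDOOR_UA:
        return "exact"
    # Heuristic (assumption, not from the article): a variant may keep the
    # "xmlset_" prefix or still spell "backdoor" when read backwards.
    if ua.lower().startswith("xmlset_") or "backdoor" in ua[::-1].lower():
        return "heuristic"
    return None

def scan(lines):
    """Return one finding per parsable line with a suspicious User-Agent."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        kind = classify(m["ua"])
        if kind:
            findings.append({"line": number, "src": m["src"],
                             "request": m["request"],
                             "status": int(m["status"]), "match": kind})
    return findings

# Constructed sample log (documentation-range addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Oct/2013:09:12:01 +0000] "GET / HTTP/1.1" 401 312 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [14/Oct/2013:09:14:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.23 - - [14/Oct/2013:09:15:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "xmlset_example_variant"',
    'not a log line',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on an "exact" finding from an address outside the local network is the case to investigate first, since the article notes the exposure depends on remote access being enabled.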