[liberationtech] D-Link Backdoor
Pranesh Prakash
pranesh at cis-india.org
Fri Nov 1 08:10:29 PDT 2013
<http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/>
"In other words, if your browser’s user agent string is
“xmlset_roodkcableoj28840ybtide” (no quotes), you can access the web
interface without any authentication and view/change the device settings".
It seems it was put in through stupidity, rather than malice. Though,
it could be used for malicious purposes too, as seen in this
proof-of-concept code:
<http://pastebin.com/vbiG42VD>
~ Pranesh
--
Pranesh Prakash
Policy Director
Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash
--------------------
Postgraduate Associate & Access to Knowledge Fellow
Information Society Project, Yale Law School
T: +1 520 314 7147 | W: http://yaleisp.org
More information about the liberationtech
mailing list