Reverse Engineering a D-Link Backdoor (devttys0.com)
196 points by comex on Oct 12, 2013 | hide | past | favorite | 30 comments



As a couple of reddit commenters point out, the user agent string that bypasses auth (according to the post) can be read backwards as "Edit by 04882 Joel Backdoor", and one possible Joel is CTO Alpha Networks, whose thttpd this appears to be.

I've no security expertise, but this seems cataclysmically bad!


He's not the CTO.

Specific title: Senior Director-Chief Technology Office

Via: http://www.joesdata.com/executive/Joel_Liu_421313008.html


Sigh. Should never have trusted that reddit comment!


CTO of Alpha Networks is named Kang Ting-Kan.

http://www.bloomberg.com/quote/3380:TT/profile

Where did you get "Joel"?


I hope Joel doesn't get in trouble :( He was kind enough to leave his employee number in there.


And if he did, I wonder which door they've shown him on the way out.


Apart from the backdoor, this code seems completely ridden with bugs. E.g.

    if(strstr(header, "User-Agent:") != NULL)
    {
        http_request_t->0xD0 = header + strlen("User-Agent:") + strspn(header, " \t");
    }
Note how you could have a header that includes 'User-Agent:' somewhere back in the value, and then arrive with an entirely incorrect pointer to what you think is the value - strstr just finds the needle anywhere in the haystack, not necessarily at the beginning. This particular piece (AFAICT) cannot be exploited for e.g. overruns or similar, maybe just for a subsequent crash or unexpected behaviour due to lack of input sanitization, but still, crazy strstr juggling on untrusted user input? Oh oh.

If the rest of this code looks like that, this should never, ever be exposed to the wild wild web.


So while you're right that the strstr() is lazy (should probably be a strncmp() or something), it's probably not that big of a deal in this particular case. The worst an attacker could do here is get a weird user agent string, which they could already do by just setting the User-Agent field to something weird...
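An added illustration of the two comments above (example code written for this thread, not the article's or the firmware's): the lazy strstr() lookup from the quoted snippet next to a header match anchored at the start of the line, run over constructed header lines.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the lazy pattern quoted in the thread: strstr() finds the field
 * name anywhere in the line, so a value that merely mentions "User-Agent:"
 * yields a pointer into the wrong place. Case-sensitive as well. */
const char *ua_value_lazy(const char *header)
{
    const char *p = strstr(header, "User-Agent:");
    if (p == NULL)
        return NULL;
    p += strlen("User-Agent:");
    return p + strspn(p, " \t");
}

/* ASCII case-insensitive compare of the first n bytes; stops safely at the
 * terminator of `line` because name[i] is never '\0' for i < n. */
static int name_eq(const char *line, const char *name, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Hardened form: the field name must be the whole token before the colon,
 * compared case-insensitively (HTTP field names are case-insensitive), and
 * only leading whitespace of the value is skipped. */
const char *header_value(const char *header, const char *name)
{
    size_t n = strlen(name);
    if (!name_eq(header, name, n))
        return NULL;
    if (header[n] != ':')   /* reject prefixes such as "User-Agent-Extra:" */
        return NULL;
    const char *p = header + n + 1;
    return p + strspn(p, " \t");
}

int main(void)
{
    /* Constructed sample header lines, one per case. */
    const char *lines[] = { "User-Agent: Mozilla/5.0",
                            "X-Note: mentions User-Agent: in body",
                            "user-agent:\tcurl/7.0" };
    for (size_t i = 0; i < 3; i++) {
        const char *a = ua_value_lazy(lines[i]), *b = header_value(lines[i], "User-Agent");
        printf("lazy=%s  anchored=%s\n", a ? a : "(null)", b ? b : "(null)");
    }
    return 0;
}
```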


I wonder why they didn't remove the debug symbols from the released firmware?


I wonder the same. It's probably by mistake. I remember some Wii games kept symbols, some others had .svn (or was it another VCS?) directories on disk.


This type of negligence should really be illegal.


Or you could just, you know, not buy their products.


The problem is I suffer when other people buy products like this.


Please point me to a backdoor-free option.


Running own software (this leaves you open to hardware backdoors).


I trust you evaluate all software for backdoors before purchase.


Doesn't this mean if '/admin/factory_reset' normally requires authentication, requesting '/admin/factory_reset?_=graphic/' would bypass this without the need for custom headers...


The check seems to happen in the path portion of the url, and the parameters part isn't checked.


No, the query string is not part of the URL.


I wonder if '/admin/graphic/../factory_reset' would work?


Or /admin;graphic/factory_reset (URI path parameters)


Does anyone know how to view this page in desktop mode on any Android browser? The pictures are not fully visible, and I've tried AOSP, Chrome, Firefox, Phony Firefox extension. Nothing works...


What is this backdoor for?


I would guess for both good and evil.

The good reason being able to login to the router to reset the password if the customer forgot it (I remember some home/small office routers don't reset the admin password when you use the reset button).

The evil reason being able to login remotely to any router and snoop around.


But isn't the web interface usually not accessible from WAN?


Well, I have a router that has remote-WAN-access disabled[1] ... and yet, if you type that (blurred out) IP:PORT into your browser you STILL get the prompt for user/pass. And if you type it correctly, you STILL access my router!!!!! So if my router has the same kind of UserAgent:roodkcabvogasn backdoor, I'm screwed.

I really should get a new router... like...very soon.

Also, I'm a conspiracy-nut and I think a significant amount of these "bugs" happen on purpose.

1. http://i.imgur.com/W06W1oB.png


Sure, but all the adversary needs is for the user to visit a webpage that makes his/her browser contact the router (i.e. from within the LAN). If the adversary has to take into account defeating the user's password, this becomes an impractical attack. With the backdoor, however…


Might be hard to set the user-agent for a JavaScript cross-origin request though...


Flash allows you to generate UPnP requests; just generate one to forward the web server port to the internet, and you have an easy solution.


Any statement from D-Link regarding this vulnerability?

