D-Link DIR-600L Hardcoded Telnet Backdoor Vulnerability

A hardcoded telnet backdoor has been identified in the D-Link DIR-600L router, specifically in Hardware Revision B1, which is now End-of-Life. The device activates a telnet daemon at boot, using the username 'Alphanetworks' and a static password 'wrgn61_dlwbr_dir600L', both of which are hardcoded and stored in plaintext within the firmware. This backdoor allows an unauthenticated attacker on the same local network to gain root access and full administrative control over the device.

Impact

Exploitation of this vulnerability provides an unauthenticated user on the local network with root access to the router, allowing complete control over the device. This includes the ability to execute arbitrary commands, modify router settings, intercept and alter network traffic, and install persistent malware.

Reproduction

The vulnerability can be reproduced by connecting to the router's telnet service on TCP port 23 using the default LAN IP address. After establishing a connection, the hardcoded username 'Alphanetworks' and the static password 'wrgn61_dlwbr_dir600L' must be entered at the login prompt. Successful authentication grants immediate access to a root shell.

Remediation

Users are advised to replace the device with a currently supported router model. As a temporary measure, the telnet daemon can be terminated and port 23 blocked, although this will be reset after a reboot.