D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn61_dlwbr_dir600L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.
Every time the device starts, the /bin/telnetd.sh script automatically launches the telnet daemon with the username 'Alphanetworks' and static password 'wrgn61_dlwbr_dir600L' read from the /etc/alpha_config/image_sign file. The non-standard telnetd binary accepts the -u user:password flag, and the non-standard login binary verifies credentials using the strcmp() function, which is vulnerable to text comparison attacks. Because the credentials are hardcoded in the firmware, any attacker with access to the local network can log in without any additional knowledge of the device configuration.
The attacker gains unlimited access to the root shell with full administrative control over the device, enabling modification of configuration, network traffic interception, pivoting to the internal network, and persistent device takeover.
D-Link will not issue a patch because the device has reached End-of-Life (EOL) status. It is recommended to immediately withdraw the device from use and replace it with a supported model. Until replacement, the device must absolutely be isolated from untrusted network segments, telnet port access (23/TCP) must be blocked at the firewall level, and access to the local network must be restricted to trusted hosts only.
D-Link DIR-600L Hardware Revision B1 (End-of-Life status)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDlink Dir 600l
HWDlinkb1Dlink Dir 600l Firmware
OSDlinkwszystkie wersje
Related vulnerabilities
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInt...
D-Link DIR-600L A1: hardcoded backdoor telnet z dostępem root
Buffer overflow w D-Link DIR600L – parametr curTime w formSetEnableWizard
Buffer overflow w D-Link DIR-600L przez parametr curTime
Buffer overflow w D-Link DIR-600L — podatność krytyczna RCE