D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir600l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.
At system startup, the /bin/telnetd.sh script launches the telnet service (telnetd) with a predefined username 'Alphanetworks' and static password 'wrgn35_dlwbr_dir600l', which is read from the /etc/alpha_config/image_sign file. The non-standard telnetd binary accepts the -u user:password flag, and the non-standard login binary verifies credentials using strcmp() function, which compares strings without additional protective mechanisms. Because the password is hardcoded in the firmware (CWE-798) and cannot be changed by the user, any attacker knowing these credentials can gain access. Successful authentication grants the attacker a shell with root privileges and full administrative control over the device.
An unauthorized attacker present in the local network can obtain a root shell with full administrative control over the device, enabling configuration modification, network traffic interception, and use of the router as an entry point for further lateral movement in the network.
The manufacturer will not release patches as the device has reached End-of-Life (EOL) status. Immediate removal of the device and replacement with a supported model is recommended. Until replacement, the device must be isolated from untrusted network segments, telnet port access (default TCP 23) must be blocked at the firewall level, and access to the device must be restricted exclusively to trusted hosts.
D-Link DIR-600L in Hardware Revision A1 — device in End-of-Life (EOL) status
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDlink Dir 600l
HWDlinka1Dlink Dir 600l Firmware
OSDlinkwszystkie wersje
Related vulnerabilities
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInt...
Hardcoded backdoor telnet w D-Link DIR-600L — nieautoryzowany dostęp root
Buffer overflow w D-Link DIR600L – parametr curTime w formSetEnableWizard
Buffer overflow w D-Link DIR-600L przez parametr curTime
Buffer overflow w D-Link DIR-600L — podatność krytyczna RCE