Remote access to a DSL-2750U ADSL Router (a sort-of hack)

Usually I use a SSH connection forwarded through my ADSL router to one of my home servers for remote access to my network. The server in question though had become un-responsive so I had no way remotely into my network.

For fun I nmap’d the public IP of my ADSL router and found the following interesting port open:

80/tcp   open   http

I thought I had switched off all the “remote” control methods on my router but clearly not, visiting the page gave me the following (scary) login screen.

D-Link Remote Support Login

A bit of googling shows that this router has a special ‘support’ login for remote troubleshooting by Telkom built into the firmware (for the South Africa firmware anyway) the default password for this account is ‘TelkomDlink12345’

The setup web-interface that loads when logged in as ‘support’ is a little more limited than the standard one you get logged in as Admin, unfortunately one of the features that was not available in support mode was the port-forwarding rules which is what I wanted access too.

I used the site map link at the top of the page to show a list of all the features that were accessible in ‘support’ mode. My curiosity got the better of me and I right-clicked and viewed the frame source. A quick search for ‘forward’ and I found the following html/javascript code:

<script type='text/javascript'>
if (VirtualServers=='1')
 document.write('<LI><A href="scvrtsrvview.html">Port Forwarding</A>');

The only ‘security’ to stop a support user performing admin commands appears to be a javascript if statement. A quick change of /index.html to /scvrtsrvview.html in the URL and I could access the port-forwarding rules and change the IP of the server my ssh connection forwarded too.

How to fix this?

Change all the passwords for the default accounts (admin, support and user) and disable the remote admin interface if you don’t need it.