Reverse Engineering a D-Link Backdoor

Here’s one true hack (Google cache link) for our dear Hackaday readers. On a Saturday night, as [Craig] didn’t have anything else to do, he decided to download the firmware of an old D-Link DIR-100 router (because who wouldn’t?). His goal was to see what interesting things he could find in it. He fired up binwalk to extract the SquashFS file system, then loaded the router’s web server binary into the multi-processor disassembler/debugger IDA. [Craig] discovered that the web server is actually a modified version of thttpd, providing the administrative interface for the router. As you can see in the picture above, it seems Alphanetworks (a spin-off of D-Link) performed the modifications.

Luckily for [Craig], the guys at Alphanetworks were kind enough to prepend many of their custom function names with the string “alpha”. Looking at the disassembly of the HTTP authentication functions revealed that a backdoor is implemented in the firmware. If a user sets the string “xmlset_roodkcableoj28840ybtide” as their browser’s User-Agent, no authentication is required to gain access to the router’s administrative interface. One of the comments on the reddit thread points out that reading that string backwards results in: “edit by (04882) joel backdoor”.
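Because the bypass hinges on a fixed User-Agent value, the cheapest defensive check is to look for that value in whatever HTTP access logs you keep in front of or on the device. The script below is an added example written for this page, not code from the original article or from [Craig]; the log lines are constructed, the combined-log-style format and the field names are assumptions, and the only real value in it is the backdoor string quoted above. It also reverses the string so you can see the “edit by 04882 joel backdoor” marker the reddit commenter noticed.

```python
import re

# User-Agent value reported for the D-Link DIR-100 backdoor (quoted in the article).
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Constructed sample access-log lines in a combined-log-like format.
# These are NOT real captures; the addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2013:21:03:14 +0000] "GET /index.htm HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [12/Oct/2013:21:03:20 +0000] "GET /index.htm HTTP/1.1" 200 1322 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.7 - - [12/Oct/2013:21:05:02 +0000] "POST /login.cgi HTTP/1.1" 200 512 "-" "curl/7.32.0"
"""

# One combined-log line: client, identd, user, [timestamp], "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def is_backdoor_ua(ua):
    """Substring match so that a padded or prefixed User-Agent still triggers."""
    return BACKDOOR_UA in ua


def find_backdoor_requests(log_text):
    """Scan a block of log text and return every parsed request carrying the backdoor User-Agent."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_backdoor_ua(rec["ua"]):
            hits.append(rec)
    return hits


def decode_marker(ua):
    """Reverse the User-Agent to expose the developer's marker text."""
    return ua[::-1]


if __name__ == "__main__":
    print("reversed marker:", decode_marker(BACKDOOR_UA))
    for hit in find_backdoor_requests(SAMPLE_LOG):
        # A 200 on an admin page with this UA and no prior login is the signature to alert on.
        print(f"ALERT {hit['ip']} {hit['ts']} {hit['req']!r} -> {hit['status']}")
```

The substring match is deliberate: an attacker cannot change the magic value without losing the bypass, but nothing stops them from padding the header, so matching on equality alone would be fragile. On a real network the same rule belongs in the proxy or IDS that sees traffic to the router’s management port, since the router itself will not log the bypassed request as an authentication failure.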

Comments

  1. Lloyd says:

    Very interesting, surprised such a backdoor was added to it.

  2. lloydjatkinson says:

    Interesting. I wonder why such a backdoor was added, and also, why anyone would put their name into it?

  3. Andrew says:

    Let those not using OpenWRT suffer!

    • kommune78 says:

      What is OpenWRT? The article is about a D-link Router, did you even read it?

      • jpa says:
        • Jeff Nichols says:

          Note how the router isn’t on that list?

          • ChalkBored says:

            Note that it doesn’t excuse you from suffering.

          • Therefore he shouldn’t have bought it. Lack of OpenWRT compatibility is a dealbreaker

          • Blue Footed Booby says:

            @Krzysztof Września
            Eh, I’m more a Tomato guy.

          • Andrew says:

            So, what? Do it like true hardcore men do: Buy the router, port OpenWRT, submit patches… PROFIT!

          • fluffy says:

            @Andrew.

            Nah, real men use 2900 series routers snagged from the local university’s surplus store.

          • Quin says:

            No one is going to notice that, or notice that most of the routers involved in this problem are 11g or even pre-G devices. OpenWRT has so much bloat that it wouldn’t even fit in the 1 to 2 megs of firmware space that these older devices used. Instead, someone will insist that ‘real hackers would port it’ (oh, someone did that already) instead of porting it themselves because they know the words but don’t understand the device that the article is talking about.

      • ACID RAIN says:

        OpenWRT is a community-based custom router firmware used on consumer devices made by D-Link, Netgear, Linksys and several others. I use tomato, personally.

        Let me rephrase Andrew’s comment:
        Let those not using a superior option suffer!

        Since you are not aware of this option for many consumer routers, maybe you should look into it rather than flying off the handle at the mention of something you are not aware of. A 10 second Google search could have helped you a bit.

        • fartface says:

          Exactly. PFsense or other REAL firewall, none of this low end consumer grade junk in my home.

          Watchguard Firebox 700 running pfsense for real protection. Anything else is just kiddie stuff.

          • kaidenshi says:

            So what is your upgrade path if you ever get fiber or some other service greater than 100Mbps? Serious question, not trolling; while I’m not expecting fiber in my area any time soon, I have a gigabit network within the house and if Comcast makes good on their promise of 100Mb+ speeds here next year, I’ll be in the market for a GigE firewall.

          • h4x0rface says:

            Please provide more intel on your home security setup as well as your external IP address. =P

          • fluffy says:

            @kaidenshi

            Gigabit capable security appliances are still incredibly expensive. Even fancy enterprise level networks do not generally have any proper firewalls on Gb core networks. The traffic is often filtered in distribution or access, which just doesn’t need that kind of speed.

            The only reasonable option for an individual that needs a firewall that can handle that sort of speed is to roll their own out of an old system. Even then, unless the machine is powerful and dedicated, there will be significant latency.

            Another thing to consider is practical threats. If everything is configured well including your infrastructure, a firewall isn’t going to do much. It is like having a bulletproof front door and installing a picket fence.

          • M says:

            @kaidenshi

            pfSense runs on regular x86 hardware too so you can get a small form factor system w/ gigabit ethernet support built in or as PCIe cards.

          • tekkieneet says:

            There is the $99 Ubiquiti EdgeRouter Lite that can route a full 1Gbps traffic. Smallnetbuilder has a review of it. It is a low power and silent alternative to a PC based solution. It is running a fork of Vyatta 6.3.

  4. ACID RAIN says:

    What I’m wondering now is if the backdoor is still there in modern devices.

  5. Slurm McKenzie says:

    makes me wonder if other (d-link) routers have the same kind of backdoor.
    sometimes i use a portscanner in the “home user ip range” of my provider.
    i’m always impressed by how many router admin-interfaces are accessible from the web.
    the default logins don’t always work ;) a backdoor like this would make things a lot more “interesting” ….

  6. Justin Shipe says:

    Looks more like a forgotten maintenance hook than a true backdoor. Either way, it’s a good find and a nice hack.

  7. v00 says:

    Haven’t had a chance to read the article in full, but I’m fairly sure that binwalk is only used for finding filesystems and the like, and not for doing the actual reading. At least that’s how I use it. If I’m right you might wanna change the description.

  8. polossatik says:

    I never found a good reason to leave the router admin interfaces to be accessible from the web.

  9. greenbacks says:

    Thanks Joel for ruining for everyone!

  10. Wretch says:

    Very interesting. I’ve a D-Link IP webcam, DSCG-900, that I’ve been messing around with. Does anybody have any insight into this webcam? I can’t find any custom ROMs for it, which is a pity because it seems to be quite a capable device hardware-wise.

  11. tekkieneet says:

    DIR-100 is a slow prehistoric non-WiFi model, so it probably only has 256 or 512K FLASH and limited RAM and doesn’t have the resources to run uClinux based firmware, i.e. no OpenWRT, Tomato etc.

    If that backdoor is only accessible on the LAN and not the WAN side, it might not be as bad. The intruder would need either physical access or another hack to inject packets into the LAN. If that happens, your LAN would be a greater concern.

  12. Gdogg says:

    Coincidentally, the CTO of Alphanetworks is named joel. http://www.joesdata.com/executive/Joel_Liu_421313008.html

  13. Alpha Networks or ALFA Networks?

  14. Frank says:

    I know Joel’s brother, Luke Backdoor. Nice guy. Owns the domain backdoor.com and has the email address luke@my.backdoor.com.

  15. S21 says:

    Actually, I happen to be working with Alpha developing network equipment.
    Somebody’s going to face the firing squad here.

  16. M8R says:
  17. HomelyPoet says:

    “The same string has been found to work on seven D-Link routers (DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and the TM-G5240) and two from Planex (BRL-04UR and BRL-04CW).”
    -[http://www.bbc.co.uk/news/technology-24519307]

  18. NewCommentor1283 says:

    1) thanks for helping me guys, now i will know where to start on breaking your security ;)
    (brand/model of firewall always helps/is necessary in “getting past” it)

    2) if the internet link is 200ms then what the heck will going from 200+10 to 200+1 going to do?
    aka gigabit instead of 100mb is useless, unless you have 500$/month+ to spend on fiber ???
    last i checked that’s how much residential fiber costs, oh plus the installation, THOUSANDS!

    3) a back door in a home router? THAT IS ILLEGAL IN GERMANY !!!
    (unsecured wifi)
    D-Link will lose the privilege to sell in Germany, or at least get scrutinized
    and newer models get inspected for more spyware.
    hey that might even open a huge can of worms…

    4) (redacted)

  19. Joel Severin says:

    Heh, http://blog.erratasec.com/2013/10/that-dlink-bug-masscan.html
    A company that is committing a crime all over the Internet, nice for them when lil NSA bangs on the door.
