Reverse Engineering a D-Link Backdoor

Here’s one true hack (Google cache link) for our dear Hackaday readers. On a Saturday night, as [Craig] didn’t have anything else to do, he decided to download the firmware of an old D-Link DIR-100 router (because who wouldn’t?). His goal was to see what interesting things he could find in it. He fired up binwalk to locate and extract the SquashFS file system, then loaded the router’s web server binary into IDA, the multi-architecture disassembler/debugger. [Craig] discovered that the web server is actually a modified version of thttpd, which provides the administrative interface for the router. As you can see in the picture above, it seems Alphanetworks (a spin-off of D-Link) performed the modifications.

Luckily for [Craig], the folks at Alphanetworks were kind enough to prefix many of their custom function names with the string “alpha”. Looking at the disassembly of the HTTP authentication functions revealed that a backdoor is implemented in the firmware: if a client sends the string “xmlset_roodkcableoj28840ybtide” as its browser User-Agent, no authentication is required to gain access to the router’s administrative interface. One of the comments on the reddit thread points out that reading that string backwards gives: “edit by (04882) joel backdoor”.
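To make the bypass concrete, here is an added example (not code from the original post, from [Craig]’s write-up, or from the firmware itself): a small Python model of the described decision, a matching User-Agent short-circuits the credential check, placed beside the hardened form that ignores the User-Agent, plus a check that scans web server access log lines for the magic string. The log format, the sample lines, the request paths and the function names are constructed for illustration and are assumptions, not anything taken from the router.

```python
"""Model of the User-Agent backdoor described in the post, plus a log check.

Added example: the auth-check functions are a constructed model of the
behaviour the post describes, not the firmware's actual code. The log
lines and their format are constructed sample data.
"""
import re

# The User-Agent value the post reports as bypassing authentication.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"


def reverse_string(s: str) -> str:
    """Read the string backwards, as the reddit comment in the post did."""
    return s[::-1]


def vulnerable_is_authorized(headers: dict, credentials_ok: bool) -> bool:
    """Constructed model of the described check: a matching User-Agent
    skips the credential check entirely, whatever the credentials were."""
    if headers.get("User-Agent") == BACKDOOR_UA:
        return True
    return credentials_ok


def hardened_is_authorized(headers: dict, credentials_ok: bool) -> bool:
    """Same decision with the User-Agent removed from the trust decision:
    request metadata the client controls must never replace authentication."""
    return credentials_ok


# Constructed sample access-log lines: Common Log Format with a referer
# and a User-Agent field appended (the "combined" layout). The second line
# carries the backdoor string from a WAN-side address.
SAMPLE_LOG = """\
192.168.0.10 - - [12/Oct/2013:21:04:01 +0000] "GET /index.htm HTTP/1.1" 200 1533 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2013:21:05:44 +0000] "GET /admin.htm HTTP/1.1" 200 2210 "-" "xmlset_roodkcableoj28840ybtide"
192.168.0.11 - - [12/Oct/2013:21:06:12 +0000] "POST /login.htm HTTP/1.1" 401 512 "-" "curl/7.32.0"
"""

# client ip, request line, status, size, referer, user agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*? "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def find_backdoor_requests(log_text: str) -> list:
    """Return the parsed log entries whose User-Agent is the backdoor string."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ua") == BACKDOOR_UA:
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    print("reversed:", reverse_string(BACKDOOR_UA))
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print("backdoor User-Agent from", hit["ip"], "->", hit["request"], hit["status"])
```

The log check is only useful where the device’s HTTP requests are actually logged (a proxy, IDS or the router’s own logs if it keeps them); the point of the two `is_authorized` variants is that the fix is not a longer secret string but removing the User-Agent from the authorization decision altogether.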

47 thoughts on “Reverse Engineering a D-Link Backdoor”

    1. I read someone’s assumption that it’s for automated patching, and since users can change the login name and password on the box, that would make maintenance more difficult. This way they can just make a Windows .exe that does it all for you.

      1. His name is Joel Backdoor, obviously.

        Oops, accidentally clicked “report” instead of “reply”. Nothing to report here, will now press the nurse button.

          1. No one is going to notice that, or notice that most of the routers involved in this problem are 11g or even pre-G devices. OpenWRT has so much bloat that it wouldn’t even fit in the 1 to 2 megs of firmware space that these older devices used. Instead, someone will insist that ‘real hackers would port it’ (oh, someone did that already) instead of porting it themselves because they know the words but don’t understand the device that the article is talking about.

      1. OpenWRT is a community-based custom router firmware used on consumer devices made by D-Link, Netgear, Linksys and several others. I use tomato, personally.

        Let me rephrase Andrew’s comment:
        Let those not using a superior option suffer!

        Since you are not aware of this option for many consumer routers, maybe you should look into it rather than flying off the handle at the mention of something you are not aware of. A 10 second Google search could have helped you a bit.

        1. Exactly. PFsense or other REAL firewall, none of this low end consumer grade junk in my home.

          Watchguard Firebox 700 running pfSense for real protection. Anything else is just kiddie stuff.

          1. So what is your upgrade path if you ever get fiber or some other service greater than 100Mbps? Serious question, not trolling; while I’m not expecting fiber in my area any time soon, I have a gigabit network within the house and if Comcast makes good on their promise of 100Mb+ speeds here next year, I’ll be in the market for a GigE firewall.

          2. @kaidenshi

            Gigabit capable security appliances are still incredibly expensive. Even fancy enterprise level networks do not generally have any proper firewalls on Gb core networks. The traffic is often filtered in distribution or access, which just doesn’t need that kind of speed.

            The only reasonable option for an individual that needs a firewall that can handle that sort of speed is to roll their own out of an old system. Even then, unless the machine is powerful and dedicated, there will be significant latency.

            Another thing to consider is practical threats. If everything is configured well including your infrastructure, a firewall isn’t going to do much. It is like having a bulletproof front door and installing a picket fence.

          3. @kaidenshi

            pfSense runs on regular x86 hardware too so you can get a small form factor system w/ gigabit ethernet support built in or as PCIe cards.

          4. There is the $99 Ubiquiti EdgeRouter Lite that can route a full 1Gbps of traffic. Smallnetbuilder has a review of it. It is a low-power and silent alternative to a PC-based solution. It is running a fork of Vyatta 6.3.

  1. Makes me wonder if other (D-Link) routers have the same kind of backdoor.
    Sometimes I use a port scanner in the “home user IP range” of my provider.
    I’m always impressed by how many router admin interfaces are accessible from the web.
    The default logins don’t always work ;) A backdoor like this would make things a lot more “interesting” ….

      1. Justin means that the “backdoor” wasn’t supposed to be in the final shipped product, was supposed to just be used for development and debugging before being removed but someone forgot.

  2. Haven’t had a chance to read the article in full, but I’m fairly sure that binwalk is only used for finding filesystems and the like, and not for doing the actual reading. At least that’s how I use it. If I’m right you might wanna change the description.

  3. Very interesting. I’ve a D-Link IP webcam, DSCG-900, that I’ve been messing around with. Does anybody have any insight into this webcam? I can’t find any custom ROMs for it, which is a pity because it seems to be quite a capable device hardware-wise.

  4. DIR-100 is a slow prehistoric non-WiFi model, so it probably only has 256 or 512K FLASH and limited RAM and doesn’t have the resources to run uClinux-based firmware, i.e. no OpenWRT, Tomato etc.

    If that backdoor is only accessible on the LAN and not the WAN side, it might not be as bad. The intruder would need either physical access or another hack to inject packets into the LAN. If that happens, your LAN would be a greater concern.

  5. “The same string has been found to work on seven D-Link routers (DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and the TM-G5240) and two from Planex (BRL-04UR and BRL-04CW).”
    - http://www.bbc.co.uk/news/technology-24519307

  6. 1) Thanks for helping me, guys, now I will know where to start on breaking your security ;)
    (brand/model of firewall always helps/is necessary in “getting past” it)

    2) If the internet link is 200ms then what the heck will going from 200+10 to 200+1 do?
    aka gigabit instead of 100Mb is useless, unless you have $500/month+ to spend on fiber???
    Last I checked that’s how much residential fiber costs, oh plus the installation, THOUSANDS!

    3) A back door in a home router? THAT IS ILLEGAL IN GERMANY !!!
    (unsecured wifi)
    D-Link will lose the privilege to sell in Germany, or at least get scrutinized
    and newer models will get inspected for more spyware.
    Hey, that might even open a huge can of worms…

    4) (redacted)
