Reverse Engineering a D-Link Backdoor

All right. It’s Saturday night, I have no date, a two-liter bottle of Shasta and my all-Rush mix-tape…let’s hack.

On a whim I downloaded firmware v1.13 for the DIR-100 revA. Binwalk quickly found and extracted a SquashFS file system, and soon I had the firmware’s web server (/bin/webs) loaded into IDA:

Strings inside /bin/webs

Based on the above strings listing, the /bin/webs binary is a modified version of thttpd which provides the administrative interface for the router. It appears to have been modified by Alphanetworks (a spin-off of D-Link). They were even thoughtful enough to prepend many of their custom function names with the string “alpha”:

Alphanetworks' custom functions

The alpha_auth_check function sounds interesting!

This function is called from a couple different locations, most notably from alpha_httpd_parse_request:

Function call to alpha_auth_check

We can see that alpha_auth_check is passed one argument (whatever is stored in register $s2); if alpha_auth_check returns -1 (0xFFFFFFFF), the code jumps to the end of alpha_httpd_parse_request, otherwise it continues processing the request.

Some further examination of the use of register $s2 prior to the alpha_auth_check call indicates that it is a pointer to a data structure which contains char* pointers to various pieces of the received HTTP request, such as HTTP headers and the requested URL:

$s2 is a pointer to a data structure

We can now define a function prototype for alpha_auth_check and begin to enumerate elements of the data structure:

struct http_request_t
{
    char unknown[0xB8];
    char *url; // At offset 0xB8 into the data structure
};

int alpha_auth_check(struct http_request_t *request);

alpha_auth_check itself is a fairly simple function. It does a few strstr’s and strcmp’s against some pointers in the http_request_t structure, then calls check_login, which actually does the authentication check. If the calls to any of the strstr’s / strcmp’s or check_login succeed, it returns 1; else, it redirects the browser to the login page and returns -1:

alpha_auth_check code snippet

Those strstr’s look interesting. They take the requested URL (at offset 0xB8 into the http_request_t data structure, as previously noted) and check to see if it contains the strings “graphic/” or “public/”. These are sub-directories under the device’s web directory, and if the requested URL contains one of those strings, then the request is allowed without authentication.

It is the final strcmp however, which proves a bit more compelling:

An interesting string comparison in alpha_auth_check

This is performing a strcmp between the string pointer at offset 0xD0 inside the http_request_t structure and the string “xmlset_roodkcableoj28840ybtide”; if the strings match, the check_login function call is skipped and alpha_auth_check returns 1 (authentication OK).

A quick Google for the “xmlset_roodkcableoj28840ybtide” string turns up only a single Russian forum post from a few years ago, which notes that this is an “interesting line” inside the /bin/webs binary. I’d have to agree.

So what is this mystery string getting compared against? If we look back in the call tree, we see that the http_request_t structure pointer is passed around by a few functions:

call_graph

It turns out that the pointer at offset 0xD0 in the http_request_t structure is populated by the httpd_parse_request function:

Checks for the User-Agent HTTP header

Populates http_request_t + 0xD0 with a pointer to the User-Agent header string

This code is effectively:

if(strncasecmp(header, "User-Agent:", strlen("User-Agent:")) == 0)
{
    /* skip the header name, then any spaces/tabs after the colon */
    value = header + strlen("User-Agent:");
    http_request_t->0xD0 = value + strspn(value, " \t");
}

Knowing that offset 0xD0 in http_request_t contains a pointer to the User-Agent header, we can now re-construct the alpha_auth_check function:

#define AUTH_OK 1
#define AUTH_FAIL -1

int alpha_auth_check(struct http_request_t *request)
{
    if(strstr(request->url, "graphic/") ||
       strstr(request->url, "public/") ||
       strcmp(request->user_agent, "xmlset_roodkcableoj28840ybtide") == 0)
    {
        return AUTH_OK;
    }
    else
    {
        // Members at offsets 0xC and 0xE0 of http_request_t (not yet
        // identified); these are probably user/pass or session info
        if(check_login(request->field_0xC, request->field_0xE0) != 0)
        {
            return AUTH_OK;
        }
    }

    return AUTH_FAIL;
}
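
The parsing and the check described above, as an added example that is not part of the original post and not the firmware's code: a small C program of my own with a cut-down http_request_t, a constructed check_login and constructed sample requests. It extracts the URL and the User-Agent the way the article describes httpd_parse_request doing it, runs the reconstructed check against the result, and beside it a hardened check of my own design that takes nothing from request headers and matches the unauthenticated directories as path prefixes rather than as substrings of the whole URL. The sample requests, the credentials and the hardened design are assumptions, not the vendor's code or fix.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

#define AUTH_OK    1
#define AUTH_FAIL -1

/* Stand-in for http_request_t (real offsets: url 0xB8, user_agent 0xD0). */
struct http_request_t {
    char url[256];
    char user_agent[256];
    const char *user;   /* stand-ins for whatever check_login reads */
    const char *pass;
};

/* Constructed sample requests, CRLF-terminated as on the wire. */
const char SAMPLE_BACKDOOR_REQUEST[] =
    "GET /tools_admin.php HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    "user-agent:   xmlset_roodkcableoj28840ybtide\r\n\r\n";
const char SAMPLE_PUBLIC_REQUEST[] = "GET /public/style.css HTTP/1.1\r\nHost: r\r\n\r\n";
const char SAMPLE_QUERY_TRICK_REQUEST[] = "GET /tools_admin.php?x=public/ HTTP/1.1\r\n\r\n";

/* Extract the URL and User-Agent as the article describes httpd_parse_request:
   case-insensitive header-name match, then skip spaces/tabs after the colon. */
int parse_request(const char *raw, struct http_request_t *req)
{
    const char *p = raw, *eol, *sp1, *sp2;
    size_t n;

    memset(req, 0, sizeof *req);
    if (!(eol = strstr(p, "\r\n"))) return -1;                   /* request line */
    if (!(sp1 = memchr(p, ' ', (size_t)(eol - p)))) return -1;
    if (!(sp2 = memchr(sp1 + 1, ' ', (size_t)(eol - sp1 - 1)))) return -1;
    n = (size_t)(sp2 - sp1 - 1);
    if (n == 0 || n >= sizeof req->url) return -1;
    memcpy(req->url, sp1 + 1, n);

    for (p = eol + 2; *p && strncmp(p, "\r\n", 2) != 0; p = *eol ? eol + 2 : eol) {
        if (!(eol = strstr(p, "\r\n"))) eol = p + strlen(p);    /* header line */
        if (strncasecmp(p, "User-Agent:", 11) == 0) {
            const char *v = p + 11;
            v += strspn(v, " \t");
            n = (size_t)(eol - v);
            if (n >= sizeof req->user_agent) n = sizeof req->user_agent - 1;
            memcpy(req->user_agent, v, n);
            req->user_agent[n] = '\0';
        }
    }
    return 0;
}

/* Stand-in for check_login with constructed credentials. */
static int check_login(const char *user, const char *pass)
{
    return user && pass && strcmp(user, "admin") == 0 && strcmp(pass, "s3cret") == 0;
}

/* The check as reconstructed in the article: the User-Agent match skips
   check_login, and "graphic/" / "public/" may appear anywhere in the URL. */
int alpha_auth_check_vuln(const struct http_request_t *r)
{
    if (strstr(r->url, "graphic/") || strstr(r->url, "public/") ||
        strcmp(r->user_agent, "xmlset_roodkcableoj28840ybtide") == 0)
        return AUTH_OK;
    return check_login(r->user, r->pass) ? AUTH_OK : AUTH_FAIL;
}

/* Hardened form (this example's design, not a vendor fix): no request header can
   satisfy the check, the open directories must be a prefix of the path (query
   string ignored), and a URL containing ".." is never treated as public. */
int auth_check_hardened(const struct http_request_t *r)
{
    static const char *const open_prefixes[] = { "/graphic/", "/public/" };
    size_t path_len = strcspn(r->url, "?");
    for (size_t i = 0; i < sizeof open_prefixes / sizeof open_prefixes[0]; i++) {
        size_t n = strlen(open_prefixes[i]);
        if (path_len >= n && strncmp(r->url, open_prefixes[i], n) == 0 &&
            strstr(r->url, "..") == NULL)
            return AUTH_OK;
    }
    return check_login(r->user, r->pass) ? AUTH_OK : AUTH_FAIL;
}

/* Parse a raw request, attach optional credentials (NULL for none) and run one
   of the two checks. Returns AUTH_OK, AUTH_FAIL, or 0 on a parse error. */
int check_request(const char *raw, const char *user, const char *pass, int hardened)
{
    struct http_request_t req;
    if (parse_request(raw, &req) != 0) return 0;
    req.user = user; req.pass = pass;
    return hardened ? auth_check_hardened(&req) : alpha_auth_check_vuln(&req);
}

int main(void)
{
    printf("backdoor UA, no credentials: vulnerable=%d hardened=%d\n",
           check_request(SAMPLE_BACKDOOR_REQUEST, NULL, NULL, 0),
           check_request(SAMPLE_BACKDOOR_REQUEST, NULL, NULL, 1));
    return 0;
}
```

Run it with any C99 compiler: the reconstructed check returns AUTH_OK for a request carrying nothing but the User-Agent string, while the hardened one returns AUTH_FAIL until real credentials are attached. The query-string request is the case raised in the comments further down: the reconstructed strstr accepts "public/" anywhere in the URL, and only other checks elsewhere in the server's parser (which the author says exist) stand in the way, whereas a prefix match on the path closes that gap by itself.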

In other words, if your browser’s user agent string is “xmlset_roodkcableoj28840ybtide” (no quotes), you can access the web interface without any authentication and view/change the device settings (a DI-524UP is shown, as I don’t have a DIR-100 and the DI-524UP uses the same firmware):

Accessing the admin page of a DI-524UP
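
The detection side of the same fact, as an added example that is not from the original post: because the firmware's test is a plain strcmp on the User-Agent value, a request whose User-Agent equals the string exactly is a use of the backdoor, and no legitimate browser sends it. The C program below, my own code, scans constructed Apache combined-format log lines (what a gateway or reverse proxy in front of the device might write; nothing is assumed about the device's own logging), extracts the last quoted field as the User-Agent, counts exact matches and reports the source address of the first hit. The log lines, addresses and format are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* The exact User-Agent value alpha_auth_check compares against. */
#define BACKDOOR_UA "xmlset_roodkcableoj28840ybtide"

/* Constructed sample lines in Apache "combined" format; the last quoted
   field is the User-Agent. The curl line only contains the string. */
const char *const SAMPLE_LOG[] = {
    "192.168.0.10 - - [12/Oct/2013:21:05:01 -0400] \"GET /index.html HTTP/1.1\" 200 1843 \"-\" \"Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0\"",
    "203.0.113.7 - - [12/Oct/2013:21:05:09 -0400] \"GET /tools_admin.php HTTP/1.1\" 200 5120 \"-\" \"xmlset_roodkcableoj28840ybtide\"",
    "192.168.0.10 - - [12/Oct/2013:21:06:30 -0400] \"GET /public/style.css HTTP/1.1\" 200 310 \"http://192.168.0.1/\" \"Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0\"",
    "203.0.113.7 - - [12/Oct/2013:21:07:44 -0400] \"POST /tools_admin.php HTTP/1.1\" 200 5120 \"-\" \"xmlset_roodkcableoj28840ybtide\"",
    "198.51.100.23 - - [12/Oct/2013:21:08:02 -0400] \"GET / HTTP/1.1\" 401 0 \"-\" \"curl/7.29.0 xmlset_roodkcableoj28840ybtide\"",
    "not a log line",
};
const size_t SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

/* Copy the first space-delimited field (the client address) into buf. */
int extract_client(const char *line, char *buf, size_t buflen)
{
    size_t n = strcspn(line, " ");
    if (n == 0 || n >= buflen) return -1;
    memcpy(buf, line, n);
    buf[n] = '\0';
    return 0;
}

/* Copy the last double-quoted field into buf. Returns 0, or -1 when the line
   has fewer than two quotes or the field does not fit. */
int extract_user_agent(const char *line, char *buf, size_t buflen)
{
    const char *end = strrchr(line, '"');
    const char *start;
    size_t n;
    if (!end || end == line) return -1;
    for (start = end - 1; start > line && *start != '"'; start--)
        ;
    if (*start != '"') return -1;
    n = (size_t)(end - start - 1);
    if (n >= buflen) return -1;
    memcpy(buf, start + 1, n);
    buf[n] = '\0';
    return 0;
}

/* 1 if the line's User-Agent is exactly the backdoor string. The firmware uses
   strcmp, so only an exact match bypasses authentication; a User-Agent that
   merely contains the string does not, and is not flagged here either. */
int is_backdoor_request(const char *line)
{
    char ua[512];
    if (extract_user_agent(line, ua, sizeof ua) != 0) return 0;
    return strcmp(ua, BACKDOOR_UA) == 0;
}

/* Count backdoor requests in a set of lines; when first_client is non-NULL,
   copy the source address of the first one seen into it. */
int count_backdoor_requests(const char *const *lines, size_t n,
                            char *first_client, size_t buflen)
{
    int hits = 0;
    size_t i;
    if (first_client && buflen) first_client[0] = '\0';
    for (i = 0; i < n; i++) {
        if (!is_backdoor_request(lines[i])) continue;
        if (hits == 0 && first_client)
            extract_client(lines[i], first_client, buflen);
        hits++;
    }
    return hits;
}

int main(void)
{
    char client[64];
    int hits = count_backdoor_requests(SAMPLE_LOG, SAMPLE_LOG_LEN, client, sizeof client);
    printf("%d request(s) used the backdoor User-Agent; first from %s\n", hits, client);
    return 0;
}
```

On the constructed input two lines match, both from the same non-LAN address; a request from such an address to the administrative interface would on its own be worth alerting on if remote management is meant to be off. Whether to widen the match to "contains the string" is a tuning choice: it catches scanners and variants, at the price of no longer mirroring what the firmware actually accepts.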

Based on the source code of the HTML pages and some Shodan search results, it can be reasonably concluded that the following D-Link devices are likely affected:

  • DIR-100
  • DIR-120
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

Additionally, several Planex routers also appear to use the same firmware:

  • BRL-04R
  • BRL-04UR
  • BRL-04CW

You stay classy, D-Link.

UPDATE:

The ever neighborly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, “Don’t worry, for I have a cunning plan!”.
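
One of the comments below (Jasen, #51) makes the point that an internal-use path like this should have been tied to the connecting client's address rather than to a header the client chooses. As an added example of that check, my own code and not from the post or the firmware, the C function below decides whether a peer sockaddr is the local host, covering IPv4 127.0.0.0/8, IPv6 ::1 and the IPv4-mapped form ::ffff:127.x.x.x that a dual-stack listener sees for a v4 client; a helper converts text addresses for the demonstration. Whether an on-box tool like /bin/xmlsetc would reach the web server over loopback is an assumption; the design point is only that a peer address is filled in by the kernel, not by the request.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* ::ffff:0:0/96 prefix and ::1 byte by byte, so no platform macros are needed. */
static const unsigned char V4MAPPED_PREFIX[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
static const unsigned char IN6_LOOPBACK_ADDR[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};

/* 1 if the peer address is the local host (127.0.0.0/8, ::1, or an IPv4-mapped
   127.x address), 0 for anything else or an unsupported address family. */
int peer_is_loopback(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
        return (ntohl(s4->sin_addr.s_addr) >> 24) == 127;
    }
    if (sa->sa_family == AF_INET6) {
        const unsigned char *b = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
        if (memcmp(b, IN6_LOOPBACK_ADDR, 16) == 0) return 1;
        if (memcmp(b, V4MAPPED_PREFIX, 12) == 0) return b[12] == 127;
        return 0;
    }
    return 0;
}

/* Demo helper: parse a text address into a sockaddr and apply the check.
   Returns 1/0 as above, or -1 if the text is not an IP address at all. */
int text_peer_is_loopback(const char *text)
{
    struct sockaddr_in s4;
    struct sockaddr_in6 s6;

    memset(&s4, 0, sizeof s4);
    memset(&s6, 0, sizeof s6);
    if (inet_pton(AF_INET, text, &s4.sin_addr) == 1) {
        s4.sin_family = AF_INET;
        return peer_is_loopback((const struct sockaddr *)&s4);
    }
    if (inet_pton(AF_INET6, text, &s6.sin6_addr) == 1) {
        s6.sin6_family = AF_INET6;
        return peer_is_loopback((const struct sockaddr *)&s6);
    }
    return -1;
}

int main(void)
{
    /* Constructed peer addresses: loopback forms, a LAN client and a WAN client. */
    const char *peers[] = { "127.0.0.1", "::1", "::ffff:127.0.0.1",
                            "192.168.0.10", "203.0.113.7", "::ffff:203.0.113.7" };
    size_t i;
    for (i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-20s loopback=%d\n", peers[i], text_peer_is_loopback(peers[i]));
    return 0;
}
```

In a server this would be applied to the address returned by accept() (or getpeername()) for the connection, before any header is parsed. Binding the internal listener to 127.0.0.1 only, as another comment suggests, is the complementary control: the address check then becomes defence in depth rather than the only barrier.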

Also, several people have reported in the comments that some versions of the DIR-615 are also affected, including those distributed by Virgin Mobile. I have not yet verified this, but it seems quite reasonable.

UPDATE #2:

Arbitrary code execution is also possible, thanks to the backdoor. Proof of concept.

301 Responses to Reverse Engineering a D-Link Backdoor

  1. Julien says:

    WOW,
    really works..
    tested against one of the ip listed in shodanHQ!

  2. Pingback: An interesting backdoor in several D-Link router models | Zaufana Trzecia Strona

  3. Vodka says:

    It’s said in the Russian forum post:
    Try to read the string backwards.

    xmlset_roodkcableoj28840ybtide

    ;)

  4. Equinoxe says:

    Wow, this is insane, changing your user-agent to backdoor will gain you access.
    I wonder on how many firmwares this (type of) backdoor is added.
    (maybe the same string “xmlset_roodkcableoj28840ybtide” or with any other string)

  5. Just for fun says:

    «xmlset_roodkcableoj28840ybtide» «editby04882joelbackdoor_teslmx»

    http://habrahabr.ru/post/197314/#comment_6843864

  6. Sfinx says:

    Why use this made-in-china crap at all? I stopped using it more than 5 years ago after discovering the IP list of the DDOS network in one of the FXS devices’ firmware.

    • Moschops says:

      Because it’s cheap, easy and does the job most people need it to.

    • Ricardo says:

      Do you honestly think that anyone cares about the fact that you are not affected by this?

    • J says:

      Hear, hear! We should only use good ol’ Made-in-the-USA routers so we can be sure it’s just the NSA spying on us and not those dirty foreigners!

      ‘MERICA!

      • Sfinx says:

        Those that are afraid of NSA should make own routers and write own firmware – this is the only right jedi way

        • sfinx is a born again as$h0le says:

          “Those that are afraid of NSA should make own routers and write own firmware”

          oh I see, so it’s okay to trust NSA since it’s an american agency, but not country X? fuck u, u stupid american twat, fuck your usa internet backbone and fuck your nsa prism. no country should spy on anyone, got that retard.

    • dutch says:

      Joel doesn’t sound very chinese to me

      • Vinzent says:

        Neither does John, yet John Lee is the CEO.

        And a quick search also digs up a “Joel Liu” and a “Joel Lee”, who seem somewhat affiliated with alphanetworks. But that’s probably fake, because it is well known that Chinese parents always pick a Chinese name for their children.

        • Vinzent says:

          Sorry, wrong link, try John Lee

        • Denis says:

          Not necessarily fake. These days, many Chinese people adopt a western name (usually American) that they use when talking to foreigners. I guess foreigners’ pronunciation of Chinese names is so bad that Chinese people can barely notice you’re referring to them (happened to me when in China). That, or the guy thinks John’s a cool name.

      • Sam says:

        Stop thinking that English/Christian names are only for people in Europe, America or Australia. Christianity exists in all parts of the world, including China and India, and hence the first names of some people from many countries are not what you want them to sound like.

    • Logix says:

      Who says the backdoor is placed by china? Could as well be placed there by a D-Link developer in the original image sent to production.

    • sfinx is a born again as$h0le says:

      D-link is a taiwanese company imbecile. So it’s made-in-taiwan crap.

  7. Chip says:

    I wonder if this succeeds from outside even if outside management is disabled ?

    • Spyda says:

      Are you serious? If RMGMT is disabled, any outside attempt to even connect to the interface is rejected, so of course not.

      • Bear says:

        Have you tried to connect with remote management disabled? I agree that in theory you should not be able to but….

      • Raptors will eat you says:

        Also, if a password is enabled, all attempts without passwords are rejected, so this backdoor doesn’t exist.

        • lol…i don’t think you understand the meaning of BACK DOOR…if password is enabled it goes into that LOOP and if it sees an agent string…poof

          Interesting question about RMGMT though

  8. josh says:

    a lot of these d-link routers are facing the web and have an “admin admin” login. you can enable telnet on em too.

  9. Pingback: A backdoor in D-Link routers « Korben Korben

  10. Pingback: A backdoor in D-Link routers - Home PC repair Limoges Haute-Vienne 87

  11. Pingback: A backdoor in D-Link routers « My HIGH TECH ideas

  12. Pingback: A backdoor in D-Link routers | Blog about everything and nothing

  13. K.Alexander says:

    You just seriously pissed off the NSA

  14. Scott Arciszewski says:

    Nice find!

    On a sidenote, how did you go about downloading your router’s firmware? I can only seem to find articles about updating firmware when I search, nothing about downloading it.

    • Jens says:

      To update the router’s firmware, you usually have to download it from the vendor’s support website. And that file can be reverse engineered like explained above.

      • Lex says:

        So to block this backdoor, we need to patch the firmware binary to set that string (in two places) to some other random string, and patch it to pass bootup checksum (or just disable checksum checking).
        I’m good with the first part, but the second part I don’t have yet. Anyone?

  15. RForeman says:

    All the more reason to start adopting openwrt/ddwrt/tomato etc. Hard to believe this slid under the radar so long.. dir100 did you say? Ha!

    Nice work Craig.

  16. paztek says:

    And appending “public/” somewhere in the URL (like in the querystring), does that bypass the authentication too ?

    • Craig says:

      No, as far as I can tell the “public/” and “graphic/” strings have to be in the URL itself, not in the query string. IIRC, the server checks for directory traversal too.

  17. Pingback: Reverse Engineering a D-Link Backdoor | Boardmad

  18. Pingback: Reverse Engineering a D-Link Backdoor | Enjoying The Moment

  19. Mantas says:

    My DSL-2650U seems to be unaffected by this specific one, fortunately.

    • playaspec says:

      Your unit probably has an updated string, but still has this vulnerability. It would be worth capturing your current firmware and running this same analysis on it.

  20. Pingback: codescaling | D-Link Backdoor badness

  21. Frank says:

    Well, if this was a plot by Kevin to frame Joel so he could become tech lead when the backdoor was found, he surely was playing a loooong game.

  22. Andrew says:

    Also works on the DIR-615. Just checked.

  23. alois says:

    Is there anything about this in the supplied sources?

  24. ccpz says:

    Also find some clues at DLink’s GPL source code:
    http://tsd.dlink.com.tw/downloads2008list.asp?t=1&OS=GPL&SourceType=download

    For example, the GPL code of DI-524UP contains config.log,
    which includes these magic strings DBACKDOOR_SIGNATURE & DXMLSET_BACKDOOR_USER_AGENT

    https://gist.github.com/ccpz/6960941

    • ollie says:

      Knowing now what to look for, both the backdoor key and Joel (judging by the source code comments, obviously a developer at Alphanetworks) can be found all over that source package

  25. amir says:

    couldn’t confirm this on d-link 655

  26. Joe says:

    This is most likely a backdoor for the installer CD, though it’s a mystery as to why they don’t use simple HTTP authentication.

    • Craig says:

      That was my first thought too, but after some searching it looks like a lot of the affected devices don’t come with those “auto-setup wizard” tools.

  27. orthello says:

    Also the Dlink DIR-655 is confirmed to be vulnerable to this type of attack.

  28. Matt says:

    Excellent article. Makes me want to dig into some binaries.

  29. Deepak says:

    Holy shit!

    Good job, man! That’s one heck of reverse engineering. Wondering if D-Link updates their firmware soon in response to this.

  30. Shane says:

    Just changed the name of my neighbors router to “bigblackdix”.

  31. Barry Kelly says:

    Your server, or page, is ignoring user requests for desktop view on mobiles – tested with Firefox and AOSP on Android 4.3.

    Your articles have forcibly disabled zoom, so the images are not entirely visible from phones.

    • youdontneedthat says:

      just double click the images
      if you double click the code windows you can scroll to the side

      • eekee says:

        On my phone in any browser, double-clicking images scales them, but does not scale them to useful sizes. Most of the images on this page (for example) are shown in a choice of 1/4 screen width or full screen width. The screen is 2.25 inches wide.

    • eekee says:

      On the desktop with Firefox 24.0, ctrl+ and ctrl- work here.

      On my Android phone I can confirm your problem in Opera. Even in mobile view, pinch-zooming isn’t working.

  32. Denis says:

    Please could someone check with your devices, seems you do not need to use any ‘backdoor’ feature there.
    Seems it is enough to have ‘public/’ or ‘graphic/’ substring in the URL, something like:

    IP/public/..

    or perhaps

    IP/?public/

    • Craig says:

      I don’t think this will work. The ‘graphic/’ and/or ‘public/’ strings need to be in the requested URL (not the query string), and the server checks for directory traversal elsewhere in the http request parser. I did some preliminary (but not complete) testing without any luck.

  33. Neal Krawetz says:

    Just checked on a DI-604 (not 604S, 604UP, 604+…) — it does NOT work on the plain DI-604.

  34. bob says:

    can anyone recommend a nix debugger that I could play around with the dlink firmware? Looks like there is an IDA version for linux, but you really need the pro which costs a ton.

  35. darkkal says:

    Great work!

  36. akp says:

    Good analysis. Does this remain in subsequent firmwares? (v1.13 was deprecated in 2006)

  37. leoj says:

    $ unsquashfs 9DB90.squashfs /tmp/9DB90/

    Reading a different endian SQUASHFS filesystem on 9DB90.squashfs
    Parallel unsquashfs: Using 4 processors
    gzip uncompress failed with error code -3
    read_block: failed to read block @0xfe1c5
    read_fragment_table: failed to read fragment table block
    FATAL ERROR aborting: failed to read fragment table

    :'(

  38. jmp says:

    Good job man, openwrt is the only way.

  39. DJ says:

    These are all phased-out routers, except for the DIR-100 in the EU, which is not sold in the USA; they are no longer in development nor marketed and may not see any fixes for this. I notice also that there are no newer-gen routers listed or tested for this hack either. If you’re concerned about this, I recommend that you phone your regional D-Link support office and inquire whether your model of router is actually affected by this.

    • Craig says:

      Yes, the affected routers all appear to be older models. Probably no longer supported, so they won’t be getting firmware updates.

      I guess you could try contacting D-Link. I doubt they will know what devices are affected though. They don’t write the firmware anyway, and based on my previous interactions they have no way of tracking which devices use the same, or similar, firmware.

  40. Phil says:

    I’m trying to duplicate your work and found that the SquashFS filesystem is compressed with LZMA (not LZMA2/XZ), which is no longer supported. I cannot find a way to decompress it. How did you mount it?

  41. Pingback: Unsurprisingly, backdoors are found not only in TP-Link but also in… | Die wunderbare Welt von Isotopp

  42. Pingback: A backdoor in D-Link routers | Lepuil Lepuil

  43. Pingback: An NSA-style backdoor in D-Link devices

  44. Pingback: ste williams – Back door found in D-Link routers

  45. Pingback: Reverse Engineering a D-Link Backdoor – /dev/ttyS0 | Boardmad

  46. Pingback: d-link router users - security issue - Pelican Parts Technical BBS

  47. Pingback: Backdoor found in D-Link router firmware code

  48. Pingback: rushengine.com | Backdoor found in D-Link router firmware code

  49. James says:

    Good work.
    Checking:
    DIR-615 Hardware Version: E3 Firmware Version: 5.10

    Does not appear to have this vulnerability.

  50. Pingback: D-Link router 'backdoor' - www.hardwarezone.com.sg

  51. Jasen says:

    for an internal-use backdoor they should have checked the
    IP-address of the client.

    It’s much harder to fake 127.0.0.1

    • Joe Whitehead says:

      Yes, this is why there’s the concept of Bind. Say for example you have an FTP server on a machine with 2 network adapters (say, a router…). You just bind it to 192.168.0.1 and prevent the WAN from accessing. Or you can specify localhost (127.0.0.1) in most applications, and it’ll only accept loopback connections.

      Technically, you can have more than one IP address per physical Ethernet connector, so even the 2nd adapter is optional. As an example, VMWare and the like have features like that.

  52. Pingback: Alpha Networks Inc. Want to Backdoor Your Router | Subversive Bytes

  53. mattjs says:

    Yeah you’re right some special and reserved IP addresses like 127.0.0.1 should in general be neither routed nor indeed even route-able on most hardware (other than DLINK’s of course HAHA…)

  54. Pingback: Backdoor detected in D-Link routers - tuexperto.com

  55. Pingback: Cool Math Games » Backdoor found in D-Link router firmware code

  56. rootless rooter says:

    D-Link 100, firmware 1.13 [most recent] rev. A, supplied by T-Systems in Czech rep.
    status : confirmed and working.

    nice nob,man!

  57. I’m extremely impressed with your writing skills as well as with the layout on your weblog. Is this a paid theme or did you modify it yourself? Anyway keep up the excellent quality writing, it is rare to see a nice blog like this one today.

  58. Pingback: Several D-Link router models have a hidden login channel | Webtheboy.com variety website

  59. Peter Hurst says:

    This appeared to work once with a DLINK 2640R but only when I entered the xmlset_roodkcableoj28840ybtide User string in IE9 and used compatibility mode. Then for no reason it stopped again.

  60. Hans Munister says:

    Does not work on my DI-524

    Request:
    ————-
    GET / HTTP/1.1
    Host: 192.168.1.2
    Connection: keep-alive
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    User-Agent: xmlset_roodkcableoj28840ybtide
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
    ————–

    Response:
    ————–
    HTTP/1.0 401 NG
    WWW-Authenticate: Basic realm=”DI-524″
    ————–

    But this has taught me to buy a new router anyway. Fritzbox ?? Any suggestions ?

  61. Pingback: Have a D-Link Router ? You may be compromised | New Technology Update

  62. Pingback: Yebaa.com | D-Link to padlock router backdoor by Halloween

  63. Pingback: D-Link to padlock router backdoor by Halloween

  64. Pingback: D-Link routers have a deliberately implanted backdoor; the management page can be reached without a password | Network Security and Privacy

  65. Pingback: Repost: D-Link routers have a deliberately implanted backdoor; the management page can be reached without a password

  66. someone says:

    Well, I have a DIR-100 and it doesn’t work for me for some reason. (I changed the UA in the Chrome Settings and tested the changes on a website that displays the UA)

    Hardware Version : E1 Firmware Version : v4.00TP

  67. Pingback: Backdoor Found In D-Link Routers - Internet4k : : Internet For Knowledge | Internet4k : : Internet For Knowledge

  68. Pingback: Makl Ndrix » Blog Archive » The closeness of software, and its dangers.

  69. Chupacabras says:

    I have tried it with DI-524 but this backdoor doesn’t work.
    Firmware Version: V2.06-orange , Wed, Jul 25 2007

    • meisjustme says:

      I also can’t confirm for DI-524 Rev B (firmware version: V2.07DE, Tue, March 18 2008) with deactivated remote management when accessing the device from internal LAN using the given user agent string. I only get the normal login popup.

  70. Pingback: Backdoor in D-Link routers - | Indagadores | Computer security | Internet security

  71. DIR-632 owner says:

    Confirmed that DIR-632, hardware version A1, firmware version 1.02, is not vulnerable.

    Phew!

    Great work, Craig.

  72. Stanley Ang says:

    That’s why you should use OpenWrt.

  73. Pingback: Backdoor found in D-Link routers affects millions of users | TecnoGeek – Technology News

  74. Pingback: D-Link to padlock router backdoor by Halloween

  75. danzhu says:

    My DIR-619L is also affected, firmware version is 1.15.

  76. Pingback: D-Link to padlock router backdoor by Halloween : My Creative Directory

  77. Michael says:

    Nice write-up!

    And +1 for the Futurama reference.

  78. Pingback: D-Link routers found to contain backdoor

  79. Pingback: D-Link to padlock router backdoor by Halloween | raynermkx479

  80. Pingback: D-Link to padlock router backdoor by Halloween | abapicukifem

  81. Pingback: Information Technology Fars News

  82. Pingback: D-Link’s backdoor: What else is in there? | elainehendrixes

  83. Pingback: Backdoor found in popular routers - Fria Tider

  84. Pingback: Information Technology Fars News

  85. Pingback: D-Link Routers Compromised: Universal Backdoor Discovered | VPN Creative

  86. akp says:

    any chance these are related to the images verizon used to put on the dlink routers they used to hand out with FiOS?

  87. Lightsword says:

    Here is a nice collection of d-link oem source code. http://sourceforge.net/projects/officialdlinkfirmware/files/
    I’m working on adding all of the affected ones to this list plus as many others as possible.

  88. Pingback: Backdoor found for several D-Link routers | LIVE HACKING

  89. Pingback: Alert:A backdoor found in many D-Link devices allows to bypass authentication | BitCyber Security

  90. Pingback: D-Link to padlock router backdoor by Halloween

  91. Pingback: D-Link’s backdoor: What else is in there? | busypyludose

  92. Pingback: D-Link’s backdoor: What else is in there? | kopudagog

  93. Pingback: Security flaw could allow attackers to take control of D-Link routers - EHads

  94. Pingback: Security flaw could allow attackers to take control of D-Link routers ← Spec My PC.co.uk

  95. excatholica says:

    Doesn’t work on my DIR-615 (bought about 18 months ago in Australia, retail)

    Sooner I ditch the thing, though, the happier I’ll be

  96. Pingback: SL Three ltd, - I.T Support & Business Solutions

  97. Pingback: Security flaw could allow attackers to take control of D-Link routers - techhowto.co

  98. Pingback: D-Link router flaw lets anyone login through “Joel’s Backdoor” | Naked Security

  99. Pingback: D-Link router flaw lets anyone login through "Joel’s Backdoor" » Cyber Crimes Unit | Cyber Crimes Unit

  100. Pingback: IT Blog » Post Topic » Security flaw could allow attackers to take control of D-Link routers

  101. Pingback: BackDoor Found In D-Link Router Firmware Code. | InterViewDvd MagaZine Blog

  102. I-Man says:

    doesn’t work on my Iphone 5S

  103. Pingback: A bug, no, a gross error #DLink | Setec IS

  104. Pingback: ste williams – D-Link router flaw lets anyone login through "Joel’s Backdoor"

  105. Pingback: D-Link Planning to Patch Router Backdoor Bug | Threatpost

  106. Pingback: Backdoor discovered in various D-Link routers | ZDNet.de

  107. Chris says:

    DIR-815, Hardware Version : B1, Firmware Version : 2.00 is not affected

  108. hans says:

    yeah DD WRT helps a lot… :( they built their backdoor there too

    http://www.dd-wrt.com/phpBB2/viewtopic.php?t=62146

    login: Alphanetworks
    password: wrgg19_c_dlwbr_dir300

    more on this page
    read more here
    http://www.s3cur1ty.de/node/687

  109. Pingback: Backdoor Vulnerability Found In D-Link Router

  110. Pingback: D-Link Planning to Patch Router Backdoor Bug « Cyber Security Aid

  111. Pingback: Critical security hole discovered in various D-Link router models - Servaholics

  112. pc2005 says:

    DIR-615 Hardware Version: B2 Firmware Version: 2.23 seems to be OK.

  113. Pingback: Blue Note Tech Blog » D-Link begins fixing router backdoor

  114. Pingback: If you have a D-Link router.... - Page 2 - MotorhomeFun

  115. Pingback: Some D-Link Routers Have Built-In Backdoor…. Yikes! | The IT Nerd

  116. Pingback: Backdoor Vulnerability Found In D-Link Router | World Wide Tech News 24

  117. Pingback: Numerous D-Link Routers have Backdoor in Firmware | CYBER ARMS - Computer Security

  118. Rooster says:

    Tested on DI-524 firmware version 3.00 (Jul 31 2007). It doesn’t work.

  119. Pingback: Alert: DLink routers vulnerable to hackers - Joel Backdoor -

  120. Pingback: Backdoor found in D-Link routers | VorticeSoft

  121. Pingback: D-Link router with a security hole – and I was just about to praise them - Nerd-Supreme

  122. Pingback: Security flaw could allow attackers to take control of D-Link routers | Daily Gadget

  123. Gin says:

    Backdoors on D-Link, including this one, was posted on codenet.ru more than 3 years ago

    • Craig says:

      The article contains a link to a codenet.ru forum post which mentions the backdoor string, if that’s what you are talking about.

      However, unless Google translate is failing me, they were just looking at strings in /bin/webs (as well as other files) in an effort to discover a telnet login on a DI-524UP. The forum contains no further analysis of /bin/webs and no mention of how to use the backdoor string.

  124. RF Engineering in toronto says:

    Intelligent posting by Craig on embedded system. All of above is very beneficial in Rf engineering. Please help me out to clear the concept of Firmware versions also???

  125. Pingback: Time to Upgrade Your D-Link Router! |

  126. Pingback: Back door in D-Link routers - macitynet.it

  127. Pingback: Michael Tsai - Blog - Reverse Engineering a D-Link Backdoor

  128. Pingback: crowmoor.se » Blog Archive » Commercial shortcut

  129. Pingback: ДАВАЙ-ДАВАЙ - Avoiding D-Link forever

  130. PetRose says:

    Interesting, as I have an DIR-857 with Hardware Version A1 with Firmware version 1.03.
    The Python script with the Proof of Concept, seems to return HTTP404. I imagine that should be translated to the attempt of Ping has failed.
    Am I right ?

  131. Pingback: D-Link router flaw lets anyone login through “Joel’s Backdoor” » Cyber Crimes Unit | Cyber Crimes Unit

  132. Glitchdata says:

    Definitely Sum Tin Wong

  133. Pingback: VU#248083: D-Link routers authenticate administrative access using specific User-Agent string

  134. Rembrandt says:

    Hey,

    is there any chance that your reverse-engineering skills gives me a hint, how to decode the config.bin (the downloadable router settings) of the di-524?

    TIA!

    Rembrandt

  135. Pingback: From China, With Love - /dev/ttyS0

  136. Pingback: SoDDing D-Link Backdoor | TechSNAP 132 | Jupiter Broadcasting

  137. arus says:

    Actually no matter if someone doesn’t understand afterward its up to other users that they will assist, so here it happens.

  138. Pingback: D-Link Router Backdoor

  139. Pingback: Hilarious… | Hans Howe

  140. Pingback: Numerous D-LINK routers with a security hole | Presseportal.cc - Free press portal!

  141. Pingback: Links of the week #11 | Sergio Prado’s Blog

  142. Got a Linksys router and think you’re safe? Even changed the default user name and password? Or perhaps you turned off remote sign-in in order to be safer?

    Type in 192.168.1.1 or even your remote IP address (the one your ISP has assigned you), since that is what anyone else would use to reach you…..

    user name: root
    password: admin

    or

    user name: root
    password: root

    Your user name and password doesn’t mean anything. Depending on your model, you just logged in as root, by passing whatever user name and password you had before (and on some models even if you had remote log-in turned off).

  143. Pingback: Backdoor Found In D-Link Routers | Cyber security labs by Cipher Net AB

  144. Pingback: From China, With Love: Tenda's Backdoor - Internet4k : : Internet For Knowledge | Internet4k : : Internet For Knowledge

  145. Pingback: D-Link publishes new firmware that fixes the discovered backdoor

  146. Pingback: Han Jin’s website » Tenda Backdoor

  147. Pingback: D-Link’s backdoor: What else is in there? | brynaocc256

  148. Pingback: Tech Mind #41: Attack on iMessage | EasyPodcast

  149. Pingback: Backdoor in D-Link routers | Chmod Security

  150. Pingback: Backdoor found in D-Link router firmware code | gotutagydo

  151. Pingback: Backdoor found in D-Link router firmware code | idavygeku

  152. Pingback: Backdoor found in D-Link router firmware code | nakygorepu

  153. Pingback: Backdoor found in D-Link router firmware code | nadeanhuo217

  154. Pingback: Backdoor found in D-Link router firmware code | fidelitykjt484

  155. Pingback: Router Backdoors | netwatch

  156. Pingback: D-Link: A backdoor discovered in the brand’s routers | UnderNews

  157. Pingback: Backdoor in a few D-Link routers - kandrei.ro

  158. Pingback: Backdoor found in D-Link router firmware code | End Times News

  159. Pingback: Linux Outlaws 322 – Ubuntu to the Knee | Sixgun Productions

  160. Pingback: #441 RadTech ACpower Compact USB Charger, In Car USB Charger, RadSleevz and ScreenSavrz, Orange Chef iPad Stand « Nosillacast

  161. Pingback: เตือน! พบช่องโหว่เจาะเราท์เตอร์ D-Link

  162. Pingback: les routeur DLINK sont vulnérables | TeraMagazine

  163. Marcos Álvares says:

    Do you know what would be nice? Keep this backdoor hidden for some time and analyse the sources of requests with this ‘magic string’ for your router. :P

  164. Pingback: alerta securitate d-link - OmRau.ro - Blog direct

  165. Pingback: Wireless router security vulnerabilities: Key steps to stop attacks

  166. Pingback: » 我是如何反编译D-Link路由器固件程序并发现它的后门的

  167. Pingback: 逆向工程友讯科技(D-Link)路由器固件后门 | BadBoy

  168. Pingback: >kloctalk | Backdoor in D-Link routers raises questions about handling software security

  169. dling says:

    According to a Chinese website, D-Link’s management ordered a security review of their products in April 2013 and assured customers that their products were secure. So why is there still a backdoor in October 2013? It is hard to trust such products in the future.

    http://www.pcpop.com/doc/0/901/901590.shtml

    April 2013
    CNVD (National Information Security Sharing Platform) issued a security advisory to consumers stating that three router models from a certain brand contained a backdoor vulnerability which hackers could exploit to take full control of the router and steal online banking passwords as well as QQ, Weibo and online-game accounts, putting the private information of more than 70% of users at risk of leakage. To prevent similar incidents, senior management at the well-known router brand D-Link personally ordered staff to work overtime to thoroughly inspect every router product currently on sale, to ensure the security of its products and protect the privacy of the brand’s users. After several consecutive days of overtime testing, all routers, including the “Cloud series”, were declared secure and free of vulnerabilities, giving worried D-Link users peace of mind.

    In April 2013 D-Link’s senior management personally ordered overtime work to thoroughly inspect every router product on sale,
    and in October there is still a backdoor??????

    In April D-Link’s management ordered a thorough inspection of all products, and in October there is still a backdoor??

  170. Pingback: “الشاوي بريس” تنفرد بنشر مشروع قانون المالي الجديد 2014 (نص المشروع كاملا) | Chaoui Press - الشاوي بريس

  171. Pingback: D-Link Router Backdoor Vulnerability – BTA Blog

  172. Pingback: D-link router backdoor | Typing Animal

  173. Pingback: Backdoor em roteadores D-Link | Brain Stacks

  174. Pingback: Reverse Engineering a D-Link Backdoor | The Travelin' Librarian

  175. Pingback: [转] 我是如何反编译D-Link路由器固件程序并发现它的后门的 | 小谢的小站

  176. Pingback: [Repost] Reverse Engineering a D-Link Backdoor | Xie 's Blog

  177. Pingback: 我是如何反编译D-Link路由器固件程序并发现它的后门的 | Kimnote

  178. Pingback: The Weakest Link, Routers and Switches? | Joseph Scott

  179. Pingback: The backdoor present in many D-Link devices allows to bypass authentication | The Cyber Info

  180. Pingback: Security flaw could allow attackers to take control of D-Link routers | Online Free Streaming

  181. Pingback: Una puerta trasera en equipos D-Link al estilo NSA | Anonymous Costa Rica

  182. Pingback: D-Link路由器固件后门漏洞 | 产品经理公社

  183. Pingback: Have a D-Link Router ? You may be compromised | SketWeb

  184. Pingback: Hintertür: D-Link bestätigt Sicherheitslücke in mehreren Routern | Germany News Online

  185. Neville Scollop says:

    Where can I get Shasta?

  186. Pingback: Eksempel på et cyber angreb | Hennings blog

  187. addamb says:

    different strokes for different folks

  188. Pingback: Security flaw could allow attackers to take control of D-Link routers - Noticiarium

  189. Overtim3 says:

    I keep getting an error when I try to get (/bin/webs) loaded into IDA.

    “Can not set the target processor type ‘mipsb’ ”

    Any ideas?

  190. Pingback: 我是如何反编译D-Link路由器固件程序并发现其后门 - IT讯息,最新IT咨询

  191. Pingback: Очередная программная закладка в роутерах D-Link | Домик Миа

  192. Pingback: Petits trous d’équipements : Netgear, Dlink, Tenda - CNIS mag

  193. Pingback: PrimalSec Podcast Episode #3 ← Primal Security Podcast

  194. Pingback: Vulnerability Note VU#248083 – D-Link routers authenticate administrative access using specific User-Agent string | TechWindowZ

  195. Pingback: NSA Spying and Other Topics | lonevoiceblog.com

  196. Pingback: URL

  197. Pingback: 我是如何在腾达路由器固件程序上发现漏洞的 - 博客 - 伯乐在线

  198. Pingback: Otkriven backdoor u D-Link ruterima » Unix Srbija

  199. Pingback: Security Through Obscurity. Not. | Perspectives on Cybersecurity from Learning Tree International

  200. Pingback: Compilado de enlaces | programacion@droope

  201. Pingback: Routers D-Link contienen puerta trasera | HACKERS

  202. Pingback: EE BrightBox router patched - still vulnerable - Scott Helme

  203. Anthony David says:

    I’ve got three D-Link routers and I can confirm they do have this problem… aargh! Why did they put this backdoor in them?

  204. Ten says:

    Have you tested a URL like “router/images/../page.cgi”?

    I hope you understand what I mean.

    • Craig says:

      IIRC, the CGI pages aren’t actually separate files on disk; the web server just checks the requested URL and invokes the appropriate function handler, so directory traversal attacks aren’t applicable in this case.

  205. Pingback: Очередная программная закладка в роутерах D-Link « Домик Миа

  206. kara says:

    The download link is down… who can re-upload it? Please.

  207. Pingback: Researcher Uncovers Backdoor Vulnerability in D-Link Routers - eCoustics.com

  208. Pingback: Routerele D-Link au o vulnerabilitate care permite accesul în pagina de administrare - Securitate IT

  210. Pingback: Have a D-Link Router ? You may be compromised - New Technology Update : New Technology Update

  211. Pingback: How to Use a Custom Firmware on Your Router and Why You Might Want To |

  212. Pingback: In depth: Watching the Watch Dogs: the ethical hackers protecting our smart cities | Techy News Today

  213. Pingback: Reverse Engineering a D-Link BackdoorReverse Engineering a D-Link Backdoor | Programmare Web

  214. Pingback: Backdoor in D-Link Router Could Give Hackers Access to Enterprise Nets - Dice News

  215. Pingback: Judge Spotlight: Sprite_TM

  216. Pingback: Judge Spotlight: Sprite_TM - Tech key | Techzone | Tech data

  217. Pingback: Judge Spotlight: Sprite_TM | Arduino collector blog

  218. Pingback: Judge Spotlight: Sprite_TM | Hack The Planet

  219. Pingback: Unauthorized Access Backdoor found in D-Link router Firmware Code | My great WordPress blog

  220. Pingback: Intrusio Backdoor or not backdoor ?

  221. Pingback: How to Use a Custom Firmware on Your Router and Why You Might Want To | Blogging With Mikey

  222. Pingback: How the NSA (may have) put a backdoor in RSA’s cryptography: A technical primer | GIXtools project

  223. Pingback: Как компания D-Link предоставляет исходные коды прошивок | Zit@i0

  224. Pingback: AVM Fritz!Box root RCE: От патча до модуля Metasploit – Часть 2 | Gens News
