All right. It’s Saturday night, I have no date, a two-liter bottle of Shasta and my all-Rush mix-tape…let’s hack.
On a whim I downloaded firmware v1.13 for the DIR-100 revA. Binwalk quickly found and extracted a SquashFS file system, and soon I had the firmware’s web server (/bin/webs) loaded into IDA:
Based on the above strings listing, the /bin/webs binary is a modified version of thttpd which provides the administrative interface for the router. It appears to have been modified by Alphanetworks (a spin-off of D-Link). They were even thoughtful enough to prepend many of their custom function names with the string “alpha”:
The alpha_auth_check function sounds interesting!
This function is called from a couple different locations, most notably from alpha_httpd_parse_request:
We can see that alpha_auth_check is passed one argument (whatever is stored in register $s2); if alpha_auth_check returns -1 (0xFFFFFFFF), the code jumps to the end of alpha_httpd_parse_request, otherwise it continues processing the request.
Some further examination of the use of register $s2 prior to the alpha_auth_check call indicates that it is a pointer to a data structure which contains char* pointers to various pieces of the received HTTP request, such as HTTP headers and the requested URL:
We can now define a function prototype for alpha_auth_check and begin to enumerate elements of the data structure:
```c
struct http_request_t
{
    char unknown[0xB8];
    char *url;          // At offset 0xB8 into the data structure
};

int alpha_auth_check(struct http_request_t *request);
```
alpha_auth_check itself is a fairly simple function. It does a few strstr’s and strcmp’s against some pointers in the http_request_t structure, then calls check_login, which actually does the authentication check. If the calls to any of the strstr’s / strcmp’s or check_login succeed, it returns 1; else, it redirects the browser to the login page and returns -1:
Those strstr’s look interesting. They take the requested URL (at offset 0xB8 into the http_request_t data structure, as previously noted) and check to see if it contains the strings “graphic/” or “public/”. These are sub-directories under the device’s web directory, and if the requested URL contains one of those strings, then the request is allowed without authentication.
It is the final strcmp however, which proves a bit more compelling:
This is performing a strcmp between the string pointer at offset 0xD0 inside the http_request_t structure and the string “xmlset_roodkcableoj28840ybtide”; if the strings match, the check_login function call is skipped and alpha_auth_check returns 1 (authentication OK).
A quick Google for the “xmlset_roodkcableoj28840ybtide” string turns up only a single Russian forum post from a few years ago, which notes that this is an “interesting line” inside the /bin/webs binary. I’d have to agree.
So what is this mystery string getting compared against? If we look back in the call tree, we see that the http_request_t structure pointer is passed around by a few functions:
It turns out that the pointer at offset 0xD0 in the http_request_t structure is populated by the httpd_parse_request function:
This code is effectively:
```c
// strncasecmp returns 0 when the header name matches (case-insensitively)
if(strncasecmp(header, "User-Agent:", strlen("User-Agent:")) == 0)
{
    // Skip the header name and any spaces/tabs that follow it;
    // the resulting pointer is stored at offset 0xD0 in http_request_t
    request->user_agent = header + strlen("User-Agent:") +
                          strspn(header + strlen("User-Agent:"), " \t");
}
```
Knowing that offset 0xD0 in http_request_t contains a pointer to the User-Agent header, we can now reconstruct the alpha_auth_check function:
```c
#define AUTH_OK   1
#define AUTH_FAIL -1

int alpha_auth_check(struct http_request_t *request)
{
    if(strstr(request->url, "graphic/") ||
       strstr(request->url, "public/") ||
       strcmp(request->user_agent, "xmlset_roodkcableoj28840ybtide") == 0)
    {
        return AUTH_OK;
    }
    else
    {
        // These arguments (the pointers at offsets 0xC and 0xE0) are probably user/pass or session info
        if(check_login(request->unknown_0xC, request->unknown_0xE0) != 0)
        {
            return AUTH_OK;
        }
    }

    return AUTH_FAIL;
}
```
In other words, if your browser’s user agent string is “xmlset_roodkcableoj28840ybtide” (no quotes), you can access the web interface without any authentication and view/change the device settings (a DI-524UP is shown, as I don’t have a DIR-100 and the DI-524UP uses the same firmware):
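As an added example (not code from the original post or from the D-Link firmware), here is a defender-side classifier in C that parses a raw HTTP request the way the reconstructed httpd_parse_request does (case-insensitive header name, whitespace skipped) and reports which of the alpha_auth_check shortcuts the request would trigger, so the indicator can be checked against captured traffic or logs. The magic User-Agent value and the "graphic/" / "public/" prefixes are the ones recovered above; the function names, flag values and sample requests are constructed here, and stopping the URL at "?" follows the author's note in the comments that the query string is not part of the compared URL.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp, as used by the reversed parser */

/* Added example, not code from the original post or the firmware. The
 * function names, FLAG_* values and sample requests are constructed. */

#define BACKDOOR_UA "xmlset_roodkcableoj28840ybtide"
#define MAX_FIELD   512

#define FLAG_PUBLIC_PATH 0x1   /* URL contains graphic/ or public/ */
#define FLAG_BACKDOOR_UA 0x2   /* User-Agent equals the magic string */

/* Copy the path from the request line ("GET /path?query HTTP/1.1").
 * The post reports that only the path, not the query string, is compared,
 * so the copy stops at '?'. */
static int extract_url(const char *req, char *out, size_t outlen)
{
    const char *start = strchr(req, ' ');
    if (!start) return 0;
    start++;
    size_t n = strcspn(start, " ?\r\n");
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, start, n);
    out[n] = '\0';
    return 1;
}

/* Mirror httpd_parse_request as reconstructed in the post: the header name is
 * matched with strncasecmp, so "user-agent:" counts too, and the value begins
 * after the name plus any spaces or tabs. Copies the value up to end of line. */
static int extract_user_agent(const char *req, char *out, size_t outlen)
{
    static const char name[] = "User-Agent:";
    const char *line = strpbrk(req, "\r\n");   /* end of the request line */
    while (line) {
        line += strspn(line, "\r\n");          /* start of the next header */
        if (*line == '\0') break;              /* blank line: headers are over */
        if (strncasecmp(line, name, sizeof name - 1) == 0) {
            const char *val = line + (sizeof name - 1);
            val += strspn(val, " \t");
            size_t n = strcspn(val, "\r\n");
            if (n >= outlen) n = outlen - 1;
            memcpy(out, val, n);
            out[n] = '\0';
            return 1;
        }
        line = strpbrk(line, "\r\n");
    }
    return 0;
}

/* Return the FLAG_* bits this request would set in alpha_auth_check. */
int classify_request(const char *req)
{
    char url[MAX_FIELD] = "", ua[MAX_FIELD] = "";
    int flags = 0;
    if (extract_url(req, url, sizeof url) &&
        (strstr(url, "graphic/") || strstr(url, "public/")))
        flags |= FLAG_PUBLIC_PATH;
    /* strcmp: the match is exact, a trailing character defeats it */
    if (extract_user_agent(req, ua, sizeof ua) && strcmp(ua, BACKDOOR_UA) == 0)
        flags |= FLAG_BACKDOOR_UA;
    return flags;
}

/* 1 if the reversed logic never reaches check_login for this request. */
int webs_skips_login(const char *req)
{
    return classify_request(req) != 0;
}

/* Constructed sample requests (not captured from a real device). */
static const char *const SAMPLES[] = {
    "GET / HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    "user-agent:\t" BACKDOOR_UA "\r\nAccept: */*\r\n\r\n",
    "GET /public/index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    "User-Agent: " BACKDOOR_UA "\r\n\r\n",
    "GET /?public/ HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
};

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        int f = classify_request(SAMPLES[i]);
        printf("request %zu: flags=0x%x%s%s -> %s\n", i, f,
               (f & FLAG_PUBLIC_PATH) ? " public-path" : "",
               (f & FLAG_BACKDOOR_UA) ? " backdoor-ua" : "",
               f ? "check_login skipped" : "check_login required");
    }
    return 0;
}
```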
Based on the source code of the HTML pages and some Shodan search results, it can be reasonably concluded that the following D-Link devices are likely affected:
- DIR-100
- DIR-120
- DI-624S
- DI-524UP
- DI-604S
- DI-604UP
- DI-604+
- TM-G5240
Additionally, several Planex routers also appear to use the same firmware:
- BRL-04R
- BRL-04UR
- BRL-04CW
You stay classy, D-Link.
UPDATE:
The ever neighborly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, “Don’t worry, for I have a cunning plan!”.
Also, several people have reported in the comments that some versions of the DIR-615 are also affected, including those distributed by Virgin Mobile. I have not yet verified this, but it seems quite reasonable.
UPDATE #2:
Arbitrary code execution is also possible, thanks to the backdoor. Proof of concept.
WOW,
really works..
tested against one of the ip listed in shodanHQ!
http://imageshack.us/photo/my-images/14/wikq.png/
It’s said in the Russian forum post:
Try to read the string backwards.
xmlset_roodkcableoj28840ybtide
😉
Edit by 04882 joel backdoor
joelbackdoor actually
Wow, this is insane, changing your user-agent to backdoor will gain you access.
I wonder on how many firmwares this (type of) backdoor is added.
(maybe the same string “xmlset_roodkcableoj28840ybtide” or with any other string)
«xmlset_roodkcableoj28840ybtide» «editby04882joelbackdoor_teslmx»
http://habrahabr.ru/post/197314/#comment_6843864
I think it is old backdoor :
http://forum.codenet.ru/q58748/%D0%BF%D0%B5%D1%80%D0%B5%D0%B1%D0%BE%D1%80+%D0%BB%D0%BE%D0%B3%D0%B8%D0%BD%D0%BE%D0%B2+-+%D0%B4%D0%B0%D0%B9%D1%82%D0%B5+%D1%81%D0%BE%D0%B2%D0%B5%D1%82
last post.
Sorry it is linked in the article 😉
Why use this made-in-China crap at all? I stopped using it more than 5 years ago after discovering the IP list of a DDoS network in the firmware of one of the FXS devices.
Because it’s cheap, easy and does the job most people need it to.
Yea, you can buy cheap and easy exploits with it, nothing more 😉
Who said american-based software/hardware are bug free ? US products are severely bugged/under surveillance more than any other country would ever do !
Do you honestly think that anyone cares about the fact that you are not affected by this?
Hear, hear! We should only use good ol’ Made-in-the-USA routers so we can be sure it’s just the NSA spying on us and not those dirty foreigners!
‘MERICA!
Those that are afraid of NSA should make own routers and write own firmware – this is the only right jedi way
“Those that are afraid of NSA should make own routers and write own firmware”
oh I see, so it’s okay to trust NSA since it’s an american agency, but not country X? fuck u, u stupid american twat, fuck your usa internet backbone and fuck your nsa prism. no country should spy on anyone, got that retard.
@ ‘sfinx is a born again as$h0le’
Sure, no nation-state should spy on anyone. The real world is war is made on each other, that is via electronic means, including routers. Including on all continents. The NSA would be letting the side down if they DIDN’T meet, for example, the Russians, the Chinese / potential cyber-terrorists out there in the field of cyberspace.
The real issue is the same as ever: who watches the watchers? Enforcing respect for Democratic principles, law, when it comes to conflict between the Citizen’s rights, universal human rights, like the right to freedom of thought, expression of that thought, and assembly (lawful political activity). The massive power that such weak security on most devices hands the NSA (and other agents) then corrupts massively. That is the real battle, if you follow and respect what the likes of Edward Snowden are supposed to be saying. Watch Snowden and Enemy Of The State, for Hollywood’s simple, but clear examples of the problem. The latter was released in 1997 (!).
Joel doesn’t sound very chinese to me
Neither does John, yet John Lee is the CEO.
And a quick search also digs up a “Joel Liu” and a “Joel Lee”, who seem somewhat affiliated with alphanetworks. But that’s probably fake, because it is well known that Chinese parents always pick a Chinese name for their children.
Sorry, wrong link, try John Lee
Not necessarily fake. These days, many Chinese people adopt a Western name (usually American) that they use when talking to foreigners. I guess foreigners’ pronunciation of Chinese names is so bad that Chinese people can barely notice you’re referring to them (happened to me when in China). That, or the guy thinks John’s a cool name.
Stop thinking that English/Christian names are only for people in Europe, America or Australia. Christianity exists in all parts of the world, including China and India, and hence the first names of some people from many countries are not what you want them to sound like.
Who says the backdoor is placed by china? Could as well be placed there by a D-Link developer in the original image sent to production.
*i meant “by Chinese goverment”
D-link is a taiwanese company imbecile. So it’s made-in-taiwan crap.
I wonder if this succeeds from outside even if outside management is disabled?
Are you serious? If RMGMT is disabled, any outside attempt to even connect to the interface is rejected, so of course not.
Have you tried to connect with remote management disabled? I agree that in theory you should not be able to but….
Also, if a password is enabled, all attempts without passwords are rejected, so this backdoor doesn’t exist.
lol…i don’t think you understand the meaning of BACK DOOR…if password is enabled it goes into that LOOP and if it sees an agent string…poof
Interesting question about RMGMT though
a lot of these d-link routers are facing the web and have an “admin admin” login. you can enable telnet on em too.
You just seriously pissed of the NSA
Nice find!
On a sidenote, how did you go about downloading your router’s firmware? I can only seem to find articles about updating firmware when I search, nothing about downloading it.
To update the router’s firmware, you usually have to download it from the vendor’s support website. And that file can be reverse engineered like explained above.
So to block this backdoor, we need to patch the firmware binary to set that string (in two places) to some other random string, and patch it to pass bootup checksum (or just disable checksum checking).
I’m good with the first part, but the second part I don’t have yet. Anyone?
All the more reason to start adopting openwrt/ddwrt/tomato etc. Hard to believe this slid under the radar so long.. dir100 did you say? Ha!
Nice work Craig.
And appending “public/” somewhere in the URL (like in the query string), does that bypass the authentication too?
No, as far as I can tell the “public/” and “graphic/” strings have to be in the URL itself, not in the query string. IIRC, the server checks for directory traversal too.
My DSL-2650U seems to be unaffected by this specific one, fortunately.
Your unit probably has an updated string, but still has this vulnerability. It would be worth capturing your current firmware and running this same analysis on it.
Well, if this was a plot by Kevin to frame Joel so he could become tech lead when the backdoor was found, he surely was playing a loooong game.
My plans for world domination !!!!
Also works on the DIR-615. Just checked.
Awesome! Any idea which hardware revision? DIR-615 has had a ton of different hardware revs.
Works on my DIR-615 too firmware 1.00VG – supplied by virgin media (my isp) here in the UK
HW Version C1, Firmware 3.13NA
Never mind, it appears I was mistaken. The router was caching the login session for insane amounts of time.
Not affected.
Is there anything about this in the supplied sources?
Also find some clues at DLink’s GPL source code:
http://tsd.dlink.com.tw/downloads2008list.asp?t=1&OS=GPL&SourceType=download
For example, the GPL code of DI-524UP contains config.log,
which includes these magic strings DBACKDOOR_SIGNATURE & DXMLSET_BACKDOOR_USER_AGENT
https://gist.github.com/ccpz/6960941
Knowing now what to look for, both the backdoor key and Joel (judging by the source code comments, obviously a developer at Alphanetworks) can be found all over that source package
couldn’t confirm this on d-link 655
This is most likely a backdoor for the installer CD, though it’s a mystery as to why they don’t use simple HTTP authentication.
That was my first thought too, but after some searching it looks like a lot of the affected devices don’t come with those “auto-setup wizard” tools.
Also the D-Link DIR-655 is confirmed to be vulnerable to this type of attack.
Sorry…. Is not.
When the session is still active you can re-login with any password. This confused me.
DIR-655 is not affected by this.
Excellent article. Makes me want to dig into some binaries.
Holy shit!
Good job, man! That’s one heck of reverse engineering. Wondering if D-Link updates their firmware soon in response to this.
My guess is probably not. Most of the affected devices seem to be older and have been end-of-lifed, so people still using them are SOL.
D-Link:
http://www.dlink.com/uk/en/support/security
It seems they are on to it.
The updates that are currently on that site address older vulnerabilities, though D-Link has said that they will be posting firmware updates for these affected devices by October 31.
Just changed the name of my neighbors router to “bigblackdix”.
Your server, or page, is ignoring user requests for desktop view on mobiles – tested with Firefox and AOSP on Android 4.3.
Your articles have forcibly disabled zoom, so the images are not entirely visible from phones.
just double click the images
if you double click the code windows you can scroll to the side
On my phone in any browser, double-clicking images scales them, but does not scale them to useful sizes. Most of the images on this page (for example) are shown in a choice of 1/4 screen width or full screen width. The screen is 2.25 inches wide.
On the desktop with Firefox 24.0, ctrl+ and ctrl- work here.
On my Android phone I can confirm your problem in Opera. Even in mobile view, pinch-zooming isn’t working.
Please could someone check with your devices, seems you do not need to use any ‘backdoor’ feature there.
Seems it is enough to have ‘public/’ or ‘graphic/’ substring in the URL, something like:
IP/public/..
or perhaps
IP/?public/
I don’t think this will work. The ‘graphic/’ and/or ‘public/’ strings need to be in the requested URL (not the query string), and the server checks for directory traversal elsewhere in the http request parser. I did some preliminary (but not complete) testing without any luck.
Just checked on a DI-604 (not 604S, 604UP, 604+…) — it does NOT work on the plain DI-604.
Same here, using plain 604, firmware V3.14, Thu, Dec 15 2005:
```
wget -U 'xmlset_roodkcableoj28840ybtide' http://x.x.x.x:8888/public/
--2013-11-01 16:08:58-- http://x.x.x.x:8888/public/
Connecting to x.x.x.x:8888... connected.
HTTP request sent, awaiting response... 404 OK
2013-11-01 16:04:58 ERROR 404: OK.
```
Can anyone recommend a *nix debugger that I could use to play around with the D-Link firmware? Looks like there is an IDA version for Linux, but you really need the Pro version, which costs a ton.
radare2 radare.org
GDB also works well, and there’s a nice gdbinit script for MIPS here: https://github.com/zcutlip/gdbinit-mips
no BSD version so it’s basically useless
Are you saying there’s no radare2 for BSD or no GDB for BSD? I thought both were available for the BSD platform.
Of course radare2 is available on BSD 🙂
Great work!
Good analysis. Does this remain in subsequent firmwares? (v1.13 was deprecated in 2006)
```
$ unsquashfs 9DB90.squashfs /tmp/9DB90/
Reading a different endian SQUASHFS filesystem on 9DB90.squashfs
Parallel unsquashfs: Using 4 processors
gzip uncompress failed with error code -3
read_block: failed to read block @0xfe1c5
read_fragment_table: failed to read fragment table block
FATAL ERROR aborting: failed to read fragment table
```
:'(
Good job man, openwrt is the only way.
These are all phased-out routers, except for the DIR-100 in the EU (which is not sold in the USA), that are no longer in development nor marketed and may not see any fixes for this. I notice also that there are no newer-gen routers listed or tested for this hack either. If you’re concerned about this, I recommend that you phone your regional D-Link support office and inquire to check whether your model router is actually affected by this.
Yes, the affected routers all appear to be older models. Probably no longer supported, so they won’t be getting firmware updates.
I guess you could try contacting D-Link. I doubt they will know what devices are affected though. They don’t write the firmware anyway, and based on my previous interactions they have no way of tracking which devices use the same, or similar, firmware.
I’m trying to duplicate your work and found that the SquashFS filesystem is compressed with LZMA (not LZMA2/XZ), which is no longer supported. I cannot find a way to decompress it. How did you mount it?
I used the unsquashfs-2.1-r2 utility in the firmware-mod-kit (https://code.google.com/p/firmware-mod-kit/).
Got it. Thanks! Great work!
Good work.
Checking:
DIR-615 Hardware Version: E3 Firmware Version: 5.10
Does not appear to have this vulnerability.
For an internal-use backdoor they should have checked the IP address of the client.
It’s much harder to fake 127.0.0.1
Yes, this is why there’s the concept of Bind. Say for example you have a FTP server on a machine with 2 network adapters (say, a router…). You just bind it to 192.168.0.1 and prevent the WAN from accessing. Or you can specify localhost (127.0.0.1) in most applications, and it’ll only accept loopback connections.
Technically, you can have more than one IP address per physical Ethernet connector, so even the 2nd adapter is optional. As an example, VMWare and the like have features like that.
Yeah you’re right some special and reserved IP addresses like 127.0.0.1 should in general be neither routed nor indeed even route-able on most hardware (other than DLINK’s of course HAHA…)
D-Link 100, firmware 1.13 [most recent] rev. A, supplied by T-Systems in the Czech Republic.
status : confirmed and working.
nice job, man!
It seems there are/have been a few more router vulnerabilities discovered earlier this year, including password issues:
http://www.h-online.com/security/news/item/Lots-of-router-vulnerabilities-not-many-patches-1800471.html
http://www.h-online.com/security/news/item/D-Link-fixes-router-vulnerabilities-very-quietly-1816873.htmls
http://sekurak.pl/tp-link-httptftp-backdoor/
http://www.h-online.com/security/news/item/Critical-vulnerabilities-in-numerous-ASUS-routers-1918469.html
http://arstechnica.com/security/2013/03/cisco-switches-to-weaker-hashing-scheme-passwords
This appeared to work once with a DLINK 2640R but only when I entered the xmlset_roodkcableoj28840ybtide User string in IE9 and used compatibility mode. Then for no reason it stopped again.
Does not work on my DI-524
Request:
```
GET / HTTP/1.1
Host: 192.168.1.2
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: xmlset_roodkcableoj28840ybtide
Accept-Encoding: gzip,deflate,sdch
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
```
Response:
```
HTTP/1.0 401 NG
WWW-Authenticate: Basic realm="DI-524"
```
But this has taught me to buy a new router anyway. Fritzbox?? Any suggestions?
Well, I have a DIR-100 and it doesn’t work for me for some reason. (I changed the UA in the Chrome Settings and tested the changes on a website that displays the UA)
Hardware Version : E1 Firmware Version : v4.00TP
I believe that only hardware revision A1 is affected.
I have tried it with DI-524 but this backdoor doesn’t work.
Firmware Version: V2.06-orange , Wed, Jul 25 2007
I also can’t confirm for DI-524 Rev B (firmware version: V2.07DE, Tue, March 18 2008) with deactivated remote management when accessing the device from internal LAN using the given user agent string. I only get the normal login popup.
Confirmed that DIR-632, hardware version A1, firmware version 1.02, is not vulnerable.
Phew!
Great work, Craig.
That’s why you should use OpenWrt.
My DIR-619L is also affected, firmware version is 1.15.
Nice write-up!
And +1 for the Futurama reference.
any chance these are related to the images verizon used to put on the dlink routers they used to hand out with FiOS?
heh
Here is a nice collection of d-link oem source code. http://sourceforge.net/projects/officialdlinkfirmware/files/
I’m working on adding all of the affected ones to this list plus as many others as possible.
Doesn’t work on my DIR-615 (bought about 18 months ago in Australia, retail)
Sooner I ditch the thing, though, the happier I’ll be
Firmware version 3.01-tomizone-1.0.2
doesn’t work on my Iphone 5S
DIR-815, Hardware Version : B1, Firmware Version : 2.00 is not affected
yeha DD WRT helps a lot… 🙁 they built their backdoor there too
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=62146
login: Alphanetworks
password: wrgg19_c_dlwbr_dir300
more on this page
read more here
http://www.s3cur1ty.de/node/687
@John Martyn
See also:
http://sekurak.pl/hp-laserjet-pro-printers-remote-admin-password-extraction/ (August, 2013)
and this:
http://sekurak.pl/more-information-about-tp-link-backdoor/
DIR-615 Hardware Version: B2 Firmware Version: 2.23 seems to be OK.
Tested on DI-524 firmware version 3.00 (Jul 31 2007). It doesn’t work.
Backdoors on D-Link, including this one, were posted on codenet.ru more than 3 years ago
The article contains a link to a codenet.ru forum post which mentions the backdoor string, if that’s what you are talking about.
However, unless Google translate is failing me, they were just looking at strings in /bin/webs (as well as other files) in an effort to discover a telnet login on a DI-524UP. The forum contains no further analysis of /bin/webs and no mention of how to use the backdoor string.
russian people don’t usually say much. they leave things as riddles. you’ll notice this if you talk to them.
Riddle solved. 😉
DI-604+ not vulnerable xD
Which firmware version? I have confirmed that at least the DI-604+ v1.04 is vulnerable.
Interesting, as I have a DIR-857 with Hardware Version A1 and Firmware version 1.03.
The Python script with the Proof of Concept seems to return HTTP 404. I imagine that should be translated to the attempted ping having failed.
Am I right?
Definitely Sum Tin Wong
Pingback: VU#248083: D-Link routers authenticate administrative access using specific User-Agent string
Hey,
is there any chance that your reverse-engineering skills gives me a hint, how to decode the config.bin (the downloadable router settings) of the di-524?
TIA!
Rembrandt
I can take a look. Which hardware/firmware version of the DI-524 are you looking at? And do you have a sample config.bin file?
I just have the config.bin – but I think it’s the DI-524UP with a firmware from 2008 / 2009.
You can download the firmware here:
https://copy.com/0M9C6moZUEVS
This is a gzipped file with 4 bytes slapped in front of it (maybe a checksum?). Get rid of those first four bytes and you should be able to gunzip it like any other gzipped file.
Thanks a lot! (Of course) You’re right! How did you discover it?
I just ran binwalk against the config.bin file. In fact, if you run binwalk with the -e option, it will extract the gzipped file for you. 😉
Got a Linksys router and think you’re safe? Even changed the default user name and password? Or perhaps you turned off remote sign-in in order to be safer?
Type in 192.168.1.1 or even your remote IP address (the one your ISP has assigned you), since that is what anyone else would use to reach you…..
user name: root
password: admin
or
user name: root
password: root
Your user name and password doesn’t mean anything. Depending on your model, you just logged in as root, by passing whatever user name and password you had before (and on some models even if you had remote log-in turned off).
References? List of affected models/firmware?
Do you know what would be nice? Keep this backdoor hidden for some time and analyse the sources of requests carrying this ‘magic string’ to your router. 😛
According to a Chinese website, D-Link’s management ordered a security review of their products in April 2013 and assured customers that their products are secure. So why is there still a backdoor in October 2013? It is hard to trust such products in future.
http://www.pcpop.com/doc/0/901/901590.shtml
April 2013
CNVD (the National Information Security Vulnerability Sharing Platform) issued a security advisory to consumers stating that three router models from a certain brand contained backdoor vulnerabilities; hackers could exploit them to take full control of the router and steal online-banking passwords and QQ, Weibo and online-game account credentials, putting the private information of more than 70% of users at risk of exposure. To prevent similar incidents, senior management at the well-known router brand D-Link personally ordered overtime to thoroughly inspect all router products currently on sale, to ensure the security of its products and protect the privacy of the brand’s users. After several consecutive days of overtime testing by staff, all routers, including the “Cloud series”, were declared secure and free of vulnerabilities, giving worried D-Link users peace of mind.
In April 2013 D-Link senior management personally ordered overtime to thoroughly inspect all router products on sale,
and in October there is still a backdoor??????
D-Link management ordered a full inspection of all products in April, and in October there is still a backdoor??
Where can I get Shasta?
different strokes for different folks
I keep getting an error when I try to get (/bin/webs) loaded into IDA.
“Can not set the target processor type ‘mipsb’ ”
Any ideas?
What IDA license do you have? The free/standard versions of IDA don’t support MIPS; you need IDA Pro (formerly IDA Pro Advanced).
ohhh, I see… Alright, thank you.
I’ve got three D-Link routers and I can confirm they do have this problem… aargh! Why did they put this backdoor in them?
See the UPDATE section in the article. It’s a feature, not a bug. 🙂
Have you tested a URL like “router/images/../page.cgi”?
I hope you understand what I mean.
IIRC, the CGI pages aren’t actually separate files on disk; the web server just checks the requested URL and invokes the appropriate function handler, so directory traversal attacks aren’t applicable in this case.
The download link is down… can anyone re-upload it? Please.
How did you get this running in an emulator? I have been playing around with a whole collection of router firmwares and running them in qemu but this particular one has some finicky and proprietary code that prevents it from running.
Nice work Craig! I’m so glad I don’t use D-Link’s stuff.
Could you reverse-engineer AMD’s firmware for their R9 270X card? I’m trying to only use GNU software, but my old CRT monitor is making my eyes hurt because there’s no proprietary firmware loaded and thus it reaches only 60 Hz.
Here’s the download link: https://packages.debian.org/jessie/firmware-linux-nonfree
Backdoors on D-Link, including this one
Great article. Keep it up!
I want to extract the SquashFS from the firmware, so I used the binwalk -e command, but there is nothing in the extracted directory. Could you help me?