Reverse Engineering a D-Link Backdoor (devttys0)

All right. It's Saturday night, I have no date, a two-liter bottle of Shasta and my all-Rush mix tape... let's hack.

On a whim I downloaded the firmware for the DIR-100 rev A. Binwalk quickly found and extracted a SquashFS file system, and soon I had the firmware's web server binary, /bin/webs, loaded into IDA.

[Figure: Strings inside /bin/webs]

Based on the above strings listing, the /bin/webs binary is a modified version of thttpd which provides the administrative interface for the router. It appears to have been modified by Alphanetworks, a spin-off of D-Link. They were even thoughtful enough to prepend many of their custom function names with the string "alpha":

[Figure: Alphanetworks' custom functions]

The alpha_auth_check function sounds interesting. This function is called from a couple of different locations, most notably from alpha_httpd_parse_request:

[Figure: Function call to alpha_auth_check]

We can see that alpha_auth_check is passed one argument, whatever is stored in register s. If it returns FFFFFFFF, the code jumps to the end of alpha_httpd_parse_request; otherwise it continues processing the request.

Further examination of how register s is used shows that it points to a data structure holding elements of the HTTP request, such as the HTTP headers and the requested URL. We can now define a function prototype for alpha_auth_check and begin to enumerate elements of the data structure, starting with a char *url member at offset 0xB8 into the structure.

alpha_auth_check does a few strstrs and strcmps against some pointers in the http_request_t structure, then calls check_login, which actually does the authentication check. If any of the strstrs, strcmps or check_login succeed, it returns AUTH_OK (1); otherwise it redirects the browser to the login page and returns AUTH_FAIL.

[Figure: alpha_auth_check code snippet]

Those strstrs look interesting. They take the requested URL (at offset 0xB8 into the http_request_t structure, as previously noted) and check whether it contains the strings "graphic" or "public". These are sub-directories under the device's web directory, and if the requested URL contains one of those strings anywhere (strstr is a substring match, not a prefix match), the request is allowed without authentication.

It is the final strcmp, however, which proves a bit more compelling:

[Figure: An interesting string comparison in alpha_auth_check]

This is performing a strcmp between the string pointer at offset 0xD0 inside the http_request_t structure and the string "xmlsetroodkcableoj". A quick Google for that string turns up a Russian forum post from a few years ago, which notes that this is an interesting line inside the /bin/webs binary. I'd have to agree.

So what is this mystery string getting compared against? If we look back in the call tree, we see that the http_request_t structure pointer is passed around by a few functions. It turns out that the pointer at offset 0xD0 in the http_request_t structure is populated by the httpd_parse_request function:

[Figure: httpd_parse_request checks for the User-Agent HTTP header and populates http_request_t+0xD0 with a pointer to the User-Agent header string]

This code is effectively:

    if (strstr(header, "User-Agent:") != NULL)
    {
        http_request_t->0xD0 = header + strlen("User-Agent:") + strspn(header, " \t");
    }

Knowing that offset 0xD0 in http_request_t contains a pointer to the User-Agent header, we can now reconstruct the alpha_auth_check function. With AUTH_OK defined as 1 and AUTH_FAIL as the failure value, it returns AUTH_OK if the URL contains "graphic" or "public", or if the User-Agent string equals "xmlsetroodkcableoj"; otherwise it calls check_login on two fields of the request structure (at offsets 0xC and 0xE0, which are probably user/pass or session info) and returns AUTH_OK if that check succeeds, or AUTH_FAIL if it does not.

In other words, if your browser's user agent string is "xmlsetroodkcableoj", alpha_auth_check returns AUTH_OK and the request is processed without any authentication.

[Figure: Accessing the admin page of a DI-524UP (a DI-524UP is shown, as I don't have a DIR-100; the DI-524UP uses the same firmware)]

Based on the source code of the HTML pages and some Shodan search results, it can be reasonably concluded that the following D-Link devices are likely affected: DIR-100, DIR-120, DI 6. S, DI-524UP, DI 6. S, DI-604UP, DI 6., TM G5. 24. Additionally, several Planex routers also appear to use the same firmware.

You stay classy, D-Link.

UPDATE: The ever-neighborly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device's settings (for example, dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device's settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, "Don't worry, for I have a cunning plan!"

Also, several people have reported in the comments that some versions of the DIR 6. from Virgin Mobile are also affected. I have not yet verified this, but it seems quite reasonable.

UPDATE 2: Arbitrary code execution is also possible, thanks to the backdoor.

[Figure: Proof of concept]
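A request-log check for the two bypass conditions described above, added here as an example (it is not code from the post or from the firmware): it parses a raw HTTP request and reports whether alpha_auth_check, as reconstructed, would skip check_login. The hostname, paths and sample requests are constructed, and the magic User-Agent value is used exactly as it appears on this page.

```python
# Added detection example, not code from the original post or firmware.
MAGIC_UA = "xmlsetroodkcableoj"      # value taken verbatim from this page's rendering
OPEN_DIRS = ("graphic", "public")    # alpha_auth_check uses strstr(): substring, not prefix


def parse_request(raw: str):
    """Split a raw HTTP request into (method, url, lowercase-keyed headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, url, headers


def bypass_reason(raw: str):
    """Return why the reconstructed alpha_auth_check would skip check_login,
    or None if the request would still reach the real login check."""
    _method, url, headers = parse_request(raw)
    for sub in OPEN_DIRS:
        if sub in url:  # strstr(): '/admin.html?x=public' matches too, not only /public/
            return f"url contains '{sub}'"
    if headers.get("user-agent") == MAGIC_UA:
        return "magic user-agent"
    return None


def scan(requests):
    """Return [(index, reason)] for every request that would bypass authentication."""
    hits = []
    for i, raw in enumerate(requests):
        reason = bypass_reason(raw)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample requests (hostname and paths are made up for this example).
SAMPLES = [
    "GET /public/logo.gif HTTP/1.1\r\nHost: router.lan\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /admin.html HTTP/1.1\r\nHost: router.lan\r\nUser-Agent: xmlsetroodkcableoj\r\n\r\n",
    "GET /admin.html?x=public HTTP/1.1\r\nHost: router.lan\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /admin.html HTTP/1.1\r\nHost: router.lan\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLES):
        print(f"request {idx}: auth bypass via {why}")
```

Only the last sample reaches check_login; the third shows why a substring match on the URL is a poor access-control primitive.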