Advertisement
Guest User

Client for the DLink Backdoor, /bin/xmlsetc

a guest
Oct 13th, 2013
7,979
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.55 KB | None | 0 0
  1. Howdy y'all,
  2.  
  3. (These notes will probably be obsolete by the time you read them, but so it
  4. goes. The TL;DR is that /bin/xmlsetc is the client for the D-Link backdoor.)
  5.  
  6. Craig exposed a new D-Link backdoor today, so I took a look at all images
  7. in my local copy of their FTP site. His article describes the backdoor at
  8. the following URL explains how he found it and how to call it. I have
  9. just a little to add.
  10. http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
  11.  
  12. The backdoor seems specific to eight firmware images, which I extracted
  13. from .bix files using binwalk. None of the .bin or .img files seem to contain
  14. the backdoor.
  15.  
  16. % grep roodkcab `find . -name webs`
  17. Binary file ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/webs matches
  18. Binary file ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/webs matches
  19. Binary file ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/webs matches
  20. Binary file ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/webs matches
  21. Binary file ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/webs matches
  22. Binary file ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/webs matches
  23. Binary file ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/webs matches
  24. Binary file ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/webs matches
  25. %
  26.  
  27. In addition to /bin/webs containing the string "xmlset_roodkcableoj28840ybtide",
  28. it also appears in /bin/xmlsetc. Of my eight images, there are only two unique
  29. versions of xmlsetc, while every one of the eight webs copies is distinct.
  30. % md5sum `find . -name xmlsetc` | sort
  31. 5c79f358a60280248098db10d6446528 ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/xmlsetc
  32. 5c79f358a60280248098db10d6446528 ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/xmlsetc
  33. 5c79f358a60280248098db10d6446528 ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/xmlsetc
  34. a443b1455ae3db9a572a685da51fabec ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/xmlsetc
  35. a443b1455ae3db9a572a685da51fabec ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/xmlsetc
  36. a443b1455ae3db9a572a685da51fabec ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/xmlsetc
  37. a443b1455ae3db9a572a685da51fabec ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/xmlsetc
  38. a443b1455ae3db9a572a685da51fabec ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/xmlsetc
  39. % md5sum `find . -name webs` | sort
  40. 07abc2afebb8fb90fd650a30f1f0b789 ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/webs
  41. 46637832adbd4056e97ab38aaaf31da4 ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/webs
  42. 78da0913e50b2deb93bc9fe3a8a8d1cd ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/webs
  43. 8fe0c80d230bf207bfaeb16b70ef8a45 ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/webs
  44. 9318210953eb2dcd6895f091cdc847a1 ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/webs
  45. 9e57fe42a4c1dad21460a13c22356096 ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/webs
  46. e183a94c5f17bb186d663ac915fe71ff ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/webs
  47. ecc427017d2fa3d88faf65fc26d0ab5f ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/webs
  48. %
  49.  
  50. A quick glance at xmlsetc in IDA shows that it is sending the backdoor User-Agent with printf(),
  51. rather than receiving it. Perhaps the backdoor serves some legitimate purpose, and
  52. Mystery Joel is only guilty of incompetence and not of malice?
  53.  
  54. I'm too busy to look further, but I hope you neighbors have fun.
  55.  
  56. Cheers from Philly,
  57. --TG
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement