Howdy y'all,

(These notes will probably be obsolete by the time you read them, but so it
goes. The TL;DR is that /bin/xmlsetc is the client for the D-Link backdoor.)

Craig exposed a new D-Link backdoor today, so I took a look at all images
in my local copy of their FTP site. His article at the following URL describes
the backdoor and explains how he found it and how to call it. I have just a
little to add.

http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

The backdoor seems specific to eight firmware images, which I extracted
from .bix files using binwalk. None of the .bin or .img files seem to contain
the backdoor.

% grep roodkcab `find . -name webs`
Binary file ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/webs matches
Binary file ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/webs matches
%

In addition to /bin/webs containing the string "xmlset_roodkcableoj28840ybtide",
it also appears in /bin/xmlsetc. Of my eight images, there are only two unique
versions of xmlsetc, while every one of the eight webs copies is distinct.

% md5sum `find . -name xmlsetc` | sort
5c79f358a60280248098db10d6446528 ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/xmlsetc
5c79f358a60280248098db10d6446528 ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/xmlsetc
5c79f358a60280248098db10d6446528 ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/xmlsetc
a443b1455ae3db9a572a685da51fabec ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/xmlsetc
a443b1455ae3db9a572a685da51fabec ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/xmlsetc
a443b1455ae3db9a572a685da51fabec ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/xmlsetc
a443b1455ae3db9a572a685da51fabec ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/xmlsetc
a443b1455ae3db9a572a685da51fabec ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/xmlsetc
% md5sum `find . -name webs` | sort
07abc2afebb8fb90fd650a30f1f0b789 ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/webs
46637832adbd4056e97ab38aaaf31da4 ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/webs
78da0913e50b2deb93bc9fe3a8a8d1cd ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/webs
8fe0c80d230bf207bfaeb16b70ef8a45 ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/webs
9318210953eb2dcd6895f091cdc847a1 ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/webs
9e57fe42a4c1dad21460a13c22356096 ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/webs
e183a94c5f17bb186d663ac915fe71ff ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/webs
ecc427017d2fa3d88faf65fc26d0ab5f ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/webs
%

A quick glance at xmlsetc in IDA shows that it is sending the backdoor User-Agent with printf(),
rather than receiving it. Perhaps the backdoor serves some legitimate purpose, and
Mystery Joel is only guilty of incompetence and not of malice?

I'm too busy to look further, but I hope you neighbors have fun.

Cheers from Philly,
--TG
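An added example, not part of TG's note and not D-Link code: a POSIX shell script that turns the grep/md5sum triage above into a repeatable scan over a whole directory of binwalk-extracted images. For every webs and xmlsetc binary it records the MD5 and whether the full indicator string is present, then counts how many distinct builds of each binary exist, which is the pattern TG used to notice that xmlsetc comes in two versions while webs comes in eight. The binwalk directory layout, the presence of md5sum in $PATH, and the fake two-image tree the script builds when run without arguments are assumptions; the sample files are constructed, only the indicator string is real.

```shell
#!/bin/sh
# Added example (not from TG's note): triage a directory of binwalk-extracted
# firmware trees for the backdoor indicator string, the way the grep/md5sum
# commands in the note did by hand. Assumes binwalk's layout
# (_<image>.extracted/squashfs-root/bin/...) and an md5sum in $PATH.

INDICATOR='xmlset_roodkcableoj28840ybtide'

# scan_tree DIR
# For every webs or xmlsetc binary under DIR, print one line:
#   <md5>  <hit|miss>  <path>
# -a treats the ELF binary as text so grep tests the bytes instead of
# printing "Binary file ... matches"; -F matches the indicator literally,
# and the full string is used rather than the "roodkcab" substring.
scan_tree() {
    find "$1" -type f \( -name webs -o -name xmlsetc \) | sort |
    while IFS= read -r f; do
        if grep -q -a -F "$INDICATOR" "$f"; then verdict=hit; else verdict=miss; fi
        sum=$(md5sum "$f" | cut -d' ' -f1)
        printf '%s  %s  %s\n' "$sum" "$verdict" "$f"
    done
}

# count_hits DIR: how many scanned binaries carry the indicator.
count_hits() {
    scan_tree "$1" | grep -c '  hit  ' || true
}

# unique_variants DIR NAME: number of distinct builds (by MD5) of binary NAME.
# In TG's corpus this gives 2 for xmlsetc and 8 for webs.
unique_variants() {
    find "$1" -type f -name "$2" -exec md5sum {} + | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# make_sample DIR: build a constructed, fake tree so the script runs offline.
# These are not real firmware files; only the layout and the indicator are real.
make_sample() {
    mkdir -p "$1/_A.bix.extracted/squashfs-root/bin" "$1/_B.bix.extracted/squashfs-root/bin"
    # image A: both webs and xmlsetc contain the indicator
    printf '\177ELF fake webs build A\n%s\n' "$INDICATOR" > "$1/_A.bix.extracted/squashfs-root/bin/webs"
    printf '\177ELF fake xmlsetc\nUser-Agent: %s\n' "$INDICATOR" > "$1/_A.bix.extracted/squashfs-root/bin/xmlsetc"
    # image B: a different webs build without the indicator, same xmlsetc as A
    printf '\177ELF fake webs build B\n' > "$1/_B.bix.extracted/squashfs-root/bin/webs"
    printf '\177ELF fake xmlsetc\nUser-Agent: %s\n' "$INDICATOR" > "$1/_B.bix.extracted/squashfs-root/bin/xmlsetc"
}

# Usage: sh scan.sh /path/to/extracted   (scan a real tree of binwalk output)
#        sh scan.sh                      (scan the constructed sample tree)
if [ "$#" -gt 0 ]; then
    root=$1
else
    root=$(mktemp -d) && make_sample "$root"
fi
scan_tree "$root"
for n in webs xmlsetc; do
    printf '%s: %s distinct build(s)\n' "$n" "$(unique_variants "$root" "$n")"
done
[ "$#" -gt 0 ] || rm -rf "$root"
```

A hit only says the string is present in the file. As the note points out, xmlsetc contains it because it sends the User-Agent, so a string match alone does not tell you whether a binary is the server that honours the backdoor or a client that uses it; the MD5 grouping is what lets you pick one representative of each build to open in a disassembler instead of all of them.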