A backdoor present in many D-Link devices allows to bypass authentication

A backdoor present in many D-Link devices allows to bypass authentication

Researcher Craig published an interesting blog post on “/dev/ttyS0” on the reverse engineering of the backdoor present in many D-Link devices.

Today I decided to propose an interesting backdoor analysis published on the blog “/dev/ttyS0” specialized on the embedded device hacking.

The researcher Craig demonstrated the presence of a backdoor within some DLink routers that allows an attacker to access the administration web interface of network devices without any authentication and view/change its settings.

The author of the post found the backdoor inside the firmware v1.13 for the DIR-100 revA. Craig found and extracted the SquashFS file system loading firmware’s web server file system (/bin/webs) into IDA.


Giving a look at the string listing, the Craig’s attention was captured by a modified version of thttpd, the thttpd-alphanetworks/2.23, implemented to provide the rights to the administrative interface for the router. The library is written by Alphanetworks,  a spin-off company of D-Link, analyzing it Craig found many custom functions characterized by a name starting with suffix “alpha” including the alpha_auth_check.

The function is invoked to parse http request in the phase of authentication.

“We can see that alpha_auth_check is passed one argument (whatever is stored in register $s2); if alpha_auth_check returns -1 (0xFFFFFFFF), the code jumps to the end of alpha_httpd_parse_request, otherwise it continues processing the request.”

Analyzing the parameters passed to the function the researcher was able to reconstruct the authentication flow, the function parses the requested URL and check if it contains the strings “graphic/” or “public/”. “graphic/” or “public/” are sub-directories under the device’s web directory, if the requested URL contains one of them the request is passed without authentication.

Another intriguing detail has been found by Craig, the above function ends with a comparison with the specific string “xmlset_roodkcableoj28840ybtide”.



If the code “xmlset_roodkcableoj28840ybtide” is part of the http_request_t structure the check_login function call is skipped and alpha_auth_check returns 1, meaning that the authentication is OK.

Craig decided to search the code “xmlset_roodkcableoj28840ybtide” on Google and discovered traces of it only in one  Russian forum post from a few years ago. Going deep in its analysis Craig was able to piece together the body of the alpha_auth_check:

int alpha_auth_check(struct http_request_t *request)


if(strstr(request->url, “graphic/”) ||

strstr(request->url, “public/”) ||

strcmp(request->user_agent, “xmlset_roodkcableoj28840ybtide”) == 0)


return AUTH_OK;




// These arguments are probably user/pass or session info

if(check_login(request->0xC, request->0xE0) != 0)


return AUTH_OK;




return AUTH_FAIL;


Resuming the reverse engineering for the D-Link Backdoor, if attacker browser user agent string is xmlset_roodkcableoj28840ybtide, he can access the web interface of the D-Link device bypassing authentication procedure and view/change the device settings.

Try to read the string xmlset_roodkcableoj28840ybtide backwards …. it appears as “Edit by 04882 joel backdoor“, very cool.



Craig extended the results of its discovery to many other D-Link devices affected by the same backdoor, the author searched for the code present in the HTML pages on the entire Internet with the Shodan. He searched for the word “thttpd-alphanetworks/2.23”, the modified version of thttpd, retrieving following search results:

after a series of test Craig concluded that the following D-Link devices are likely affected:

  • DIR-100
  • DI-524
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

The researcher discovered also that Planex routers, based on the same firmware, are affected by the flaw.

  • BRL-04UR
  • BRL-04CW

Very intriguing … What do you think about?

(Source: CDM, Pierluigi Paganini, Editor and Chief )

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase