“The thread then goes into a recvfrom loop, reading up to 128 bytes from the socket. It expects each received UDP packet to be at least 14 bytes in length:””We can see that the thread is expecting a packet with the following structure:”

struct command_packet_t
{
    char magic[10]; // 9 byte magic string ("w302r_mfg"), plus a NULL terminating byte
    char command_byte;
    char command_arg[117];
};

The Tenda Technology backdoor only listens on the LAN and it is not exploitable from the WAN, however hackers can exploit it over the wireless network if the victim has WPS enabled by default with no brute force rate limiting.

The service expects a packet starts with the string “w302r_mfg”, the code then compares the specified command byte against three ASCII characters (’1′, ‘x’, and ‘e’) associated with the following commands:

• ‘e’ – Responds with a pre-defined string, basically a ping test
• ’1′ – Intended to allow you to run iwpriv commands
• ‘x’ – Allows you to run any command, as root