
Taking off the blindfold: Detecting persistent threats on Draytek edge devices

DEFCONConference · 35:42

This talk demonstrates techniques for reverse engineering proprietary firmware on Draytek SOHO routers to identify and exploit vulnerabilities. The researchers analyze the firmware's custom compression and dynamic kernel module (DLM) loading mechanisms to achieve persistent code execution. They release a tool, 'draytek-arsenal', to facilitate firmware extraction, modification, and re-packaging for security research. The presentation concludes with a proof-of-concept demonstration of an SSH backdoor and a proposed mitigation strategy using in-memory integrity checking.

Breaking Into Draytek Routers: Exploiting Custom Firmware and Dynamic Kernel Modules

TLDR: Researchers at DEF CON 2024 demonstrated how to achieve persistent code execution on Draytek SOHO routers by reverse engineering their proprietary firmware and dynamic kernel module (DLM) loading mechanism. By crafting a malicious DLM, an attacker can bypass authentication and maintain persistence even after firmware updates or configuration resets. This research highlights the critical danger of security through obscurity in edge devices and provides a new tool, draytek-arsenal, for security professionals to audit these devices.

Edge devices are the forgotten backdoors of modern infrastructure. While security teams obsess over cloud configurations and endpoint detection, a single misconfigured router at the network perimeter can grant an attacker a permanent foothold. The recent research presented at DEF CON 2024 regarding Draytek Vigor routers proves that proprietary, closed-source firmware is not a security feature; it is merely a hurdle that keeps defenders in the dark while attackers do the work to find the gaps.

The Mechanics of the DLM Backdoor

At the heart of the vulnerability is how these routers handle extensibility. Draytek devices use a real-time operating system (RTOS) that supports dynamic kernel modules. These modules are not just simple drivers; they are full-blown ELF binaries that the router loads into memory at runtime. The researchers discovered that the firmware update process for these modules is fundamentally broken.

The router does not perform cryptographic verification of the modules it loads. When a user uploads a new module through the web interface, the device simply accepts it. Because the router loads these modules into the same memory space as the core RTOS, a malicious module has unrestricted access to the system.

The researchers developed a proof-of-concept SSH backdoor by hooking the ssh_account_and_ldap_auth function. By replacing the standard authentication logic with a custom hook, they could intercept login attempts. If the provided credentials matched a hardcoded value, the hook would return a success code, granting access. If not, it would transparently pass the request to the original authentication function, ensuring the backdoor remained invisible to legitimate users.
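The in-memory integrity check the talk proposes as a mitigation, written here as an added example and not the researchers' code: take per-function SHA-256 baselines of the loaded code right after a trusted boot, re-hash later, and report which function's bytes changed. The memory layout and the two extra symbol names are assumptions; only ssh_account_and_ldap_auth comes from the talk.

```python
import hashlib

# Constructed stand-in for the router's code region: a bytearray playing the role
# of RTOS memory, plus a symbol table of name -> (offset, size). The first name is
# the function the talk's backdoor hooks; the other two and the layout are assumptions.
SYMBOLS = {
    "ssh_account_and_ldap_auth": (0x00, 64),
    "web_upload_dlm":            (0x40, 48),   # hypothetical name
    "dlm_loader":                (0x70, 80),   # hypothetical name
}

def build_memory(size: int = 0x100) -> bytearray:
    """Deterministic pseudo-random bytes standing in for loaded machine code (constructed)."""
    out = bytearray()
    block = 0
    while len(out) < size:
        out += hashlib.sha256(b"fake-rtos-code-%d" % block).digest()
        block += 1
    return out[:size]

def snapshot(memory: bytearray, symbols: dict) -> dict:
    """Per-function SHA-256 baseline, taken right after a trusted boot."""
    return {name: hashlib.sha256(bytes(memory[off:off + size])).hexdigest()
            for name, (off, size) in symbols.items()}

def verify(memory: bytearray, symbols: dict, baseline: dict) -> list:
    """Re-hash every function and return the names whose code no longer matches."""
    current = snapshot(memory, symbols)
    return sorted(name for name in symbols if current[name] != baseline[name])

def simulate_prologue_patch(memory: bytearray, symbols: dict, name: str, patch: bytes) -> None:
    """Model the effect of a hooking module: the target's first bytes are replaced.
    The bytes are placeholders, not real instructions; this exists only so the
    integrity check has something to detect."""
    off, size = symbols[name]
    if len(patch) > size:
        raise ValueError("patch larger than function")
    memory[off:off + len(patch)] = patch

if __name__ == "__main__":
    mem = build_memory()
    baseline = snapshot(mem, SYMBOLS)
    print("clean boot:", verify(mem, SYMBOLS, baseline))   # []
    simulate_prologue_patch(mem, SYMBOLS, "ssh_account_and_ldap_auth", b"\xde\xad\xbe\xef")
    print("after hook:", verify(mem, SYMBOLS, baseline))   # ['ssh_account_and_ldap_auth']
```

On a real device the baseline would be anchored in something the attacker cannot rewrite from a loaded module (a signed manifest or a hardware root of trust); a baseline stored in the same memory the module can write is only as strong as the module's manners.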

Reverse Engineering the Firmware Format

Extracting this firmware is not as simple as running binwalk. Draytek uses a custom compression algorithm based on a modified version of LZ4 with a proprietary frame format. The researchers had to reverse engineer this format to extract the individual components, including the bootloader, the RTOS kernel, and the DLM section.

To automate this, they released draytek-arsenal, a Python-based toolkit. This tool handles the heavy lifting of parsing the firmware headers, decompressing the modules, and re-packaging them. For those interested in the binary structure, the researchers used Kaitai Struct to define the firmware layout, which allows for language-agnostic parsing of the binary blobs.

The following command demonstrates how the tool identifies the kernel loading address, a prerequisite for any further analysis or modification:

python3 -m draytek_arsenal find_loading_addr /path/to/rtos.bin

Once the loading address is known, an attacker can use the tool to inject their own code into the DLM section, effectively turning the router into a persistent command-and-control node.

Real-World Impact and Exploitation

For a pentester, these devices are high-value targets. They are often deployed in small-to-medium business environments where they are left unpatched for years. The vulnerabilities identified—ranging from stack-based buffer overflows to insecure password storage—are classic examples of Broken Authentication and Injection flaws.

During an engagement, if you encounter a Draytek device, do not assume it is secure just because it is a "business-grade" router. Check the firmware version against the vendor's security advisories. If the device is exposed to the WAN, it is likely already being scanned by automated botnets looking for these exact flaws. The ability to upload a custom DLM means that even if you gain temporary access, you can ensure that your presence survives a reboot, making it a perfect target for long-term persistence.

Defensive Strategies for Edge Security

Defenders must stop treating edge devices as "set and forget" infrastructure. The most effective mitigation is to restrict management interfaces to local, trusted networks. If remote management is required, it must be protected by a VPN, never exposed directly to the internet.

Furthermore, organizations should implement network-level monitoring to detect anomalous traffic patterns originating from these devices. A router that suddenly starts initiating outbound connections to unknown IPs or attempting to scan internal network segments is a clear indicator of compromise. Vendors must also move toward implementing secure boot chains and mandatory code signing for all dynamic modules. Without these controls, the device is essentially running arbitrary code provided by whoever happens to reach the management port first.
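The network-level indicators named above, turned into a small detection routine as an added example (not from the talk or the draytek-arsenal project): flows where the router itself is the source are checked against an allowlist of external hosts, and router-originated connections to many distinct ports on one internal host are flagged as an internal scan. The router address, allowlist, threshold and flow records are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

ROUTER_IP = "192.168.1.1"                                      # constructed
INTERNAL = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]
# External hosts the router legitimately contacts (e.g. NTP, vendor updates); constructed.
ALLOWED_EXTERNAL = {"203.0.113.10", "198.51.100.5"}
SCAN_PORT_THRESHOLD = 10   # distinct ports on one internal host within the window

# Constructed sample flow records: (src, dst, dport). Not captured from a real device.
SAMPLE_FLOWS = [
    ("192.168.1.1", "203.0.113.10", 123),     # NTP, allowlisted
    ("192.168.1.1", "198.51.100.5", 443),     # update host, allowlisted
    ("192.168.1.1", "192.0.2.77", 8443),      # unknown external host
    ("192.168.1.20", "192.0.2.99", 443),      # a LAN client, not the router: ignored
] + [("192.168.1.1", "192.168.1.50", p)
     for p in (21, 22, 23, 25, 80, 135, 139, 443, 445, 3389, 8080)]

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)

def analyze(flows, router_ip: str = ROUTER_IP) -> list:
    """Return human-readable findings for router-originated traffic only."""
    unknown_external = set()
    ports_per_host = defaultdict(set)
    for src, dst, dport in flows:
        if src != router_ip:
            continue                      # only the edge device's own connections matter here
        if is_internal(dst):
            ports_per_host[dst].add(dport)
        elif dst not in ALLOWED_EXTERNAL:
            unknown_external.add(dst)
    findings = [f"router initiated outbound connection to non-allowlisted host {dst}"
                for dst in sorted(unknown_external)]
    for dst, ports in sorted(ports_per_host.items()):
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(f"router probed {len(ports)} distinct ports on internal host {dst}")
    return findings

if __name__ == "__main__":
    for line in analyze(SAMPLE_FLOWS):
        print("ALERT:", line)
```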

The research into Draytek devices is a stark reminder that complexity is the enemy of security. When vendors build proprietary, undocumented systems, they are not protecting their users; they are simply making it harder for the good guys to find the bugs before the bad guys do. If you are auditing these devices, start with the draytek-arsenal repository and look for other undocumented hooks in the DLM loading process. There is almost certainly more to find.

Talk Type: research presentation
Difficulty: advanced
Category: iot security
Has Demo · Has Code · Tool Released


Conference: DEF CON 32 (2024)