Router Backdoor Listening on TCP-32764 1.0

Direct access on DSL modems from Linksys, Netgear and other vendors.

Watchers:
This resource is being watched by 231 members.
  1. Mr. Penguin
    News Article: Source: Wireless attack backdoor discovered in DSL modems - SC Magazine UK

    And you don't need to reset the modem's configuration to have a root shell.
    And some router are vulnerable from the internet, not only from the LAN.

    Wireless attack backdoor discovered in DSL modems

    French researcher drives a London bus through wireless modem security

    Whilst several vulnerable backdoors in various DSL (broadband) modems were revealed by security researchers last year, would-be hackers required relatively unfettered direct IP access to the device to carry out an attack. Now a French researcher has discovered a series of wireless flaws on DSL modems from Linksys, Netgear and other vendors.

    According to Eloi Vanderbecken, the wireless backdoor effectively gives attackers administration level access by simply resetting the modem's configuration settings, so bypassing the firewall settings of the unit.
    The vulnerability particularly affects public access WiFi services, SCMagazineUK.com notes, since these units are designed to allow password-less access to the unit across wireless channels, prior to logging in. This raises the spectre of a complete takeover of a public access WiFi hotspot and covert monitoring of all user IP traffic as a result.

    Loopholes identified
    Vanderbecken has been developing his research strategy for several weeks (INSERT URL:Eloi Vanderbeken (elvanderb) on Twitter ) but made a major breakthrough over the Christmas period in which he identified a series of common loopholes across several DSL modems.

    In his analysis (INSERT URL: elvanderb/TCP-32764 · GitHub ) the French researcher revealed that he was attempting to code-limit the bandwidth of individual users of his family's Linksys WAS200G DSL modem, but had locked himself out of the wireless admin console.
    This is where it gets interesting, as the researcher discovered he could manage the router via an unusual TCP port (32764) - something that other users, he later found, had also realised.

    After analysing the firmware of the modem (downloaded from the Web), he created a simple interface to send admin commands to the router without being logged in as an administrator, resetting the unit to its default settings.

    Switching to a shell command, he then coded a script to gain access to admin mode - without the admin password - and published the script on to the Github software development service, at which stage other Linksys and Netgear users reported the script worked on their modems.
    Linksys and Netgear say they are investigating the claims.

    Home-use vulnerable
    Nigel Stanley, CEO and analyst of Incoming Thought, the information security consultancy, said that, with the proliferation of broadband technology, many homes and small businesses will be relying on these modems to provide access to the Web.

    "But how on earth can an average user ensure their modem is fully patched and secure from these exploits?" he asked SCMagazineUK.com, adding that, whilst in this case the exploit requires the attacker to be on the local network, he and his team have seen other security flaws that appear to be easier to exploit.

    "Whilst in isolation this may not seem a big problem, imagine if a vulnerable modem was being used by a small supplier to a larger defence or aerospace company? We then start to have interesting conversations about supply chain risk," he noted.

    Peter Wood, CEO of pen testing specialist First Base Technologies, meanwhile, said he has seen this type of security loophole many times when conducting penetration testing at major companies, many of whom rely on these types of modems for users to log into the corporate network from home or remote locations.

    "The problem here is that, even though the corporate may have locked down its own access systems, these remote modems effectively give attackers access to the system using weird and wonderful port addresses," he said, adding that, even if VPNs and other security mechanisms are used, this does not rule out a remote attack using Vanderbecken's methodology.

    "All it does is to reduce the risk of a remote attack. I'm not entirely surprised by this researcher's findings, as in a corporate environment with 2,000 or more network nodes, we tend to see dozens of these port issues, any one of which can let a hacker or a cybercriminal in via the back door," he explained.

    Some random code/data about the backdoor found in Linksys WAG200G (TCP/32764).

    Possible fix :
    Probable source of the backdoor:
    Backdoor LISTENING ON THE INTERNET confirmed in :
    • Cisco WAP4410N-E 2.0.1.0, 2.0.3.3, 2.0.4.2, 2.0.6.1 (issue 44)
    • Linksys WAG120N (@p_w999)
    • Netgear DG834B V5.01.14 (@domainzero)
    • Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
    • OpenWAG200 maybe a little bit TOO open ;) (issue 49)
    Backdoor confirmed in:

    Backdoor may be present in:
    Backdoor is not working in:
    • Belkin F5D7230-4 6000 (SerComm manufactured product) (issue 51)
    • Cisco E2000 fwv 1.0.02 (issue 17)
    • Cisco Linksys E4200 V1 fwv 1.0.05 (issue 18)
    • Cisco Linksys X2000 (issue 40)
    • Linksys E2500 (@Antoniojojojo)
    • Linksys E3000 fwv 1.0.04 (issue 16)
    • Linksys E4200 Firmware Version: 2.0.26 (issue 53)
    • Linksys WRT120N fwv 1.0.07 (@viniciuskmax)
    • Linksys WRT160Nv2 (issue 43)
    • Linksys WRT320N (issue 31)
    • Linksys WRT54GL(v1.1) Firmware v4.30.16
    • Linksys WRT54GS v1.52.8 build 001 (thanks Helmut Tessarek)
    • Linksys WRT600N running 1.01.36 build 3 (@shanetheclassic & issue 46)
    • Linksys WRT610N V1 fwv 1.00.03 B15 (issue 60)
    • Netgear CG3100 (issue 6)
    • Netgear CG3700EMR as provided by ComHem Sweden (issue 20)
    • Netgear DG834G v5 (manufactured by Foxconn as opposed to the previous versions, nice finding anthologist issue 28)
    • Netgear DGN2200Bv3 (V1.1.00.23_1.00.23) (issue 41)
    • Netgear DGND3700 (issue 33)
    • Netgear ProSafe FVS318G fwv 3.1.1-14 (thank you Jason Leake :) )
    • Netgear R4500 firmware V1.0.0.4_1.0.3 (issue 64)
    • Netgear R6300 (issue 15)
    • Netgear R7000 (@LRFLEW)
    • Netgear RP614v[4,2] V1.0.8_02.02 (issue 22 & issue 24)
    • Netgear VMDG480 (aka. VirginMedia SuperHub) swv 2.38.01 (issue 16)
    • Netgear VMDG485 (aka. VirginMedia SuperHub 2) swv1.01.26 (issue 16)
    • Netgear WGR614v3 (issue 8)
    • Netgear WGR614v7 (thanks "Martin from germany" [your e-mail doesn't work])
    • Netgear WGR614v9 (issue 7)
    • Netgear WN2500RP (issue 15)
    • Netgear WNDR3700 (@juliengrenier)
    • Netgear WNDR4000 (issue 10)
    • Netgear WNDR4500 (@TechnicalRah)
    • Netgear WNR2000v3 (issue 43)
    • Netgear WNR3500L firmware V1.2.2.30_34.0.37 (issue 65)
    • Netgear WNR3500Lv2