Router Backdoor Listening on TCP-32764 1.0

Direct access on DSL modems from Linksys, Netgear and other vendors.

Watchers:
This resource is being watched by 231 members.
  1. Mr. Penguin
    News Article: Source: Login or Signup to view links / downloads

    And you don't need to reset the modem's configuration to have a root shell.
    And some router are vulnerable from the internet, not only from the LAN.

    Wireless attack backdoor discovered in DSL modems

    French researcher drives a London bus through wireless modem security

    Whilst several vulnerable backdoors in various DSL (broadband) modems were revealed by security researchers last year, would-be hackers required relatively unfettered direct IP access to the device to carry out an attack. Now a French researcher has discovered a series of wireless flaws on DSL modems from Linksys, Netgear and other vendors.

    According to Eloi Vanderbecken, the wireless backdoor effectively gives attackers administration level access by simply resetting the modem's configuration settings, so bypassing the firewall settings of the unit.
    The vulnerability particularly affects public access WiFi services, SCMagazineUK.com notes, since these units are designed to allow password-less access to the unit across wireless channels, prior to logging in. This raises the spectre of a complete takeover of a public access WiFi hotspot and covert monitoring of all user IP traffic as a result.

    Loopholes identified
    Vanderbecken has been developing his research strategy for several weeks (INSERT URL:Login or Signup to view links / downloads ) but made a major breakthrough over the Christmas period in which he identified a series of common loopholes across several DSL modems.

    In his analysis (INSERT URL: Login or Signup to view links / downloads ) the French researcher revealed that he was attempting to code-limit the bandwidth of individual users of his family's Linksys WAS200G DSL modem, but had locked himself out of the wireless admin console.
    This is where it gets interesting, as the researcher discovered he could manage the router via an unusual TCP port (32764) - something that other users, he later found, had also realised.

    After analysing the firmware of the modem (downloaded from the Web), he created a simple interface to send admin commands to the router without being logged in as an administrator, resetting the unit to its default settings.

    Switching to a shell command, he then coded a script to gain access to admin mode - without the admin password - and published the script on to the Github software development service, at which stage other Linksys and Netgear users reported the script worked on their modems.
    Linksys and Netgear say they are investigating the claims.

    Home-use vulnerable
    Nigel Stanley, CEO and analyst of Incoming Thought, the information security consultancy, said that, with the proliferation of broadband technology, many homes and small businesses will be relying on these modems to provide access to the Web.

    "But how on earth can an average user ensure their modem is fully patched and secure from these exploits?" he asked SCMagazineUK.com, adding that, whilst in this case the exploit requires the attacker to be on the local network, he and his team have seen other security flaws that appear to be easier to exploit.

    "Whilst in isolation this may not seem a big problem, imagine if a vulnerable modem was being used by a small supplier to a larger defence or aerospace company? We then start to have interesting conversations about supply chain risk," he noted.

    Peter Wood, CEO of pen testing specialist First Base Technologies, meanwhile, said he has seen this type of security loophole many times when conducting penetration testing at major companies, many of whom rely on these types of modems for users to log into the corporate network from home or remote locations.

    "The problem here is that, even though the corporate may have locked down its own access systems, these remote modems effectively give attackers access to the system using weird and wonderful port addresses," he said, adding that, even if VPNs and other security mechanisms are used, this does not rule out a remote attack using Vanderbecken's methodology.

    "All it does is to reduce the risk of a remote attack. I'm not entirely surprised by this researcher's findings, as in a corporate environment with 2,000 or more network nodes, we tend to see dozens of these port issues, any one of which can let a hacker or a cybercriminal in via the back door," he explained.

    Some random code/data about the backdoor found in Linksys WAG200G (TCP/32764).

    Possible fix :
    Probable source of the backdoor:
    Backdoor LISTENING ON THE INTERNET confirmed in :
    Backdoor confirmed in:

    Backdoor may be present in:
    Backdoor is not working in:
Toggle Width

  • About Us

    We are a community mixed with professionals and beginners with an interest in wireless security, auditing and pentesting. Feel free to check out and upload resources.


    You can also find us on: Twitter and Facebook

  • Donate to Us

    Did you find our forums useful? Feel free to donate Bitcoin to us using the form below. Those who donate the equivlent of $10 USD or more will be upgraded to VIP membership. Don't have Bitcoin? Use your credit card to GO VIP here. Don't want to fork out some coin? There are other ways to GO VIP. Bitcoin: 1LMTGSoTyJWXuy2mQkHfgMzD7ez74x1Z8K