News Article: Source: SCMagazineUK.com
And you don't need to reset the modem's configuration to have a root shell.
And some routers are vulnerable from the internet, not only from the LAN.
Wireless attack backdoor discovered in DSL modems
French researcher drives a London bus through wireless modem security
Whilst several vulnerable backdoors in various DSL (broadband) modems were revealed by security researchers last year, would-be hackers required relatively unfettered direct IP access to the device to carry out an attack. Now a French researcher has discovered a series of wireless flaws on DSL modems from Linksys, Netgear and other vendors.
According to Eloi Vanderbeken, the wireless backdoor effectively gives attackers administration level access by simply resetting the modem's configuration settings, so bypassing the firewall settings of the unit.
The vulnerability particularly affects public access WiFi services, SCMagazineUK.com notes, since these units are designed to allow password-less access to the unit across wireless channels, prior to logging in. This raises the spectre of a complete takeover of a public access WiFi hotspot and covert monitoring of all user IP traffic as a result.
Loopholes identified
Vanderbeken has been developing his research strategy for several weeks but made a major breakthrough over the Christmas period in which he identified a series of common loopholes across several DSL modems.
In his analysis the French researcher revealed that he was attempting to code-limit the bandwidth of individual users of his family's Linksys WAG200G DSL modem, but had locked himself out of the wireless admin console.
This is where it gets interesting, as the researcher discovered he could manage the router via an unusual TCP port (32764) - something that other users, he later found, had also realised.
After analysing the firmware of the modem (downloaded from the Web), he created a simple interface to send admin commands to the router without being logged in as an administrator, resetting the unit to its default settings.
Switching to a shell command, he then coded a script to gain access to admin mode - without the admin password - and published the script on to the Github software development service, at which stage other Linksys and Netgear users reported the script worked on their modems.
Linksys and Netgear say they are investigating the claims.
Home-use vulnerable
Nigel Stanley, CEO and analyst of Incoming Thought, the information security consultancy, said that, with the proliferation of broadband technology, many homes and small businesses will be relying on these modems to provide access to the Web.
"But how on earth can an average user ensure their modem is fully patched and secure from these exploits?" he asked SCMagazineUK.com, adding that, whilst in this case the exploit requires the attacker to be on the local network, he and his team have seen other security flaws that appear to be easier to exploit.
"Whilst in isolation this may not seem a big problem, imagine if a vulnerable modem was being used by a small supplier to a larger defence or aerospace company? We then start to have interesting conversations about supply chain risk," he noted.
Peter Wood, CEO of pen testing specialist First Base Technologies, meanwhile, said he has seen this type of security loophole many times when conducting penetration testing at major companies, many of whom rely on these types of modems for users to log into the corporate network from home or remote locations.
"The problem here is that, even though the corporate may have locked down its own access systems, these remote modems effectively give attackers access to the system using weird and wonderful port addresses," he said, adding that, even if VPNs and other security mechanisms are used, this does not rule out a remote attack using Vanderbeken's methodology.
"All it does is to reduce the risk of a remote attack. I'm not entirely surprised by this researcher's findings, as in a corporate environment with 2,000 or more network nodes, we tend to see dozens of these port issues, any one of which can let a hacker or a cybercriminal in via the back door," he explained.
Some random code/data about the backdoor found in Linksys WAG200G (TCP/32764).
Probable source of the backdoor: SerComm (see the confirmed list below)
Possible fix:
- if it's listening on the internet: add a firewall rule in the web UI
- it also seems to work on the LAN side
- but apparently not for everybody, so use the PoC again after adding the rule to make sure the firewall does its job
- install an open source firmware (for example OpenWRT or Tomato); this is NOT magical, OpenWAG200 is vulnerable
- kill the backdoor after each reboot
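A defender-side check for the "use the PoC again after adding the rule" step, added here as an example (it is not from the article, the README or Vanderbeken's own PoC): it reports, for each side of the router, whether TCP/32764 completes a handshake, is refused, or is silently dropped, so you can tell a working firewall rule from a listener that is merely slow. The addresses are constructed placeholders.

```python
import socket
from typing import Dict, Literal

# TCP port named in the article as the backdoor listener.
BACKDOOR_PORT = 32764

State = Literal["open", "closed", "filtered", "error"]


def probe_port(host: str, port: int = BACKDOOR_PORT, timeout: float = 3.0) -> State:
    """Classify how a TCP port answers a plain connect attempt.

    'open'     : handshake completed, something is listening
    'closed'   : RST received (nothing listening, or firewall rejects)
    'filtered' : no answer within the timeout (firewall drops, or host down)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"  # unreachable network, bad address, ...


def check_router(addresses: Dict[str, str], port: int = BACKDOOR_PORT,
                 timeout: float = 3.0) -> Dict[str, State]:
    """Probe the backdoor port from each side of the router.

    addresses maps a label to an IP, e.g. {"lan": "192.168.1.1", "wan": "203.0.113.7"}.
    """
    return {label: probe_port(ip, port, timeout) for label, ip in addresses.items()}


def still_exposed(results: Dict[str, State]) -> bool:
    """True if any side still completes a handshake on the backdoor port."""
    return any(state == "open" for state in results.values())


if __name__ == "__main__":
    # Constructed example addresses (documentation ranges); use your router's own.
    sides = {"lan": "192.168.1.1", "wan": "203.0.113.7"}
    results = check_router(sides)
    for side, state in results.items():
        print(f"{side:>4}: tcp/{BACKDOOR_PORT} {state}")
    print("backdoor port still reachable" if still_exposed(results)
          else "no handshake on backdoor port")
```

Run the WAN probe from a host outside the router (a phone on mobile data, a VPS), since the router's own public address is usually not reachable from inside the LAN.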
Backdoor LISTENING ON THE INTERNET confirmed in:
- SerComm (nice finding)
Backdoor confirmed in:
- Cisco WAP4410N-E 2.0.1.0, 2.0.3.3, 2.0.4.2, 2.0.6.1
- Linksys WAG120N
- Netgear DG834B V5.01.14
- Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0
- OpenWAG200 (maybe a little bit TOO open)
- Cisco RVS4000 fwv 2.0.3.2
- Cisco WAP4410N
- Cisco WRVS4400N
- Diamond DSL642WLG / SerComm IP806Gx v2 TI
- LevelOne WBR3460B
- Linksys RVS4000 Firmware V1.3.3.5
- Linksys WAG160n v1 and v2
- Linksys WAG200G
- Linksys WAG320N
- Linksys WAG54G2
- Linksys WAG54GS
- Linksys WRT350N v2 fw 2.00.19
- Linksys WRT300N fw 2.00.17
- Netgear DG834[∅, GB, N, PN, GT] version < 5 (jd & Burn2 Dev)
- Netgear DGN1000 (don't know if there is a difference with the other N150 ones...)
- Netgear DGN1000 N150
- Netgear DGN2000B
- Netgear DGN3500
- Netgear DGND3300
- Netgear DGND3300Bv2 fwv 2.1.00.53_1.00.53GR
- Netgear DM111Pv2
- Netgear JNR3210
Backdoor may be present in:
Backdoor is not working in:
- all SerComm manufactured devices
- Linksys WAG160N
- Netgear DG934 (probability: 99.99%)
- Netgear WG602, WGR614 (v3 doesn't work, maybe others...)
- Netgear WPNT834
- Belkin F5D7230-4 6000 (SerComm manufactured product)
- Cisco E2000 fwv 1.0.02
- Cisco Linksys E4200 V1 fwv 1.0.05
- Cisco Linksys X2000
- Linksys E2500
- Linksys E3000 fwv 1.0.04
- Linksys E4200 Firmware Version: 2.0.26
- Linksys WRT120N fwv 1.0.07
- Linksys WRT160Nv2
- Linksys WRT320N
- Linksys WRT54GL (v1.1) Firmware v4.30.16
- Linksys WRT54GS v1.52.8 build 001 (thanks Helmut Tessarek)
- Linksys WRT600N running 1.01.36 build 3
- Linksys WRT610N V1 fwv 1.00.03 B15
- Netgear CG3100
- Netgear CG3700EMR as provided by ComHem Sweden
- Netgear DG834G v5 (manufactured by Foxconn as opposed to the previous versions, nice finding anthologist)
- Netgear DGN2200Bv3 (V1.1.00.23_1.00.23)
- Netgear DGND3700
- Netgear ProSafe FVS318G fwv 3.1.1-14 (thank you Jason Leake)
- Netgear R4500 firmware V1.0.0.4_1.0.3
- Netgear R6300
- Netgear R7000
- Netgear RP614v[4,2] V1.0.8_02.02
- Netgear VMDG480 (aka. VirginMedia SuperHub) swv 2.38.01
- Netgear VMDG485 (aka. VirginMedia SuperHub 2) swv 1.01.26
- Netgear WGR614v3
- Netgear WGR614v7 (thanks "Martin from Germany" [your e-mail doesn't work])
- Netgear WGR614v9
- Netgear WN2500RP
- Netgear WNDR3700
- Netgear WNDR4000
- Netgear WNDR4500
- Netgear WNR2000v3
- Netgear WNR3500L firmware V1.2.2.30_34.0.37
- Netgear WNR3500Lv2

Router Backdoor Listening on TCP-32764 1.0
Direct access on DSL modems from Linksys, Netgear and other vendors.