News Article: Source: Wireless attack backdoor discovered in DSL modems - SC Magazine UK
And you don't need to reset the modem's configuration to have a root shell.
And some router are vulnerable from the internet, not only from the LAN.
Wireless attack backdoor discovered in DSL modems
French researcher drives a London bus through wireless modem security
Whilst several vulnerable backdoors in various DSL (broadband) modems were revealed by security researchers last year, would-be hackers required relatively unfettered direct IP access to the device to carry out an attack. Now a French researcher has discovered a series of wireless flaws on DSL modems from Linksys, Netgear and other vendors.
According to Eloi Vanderbecken, the wireless backdoor effectively gives attackers administration level access by simply resetting the modem's configuration settings, so bypassing the firewall settings of the unit.
The vulnerability particularly affects public access WiFi services, SCMagazineUK.com notes, since these units are designed to allow password-less access to the unit across wireless channels, prior to logging in. This raises the spectre of a complete takeover of a public access WiFi hotspot and covert monitoring of all user IP traffic as a result.
Vanderbecken has been developing his research strategy for several weeks (INSERT URL:Eloi Vanderbeken (elvanderb) on Twitter ) but made a major breakthrough over the Christmas period in which he identified a series of common loopholes across several DSL modems.
In his analysis (INSERT URL: elvanderb/TCP-32764 · GitHub ) the French researcher revealed that he was attempting to code-limit the bandwidth of individual users of his family's Linksys WAS200G DSL modem, but had locked himself out of the wireless admin console.
This is where it gets interesting, as the researcher discovered he could manage the router via an unusual TCP port (32764) - something that other users, he later found, had also realised.
After analysing the firmware of the modem (downloaded from the Web), he created a simple interface to send admin commands to the router without being logged in as an administrator, resetting the unit to its default settings.
Switching to a shell command, he then coded a script to gain access to admin mode - without the admin password - and published the script on to the Github software development service, at which stage other Linksys and Netgear users reported the script worked on their modems.
Linksys and Netgear say they are investigating the claims.
Nigel Stanley, CEO and analyst of Incoming Thought, the information security consultancy, said that, with the proliferation of broadband technology, many homes and small businesses will be relying on these modems to provide access to the Web.
"But how on earth can an average user ensure their modem is fully patched and secure from these exploits?" he asked SCMagazineUK.com, adding that, whilst in this case the exploit requires the attacker to be on the local network, he and his team have seen other security flaws that appear to be easier to exploit.
"Whilst in isolation this may not seem a big problem, imagine if a vulnerable modem was being used by a small supplier to a larger defence or aerospace company? We then start to have interesting conversations about supply chain risk," he noted.
Peter Wood, CEO of pen testing specialist First Base Technologies, meanwhile, said he has seen this type of security loophole many times when conducting penetration testing at major companies, many of whom rely on these types of modems for users to log into the corporate network from home or remote locations.
"The problem here is that, even though the corporate may have locked down its own access systems, these remote modems effectively give attackers access to the system using weird and wonderful port addresses," he said, adding that, even if VPNs and other security mechanisms are used, this does not rule out a remote attack using Vanderbecken's methodology.
"All it does is to reduce the risk of a remote attack. I'm not entirely surprised by this researcher's findings, as in a corporate environment with 2,000 or more network nodes, we tend to see dozens of these port issues, any one of which can let a hacker or a cybercriminal in via the back door," he explained.
Some random code/data about the backdoor found in Linksys WAG200G (TCP/32764).
Possible fix :
Probable source of the backdoor:
- if it's listening on the internet: add a firewall rule in the web UI (@domainzero)
- it also seems to work on the LAN side. (issue 35)
- but apparently, not for every body (issue 57) so use the PoC again after adding the rule to make sure the firewall does its job.
- install an open source firmware (for example OpenWRT or Tomato) this is NOT magical, OpenWAG200 is vuln: OpenWAG200 - Browse /OpenWAG200/1.4 at SourceForge.net
- kill the backdoor after each reboot (issue 61 & TCP-32764-First-Aid)
Backdoor LISTENING ON THE INTERNET confirmed in :
- SerComm https://news.ycombinator.com/item?id=6998258 (nice finding )
Backdoor confirmed in:
- Cisco WAP4410N-E 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124 (issue 44)
- Linksys WAG120N (@p_w999)
- Netgear DG834B V5.01.14 (@domainzero)
- Netgear DGN2000 1.1.1, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11 (issue 44)
- OpenWAG200 maybe a little bit TOO open (issue 49)
- Cisco RVS4000 fwv 18.104.22.168 (issue 57)
- Cisco WAP4410N (issue 11)
- Cisco WRVS4400N
- Cisco WRVS4400N (issue 36)
- Diamond DSL642WLG / SerComm IP806Gx v2 TI (https://news.ycombinator.com/item?id=6998682)
- LevelOne WBR3460B (SecurityFocus)
- Linksys RVS4000 Firmware V22.214.171.124 (issue 55)
- Linksys WAG120N (issue 58)
- Linksys WAG160n v1 and v2 (@xxchinasaurxx @saltspork)
- Linksys WAG200G
- Linksys WAG320N (Śmieszna tylna furtka w ruterach Linksysa (i prawdopodobnie Netgeara) | Zaufana Trzecia Strona)
- Linksys WAG54G2 (@_xistence)
- Linksys WAG54GS (@henkka7)
- Linksys WRT350N v2 fw 2.00.19 (issue 39)
- Linksys WRT300N fw 2.00.17 (issue 34)
- Netgear DG834[∅, GB, N, PN, GT] version < 5 (issue 19 & issue 25 & issue 62 & jd & Burn2 Dev)
- Netgear DGN1000 (don't know if there is a difference with the others N150 ones... issue 27)
- Netgear DGN1000 N150 (issue 3)
[*]Netgear DGN2000B (issue 26)
[*]Netgear DGN3500 (issue 13)
[*]Netgear DGND3300 (issue 56)
[*]Netgear DGND3300Bv2 fwv 2.1.00.53_1.00.53GR (issue 59)
[*]Netgear DM111Pv2 (@eguaj)
[*]Netgear JNR3210 (issue 37)
Backdoor may be present in:
Backdoor is not working in:
- all SerComm manufactured devices (https://news.ycombinator.com/item?id=6998258)
- Linksys WAG160N (Śmieszna tylna furtka w ruterach Linksysa (i prawdopodobnie Netgeara) | Zaufana Trzecia Strona)
- Netgear DG934 probability: probability: 99.99% (Reverse Engineering | codeinsecurity)
- Netgear WG602, WGR614 (v3 doesn't work, maybe others...) (Śmieszna tylna furtka w ruterach Linksysa (i prawdopodobnie Netgeara) | Zaufana Trzecia Strona)
- Netgear WPNT834 (What is running on TCP port 32764? - NETGEAR Forums)
- Belkin F5D7230-4 6000 (SerComm manufactured product) (issue 51)
- Cisco E2000 fwv 1.0.02 (issue 17)
- Cisco Linksys E4200 V1 fwv 1.0.05 (issue 18)
- Cisco Linksys X2000 (issue 40)
- Linksys E2500 (@Antoniojojojo)
- Linksys E3000 fwv 1.0.04 (issue 16)
- Linksys E4200 Firmware Version: 2.0.26 (issue 53)
- Linksys WRT120N fwv 1.0.07 (@viniciuskmax)
- Linksys WRT160Nv2 (issue 43)
- Linksys WRT320N (issue 31)
- Linksys WRT54GL(v1.1) Firmware v4.30.16
- Linksys WRT54GS v1.52.8 build 001 (thanks Helmut Tessarek)
- Linksys WRT600N running 1.01.36 build 3 (@shanetheclassic & issue 46)
- Linksys WRT610N V1 fwv 1.00.03 B15 (issue 60)
- Netgear CG3100 (issue 6)
- Netgear CG3700EMR as provided by ComHem Sweden (issue 20)
- Netgear DG834G v5 (manufactured by Foxconn as opposed to the previous versions, nice finding anthologist issue 28)
- Netgear DGN2200Bv3 (V1.1.00.23_1.00.23) (issue 41)
- Netgear DGND3700 (issue 33)
- Netgear ProSafe FVS318G fwv 3.1.1-14 (thank you Jason Leake )
- Netgear R4500 firmware V126.96.36.199_1.0.3 (issue 64)
- Netgear R6300 (issue 15)
- Netgear R7000 (@LRFLEW)
- Netgear RP614v[4,2] V1.0.8_02.02 (issue 22 & issue 24)
- Netgear VMDG480 (aka. VirginMedia SuperHub) swv 2.38.01 (issue 16)
- Netgear VMDG485 (aka. VirginMedia SuperHub 2) swv1.01.26 (issue 16)
- Netgear WGR614v3 (issue 8)
- Netgear WGR614v7 (thanks "Martin from germany" [your e-mail doesn't work])
- Netgear WGR614v9 (issue 7)
- Netgear WN2500RP (issue 15)
- Netgear WNDR3700 (@juliengrenier)
- Netgear WNDR4000 (issue 10)
- Netgear WNDR4500 (@TechnicalRah)
- Netgear WNR2000v3 (issue 43)
- Netgear WNR3500L firmware V188.8.131.52_34.0.37 (issue 65)
- Netgear WNR3500Lv2