
Backdoor found in Linksys, Netgear Routers

552 points, by nilsjuenemann, over 11 years ago

29 comments

maxk42, over 11 years ago
About a year ago I left a cable modem and internet service (Time Warner) at an apartment I was moving out of while my friend continued to stay there. I had configured the thing in a manner I thought to be fairly secure -- strong password, no broadcast, etc. One day the internet goes down and my friend doesn't know what to do. She calls the ISP and asks them what's wrong. They say they can't release any information about the service to her without my permission, so I suddenly get a three-way call explaining that my friend and the ISP representative are on the line and I need to give my authorization to access the account information. Being the person I am, I attempt to troubleshoot things over the phone before giving out any sort of account credentials. Eventually, I ask her to log into the router configuration page. She doesn't know the password and the first one I gave her doesn't work. The representative chimes in "That's fine -- I can just change it from here."

"...What?"

I was furious. Time Warner had left a backdoor in all their modems that gives them administrative access to my private connection. And yes -- she did alter the password remotely. She didn't seem to think there was anything wrong with this. I tried googling for relevant information, but wasn't able to find anything more than speculation at the time.
earlz, over 11 years ago
Interesting. Reminds me of the hack I did on a (mandatory) modem/router forced on AT&T users. They had a bunch of problems with it, so one day I got fed up after the millionth disconnect and cracked it open. Got a serial root shell by using the "magic !" command (completely randomly discovered) and dumped the source to the web UI (in Lua/haserl). From there found the equivalent of a SQL injection vulnerability and used it to gain a remote root exploit.

Most annoyingly, AT&T put out a firmware update some months later that closed the exploit, but didn't fix any other problems. So, I found another more intrusive/permanent exploit. Still waiting on them to patch it next heh. But now they are actually putting out some updates that actually fix problems too at least. Hopefully user uproar will continue to drive them to fix more problems.
X4, over 11 years ago
I hacked my Fritz!Box (yeah, a bad name for a German router) and I'm entirely sure that it has a backdoor integrated too. That's why I wiped and flashed it with an alternative image. That and the Telecom's Speedport router are the most popular routers by far in Germany. And both have backdoors; I know that other router manufacturers also integrate backdoors from a source who works at such a company. A friend can also verify the fact, because a different employee told him the same. Also it's public that the ISP can upgrade, modify, flash and disable features remotely. My friend's router has wifi, but their provider disabled it remotely within the firmware (it even has an antenna) and his ISP wants him to pay 5€/m to re-enable wifi.

I really wonder why nobody complained about that earlier. Also the interesting thing here is that for a very long time, you weren't allowed to use a different router than the one provided by your ISP, which enforced their surveillance monopoly.

Here's an article about reverse engineering the backdoor in D-Link routers using IDA:

http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

PoC available: http://pastebin.com/vbiG42VD
nlvd, over 11 years ago
"And the Chinese have probably known about this back door since 2008." http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http%3A%2F%2Fhi.baidu.com%2Fcygnusnow%2Fitem%2F3fd853ade9f08f9e151073a1

That's a pretty scary prospect, if it's been 'known' and exploited since at least 2008. Poor form, Netgear/Linksys.
midas007, over 11 years ago
This is not surprising. It's a calculated risk to make a product just good enough. Development resources invested in retail wireless gear are minimal. I've worked on firmware for high-confidence industrial wireless gear used in mines. Most of them fall over under load, run obsolete+unpatched code and/or reboot randomly. Retail customers will tend to just put up with it and not return the product before the merchant's return grace period.

It's a totally different attitude when the intended market is enterprise: it's assumed that if a product causes a failure, the vendor is going to receive escalating, unpleasant phone calls until it's resolved.
salient, over 11 years ago
Can this be fixed by changing the firmware to OpenWRT or DD-WRT?
redx00, over 11 years ago
Has anyone ever tried submitting a GPL request to http://support.linksys.com/en-us/gplcodecenter ?

I wonder if there is anyone still working in the GPL compliance department.
elwell, over 11 years ago
TIL: Some people know a lot more than me about hacking. That PDF was interesting, but I only understood a small fraction of it.
dbbolton, over 11 years ago
Has there been a technical write-up on this yet? I honestly tried to read the presentation and had to quit after the third superfluous meme slide.
comic404, over 11 years ago
More information: https://github.com/elvanderb/TCP-32764/blob/master/backdoor_description.pptx

"Mr. Guessing 2010" doesn't know shit about backdoor (superuser.com).
nwh, over 11 years ago
I have confirmed this (or something similar) is present in the Netgear DG834N as well.
m86, over 11 years ago
ScMM = SerComm, perhaps?

Many of Linksys' old DSL modems were manufactured by them, AFAIK, and it seems many of the noted 'probably affected' models have a SerComm manuf'ed device for at least one revision of that model line.

More probable SerComm manuf'ed devices are visible at the WD query link below:

http://wikidevi.com/w/index.php?title=Special%3AAsk&q=[[Manuf%3A%3ASerComm]]+[[Global+type%3A%3A~embedded*]]&po=%3FFCC+ID%0D%0A%3FFCC+approval+date%3DFCC+date%0D%0A%3FEstimated+date+of+release%3DEst.+release+date%0D%0A%3FEmbedded+system+type%0D%0A%3FCPU1+brand%0D%0A%3FCPU1+model%3DCPU1+mdl.%0D%0A&eq=yes&p[format]=broadtable&sort_num=&order_num=ASC&p[limit]=500&p[offset]=&p[link]=all&p[sort]=&p[headers]=show&p[mainlabel]=&p[intro]=&p[outro]=&p[searchlabel]=%E2%80%A6+further+results&p[default]=&p[class]=sortable+wikitable+smwtable&eq=yes
dobbsbob, over 11 years ago
Buy a $200 soekris box and install openbsd or m0n0wall on it, or on any old pc you have lying around with 2 network cards.
atmosx, over 11 years ago
I live in the Czech Republic and my Zyxel from O2 has port 7547 open (Allegro RomPager 4.07) and you can't do anything about it. There is no editor on the installed Linux version (cropped-down Linux, probably OpenWRT or something similar), no package manager, no nothing.

If I flash the firmware the warranty is void and I have no user/pass to re-enable the ADSL. So basically, my router is a hostile AP.

Given the fact that it's a common pattern among ISPs in order to offer quick service - I firmly believe that ISPs do it for practical reasons - and end up killing your security, the best thing is to put the router in bridged mode and get a cheap custom-made router like carambola2[1] and install FreeBSD[2] on it.

Disclosure: I donated one of these devices to Adrian Chadd[3] in order for him to port FreeBSD to this device, which enabled me to use PF[4] - my favorite firewall - but I have no affiliation otherwise with 8devices or FreeBSD.

[1] http://8devices.com/carambola-2
[2] https://wiki.freebsd.org/FreeBSD/mips/Carambola2
[3] https://wiki.freebsd.org/AdrianChadd
[4] http://pf4freebsd.love2party.net
chenster, over 11 years ago
Why backdoor?? That's what I want to know.
DROP_TABLE, over 11 years ago
Am I the only one who gets really annoyed by the memes in the exploit description?
jacob019, over 11 years ago
Is this backdoor only served up on the WLAN, or is it also exposed to the internet?
billpg, over 11 years ago
I've used GRC's "Shields Up" and asked for a user-specified probe for port 32764 and it came back "Stealth".

Assuming GRC isn't out to deceive me, can I assume that my router is fine?

Bill, using a Netgear router.
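The probe Bill ran from the outside via GRC can also be run from the LAN side, which is where several commenters report the service being reachable. The following is an added example (not from the thread or from any of the linked write-ups): it attempts a plain TCP connect to the ports this thread mentions on a router's LAN address and reports which ones accept a connection. The router address 192.168.1.1 is a placeholder, and the local-listener demo exists only so the check can be exercised offline.

```python
import socket

# Ports discussed in this thread: the TCP-32764 service, the TR-069/RomPager
# port atmosx found open, and the Netgear LAN telnet console. Added example.
WATCH_PORTS = {32764: "TCP-32764 service", 7547: "TR-069 / RomPager", 23: "telnet console"}


def probe_port(host, port, timeout=2.0):
    """Return True if a TCP connect to host:port completes within timeout.

    A completed handshake proves only that something is listening; a refused
    or timed-out connect (what GRC reports as 'Stealth') yields False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_router(host, ports=WATCH_PORTS, timeout=2.0):
    """Probe every watched port on host; return {port: accepts_connection}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def demo_against_local_listener():
    """Offline demonstration: bind a throwaway listener on 127.0.0.1, probe it
    and a port known to be closed, and return both verdicts in that order."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)                      # backlog lets connects complete without accept()
    open_port = listener.getsockname()[1]
    # Obtain a second ephemeral port and release it so it is closed when probed.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return check_router("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    ROUTER_ADDR = "192.168.1.1"  # placeholder: substitute your router's LAN address
    for port, accepted in check_router(ROUTER_ADDR).items():
        state = "ACCEPTS CONNECTIONS" if accepted else "closed / filtered"
        print(f"{ROUTER_ADDR}:{port} ({WATCH_PORTS[port]}): {state}")
```

A port that accepts connections from the LAN but shows "Stealth" from the outside is still worth taking seriously, since jacob019's question about LAN-only versus internet exposure is exactly the distinction this check cannot settle on its own.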
eggshell, over 11 years ago
If you want more fun with the saved nvram config files, check out http://www.nirsoft.net/utils/router_password_recovery.html

He's figured out many of their "encryption" methods. I've independently "cracked" most of the major ones as well (including checksums/headers required to write back to the router).

They're all pretty broken. PRNG key streams, simple bit swaps, XOR, encryption against a static key, etc.

Fun stuff.
thrillgore, over 11 years ago
Thankfully I have an older WNDR3700 and I remain unaffected.

However, seeing mention of (and an implementation of) Dual_ECC_DRBG in the slides immediately gives me a lot of pause regarding the security of my router. I love memes more than the next guy, but this guy really went out of his way to make this confusing to understand.
userbinator, over 11 years ago
I have a WGR614v6: it shows no response from port 32764 both from the internet and locally.

At first I thought it was this, which has been known for a long time now: http://wiki.openwrt.org/toh/netgear/telnet.console
spditner, over 11 years ago
Netgear routers come with a well-published back door (http://wiki.openwrt.org/toh/netgear/telnet.console) that gives you telnet access from the LAN.
toxik, over 11 years ago
While interesting, I wouldn't say this is news. It has been known for quite a while.
jason_slack, over 11 years ago
Does anyone have a recommendation for a nice, configurable, reliable wireless router nowadays? My Linksys E2000 is on the fritz and didn't last near as long as my old WRT54G.
undoware, over 11 years ago
Don&#x27;t worry, no one will ever find out.
sly010, over 11 years ago
Isn't this necessary to roll out IPv6 anyway?
rikacomet, over 11 years ago
From the sounds of it, these are purposely made backdoors? Or something ignored?

My expression: http://i.imgur.com/pYJMKC6.jpg
ballard, over 11 years ago
Great discovery. Surprised no tinfoil has been mentioned about it being a possible NSA "diode."
hengheng, over 11 years ago
More information here:

http://superuser.com/questions/166627/netgear-router-listening-on-port-32764