Patched Router Not Really Patched

Tuesday, April 22, 2014 @ 05:04 PM gHale

It all started when security systems engineer and researcher Eloi Vanderbeken found a backdoor in his own Linksys router at Christmas time.

He then asked other security researchers to check what other routers have the same backdoor. The results of that ad hoc investigation ended up showing that 24 DSL router models from Cisco, Linksys, Netgear, and Diamond were vulnerable.


The backdoor ended up tied to Sercomm, the contract manufacturer that builds these routers for those vendors. A month after the discovery, the vendors pushed out a new firmware version that closed the backdoor. Or did they?

During downtime on another holiday, Easter, Vanderbeken discovered that the backdoor binary is still present in the new firmware version and that the backdoor on port 32764 can be “opened” again by sending a specific network packet to the router, he said.

He proved the matter by publishing proof-of-concept (PoC) exploit code, based on earlier code created by Wilmer van der Gaast, which delivers an MD5 hash of the router’s model number.

In order for the packet to deliver this payload, it has to be a raw Ethernet packet sent either from the local LAN or from the ISP side, so remote, random attacks are unlikely.

Once the backdoor is reopened, it allows attackers to reset the device’s configuration to factory settings and, consequently, to the default router administration username and password.
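For an administrator who wants to know whether a router on their LAN is currently exposing the service on port 32764, the following added example (not code from the article, from Vanderbeken, or from any vendor) performs a plain TCP connect check from the LAN side and reports the result. The hostname and port values are placeholders; the loopback listener in the demo is a constructed stand-in for a router. As the article notes, the binary stays dormant until the reopening packet is sent, so a closed port only shows the service is not listening right now, not that the firmware is free of the backdoor.

```python
import socket
from dataclasses import dataclass

# Port named in the article as the one the backdoor listens on.
BACKDOOR_PORT = 32764


@dataclass
class PortCheck:
    host: str
    port: int
    reachable: bool
    detail: str


def tcp_port_reachable(host: str, port: int, timeout: float = 2.0) -> PortCheck:
    """Attempt a plain TCP connect and report whether the port accepted it.

    A timeout is reported separately from a refusal: a filtered port and a
    dormant service both look like silence, whereas an active refusal means
    the host answered and nothing is bound there.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortCheck(host, port, True, "TCP connection accepted")
    except socket.timeout:
        return PortCheck(host, port, False, "timed out (filtered or dormant)")
    except OSError as exc:
        return PortCheck(host, port, False, f"refused or unreachable (errno {exc.errno})")


def assess_router(host: str, port: int = BACKDOOR_PORT, timeout: float = 2.0) -> str:
    """Classify the LAN-side exposure of the router's management backdoor port.

    EXPOSED       - something on the router accepts connections on the port now.
    NOT_LISTENING - nothing accepted the connect; the binary may still be present
                    but dormant, so this is not proof the firmware is clean.
    """
    result = tcp_port_reachable(host, port, timeout)
    return "EXPOSED" if result.reachable else "NOT_LISTENING"


def demo_local_check() -> tuple:
    """Constructed demo: a throwaway loopback listener stands in for a router.

    Returns the classification while the listener is up, then after it is
    closed, so the two branches of assess_router are exercised offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # ephemeral port; the real check would use 32764
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = assess_router("127.0.0.1", port)   # -> "EXPOSED"
    srv.close()
    after_close = assess_router("127.0.0.1", port)       # -> "NOT_LISTENING"
    return while_listening, after_close


if __name__ == "__main__":
    # Placeholder gateway address; replace with the router's LAN IP.
    gateway = "192.0.2.1"
    print(gateway, BACKDOOR_PORT, assess_router(gateway))
    print("loopback demo:", demo_local_check())
```

Run the check from a host on the same LAN segment as the router, since the article states the reopening packet has to arrive from the LAN or the ISP side. Treating "EXPOSED" as a finding to act on and "NOT_LISTENING" as inconclusive is the right reading given that the service is dormant by default.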
