ShyWriter

Critical backdoor in Linksys and Netgear routers found.. (Again)


Critical backdoor in Linksys and Netgear routers found
 
Posted on 03 January 2014.

A backdoor in some Linksys and Netgear wireless routers that allows malicious users to reset the devices' configuration to factory settings and, therefore, to default router administration username and password, has been discovered and its existence shared with the world.

French security systems engineer Eloi Vanderbeken first discovered the backdoor in his own Linksys WAG200G wireless DSL gateway, after deciding to limit the bandwidth used by his holiday guests and remembering he had forgotten the complex username and password combination he chose for accessing the router's administration panel.

By probing and prodding the device's firmware, he discovered that there was an unknown service listening on network port TCP 32764. The service accepts thirteen types of messages, among which are two that allowed him to peak into the configuration settings, and one that restored the router to its default factory settings.

After sharing the colourful details of his "quest" on his Github account, other hackers around the world took it upon themselves to check what other routers have the same backdoor.

Unfortunately, there are quite a few. The list allowed people to speculate that the affected devices have one thing in common: they have been manufactured by Sercomm, a firm that builds routers both under its own name and for several other companies, including Linksys and Netgear.

Other companies Sercomm works for are 3Com, Aruba and Belkin, so it's likely that those devices also sport the flawed firmware. Hopefully all of these companies will be pushing out a patched version as soon as possible.

SANS ISC CTO Johannes Ullrich has noted that since the revelation of the existence of the backdoor, they have been seeing an increase in probes for port TCP 32764.

"Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. The by far largest number of scans come from 80.82.78.9. ShodanHQ has also been actively probing this port for the last couple of days," he shared.

"At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network."

Sophos' Paul Ducklin also offered good advice on what to do and check.

 

SOURCE: https://www.net-security.org/secworld.php?id=16155

 

/Steve


"Hopefully all of these companies will be pushing out a patched version as soon as possible."

 

Yeah right. You can't push out an update to a router. It's a manual process the user has to initiate, so we know how many routers won't be getting updates even if they have an update available today, unless there is another undisclosed backdoor that allows the vendor that type of remote access to your router.


Yeah right. You can't push out an update to a router. It's a manual process the user has to initiate, so we know how many routers won't be getting updates even if they have an update available today, unless there is another undisclosed backdoor that allows the vendor that type of remote access to your router.

Some routers automatically update their firmware.

Of course, I use the WRT54GL, which does not update automatically. Granted I also use Tomato rather than the actual Linksys firmware, so hopefully that shouldn't be an issue.


Yes, true, but not many, and speaking for myself I certainly would not want my router to automatically update on its own. I prefer to be in control of stuff like that. I'm sure that there are millions of routers out there that will never be updated.


in a grating nasal new jersey female accent ; "copy proofing failure , isle 13 ..." :

"among which are two that allowed him to peak into the configuration settings ..."

well , at least it wasn't "pique" ... :lol::P

 

i took a look at some pictures of that router , it sure looks like one a friend of mine owns ... i'll be checking later on today .
