OpenSourcerer

Strange backdoor in some routers [19/04/14 - it's still there!]

Posted ... (edited)

People (who are involved in IT security in the first place) read about the open port 32764 in routers from Cisco, Linksys, Netgear and Diamond having strange backdoor access to the configuration files of those routers.

 

Long story short, there is a service listening on this port which accepts a variety of commands such as resetting the router or printing out all kinds of information, even passwords in plain text. Connecting to the router through telnet should return the string "ScMM" or "MMcS" if the service is running (it's for SerComm).

 

It could be smart to check if your Cisco/Linksys/Netgear/Diamond router is listed here. Or use this Python script. Or just connect to your router via

telnet [your.router.ip] 32764

and see if you get one of the aforementioned strings back.

 

Source #1

 

Source #2

 

 

---- Update #1 ----

First statements of manufacturers Linksys and Netgear. Both of them allegedly are "going through all possible vulnerabilities" and will publish more information on this after they did some analyzing. Fact is that they didn't even warn the users of those routers... strange, too...

Source

 

---- Update #2 ----

Cisco released a Security Advisory and is working on a fix. There are no workarounds so you have to wait for Cisco's update.

 

---- Update #3 ----

 

It's not over!

Edited ... by gigan3rd

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.
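
The telnet check from the post above, as an added Python example (not part of the original post and not the script it links to): it connects once to port 32764 and looks for "ScMM" or "MMcS" at the start of the reply. The verdict labels, the 12-byte read, the Enter-style probe and the private-address restriction are assumptions of this example.

```python
import ipaddress
import socket
import sys

PORT = 32764                     # port named in the post
SIGNATURES = (b"ScMM", b"MMcS")  # strings the post says the service returns


def classify(banner: bytes) -> str:
    """Turn the first bytes received into a verdict (labels are this example's)."""
    if banner.startswith(SIGNATURES):
        return "backdoor-signature"
    return "open-other-service" if banner else "open-no-banner"


def _read(sock: socket.socket) -> bytes:
    """Read up to 12 bytes; a timeout or reset counts as 'nothing received'."""
    try:
        return sock.recv(12)
    except OSError:
        return b""


def check_router(host: str, port: int = PORT, timeout: float = 3.0) -> str:
    """Banner check for one LAN device, equivalent to the telnet test above."""
    # Assumption of this example: only literal private/loopback IPs are accepted,
    # so the check stays on your own network (hostnames raise ValueError too).
    if not ipaddress.ip_address(host).is_private:
        raise ValueError("expected a private (LAN) address")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            banner = _read(sock)
            if not banner:
                # Assumption: the service may stay silent until it receives
                # input, so send what pressing Enter in telnet would send.
                sock.sendall(b"\r\n")
                banner = _read(sock)
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable-or-error"
    return classify(banner)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # example LAN IP
    print(target, check_router(target))
```

A "closed" or "unreachable-or-error" result from inside the LAN says nothing about the WAN side; repeat the check from the network segment you care about.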


Could this be the NSA backdoor described in Jacob Appelbaum's recent speech? He specifically mentioned Cisco and I think possibly some of the other brands there. If anyone hasn't seen this, you definitely need to:


Could this be the NSA backdoor described in Jacob Appelbaum's recent speech?

 

I don't know. From the PPTX:

Guess #1

Guess #2



Cisco released a Security Advisory and is working on a fix. There are no workarounds so you have to wait for Cisco's update.



There is no security fix for these backdoors. They were found by us the people, and now they are working hard on closing what we found and opening another hole for us to find later to yet again...

For anyone who still is trusting.. My god :/ Facebook has better privacy security features


There is no security fix for these backdoors. They were found by us the people, and now they are working hard on closing what we found and opening another hole for us to find later to yet again...

 

This is somehow paranoid.



 

There is no security fix for these backdoors. They were found by us the people, and now they are working hard on closing what we found and opening another hole for us to find later to yet again...

 

This is somehow paranoid.

 

But you were right.

 

It's not over! It's still there!



As a security guy I frankly expect that both my router and any commercial modem are backdoor'd. My only hope (in my mind) is to configure a VPN tunnel with TOR afterwards using a Linux OS, and then make CERTAIN only encrypted payloads are able to exit my laptops. Assuming that the payloads are sufficiently encrypted, then the router backdoor crap wouldn't really mean anything. It really bothers me that router mfg's would sell their customers' privacy out to "agencies". I am trying hard to look over the hardware on my laptops and apply safe practices. It's tough because the reality is it's impossible if something really sinister is going on. The obvious one is the selection of an OS, and I won't go there to avoid arguments because of my lack of proof.

 

In a world where I was using a "wired" home network, I would only use pfsense and that would be on my own hardware where I signed off on the components.  As it is, for me, I really hope that my fully encrypted payload scheme is prohibiting some exposure from these obvious router backdoors.  I guess time will tell.


Great findings.

 

Another wake-up call for people that still wait for another reason in order to switch to open-source router firmwares, like pfSense or OpenWRT.

 

 

I was just reading about the resurfacing of this exploit and recalled this post... came here to post about it.

 

This is exactly why I switched to pfSense. I use an Asus router with merlin firmware in Access point mode only.

 

Soon enough the pfSense guide I have made will have options to harden pfSense/OpenVPN added to it. It is being tested in PM's currently.


How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!


Hi everyone,

 

Would you think a Linksys WRT54GS flashed with DD-WRT would have this backdoor?

Thanks.

 

anonym


Anyone know if the Billion 7800 models have these backdoors?

Had a look on Google and didn't find any results like Linksys shows results. Also, DD-WRT doesn't support any Billions.

One interesting point to consider: if you run your modem in bridge mode and have pfSense connect itself over PPPoE, I don't see how the backdoor could be reached.
