In early 2014, researchers reported secret backdoor TCP 32764 in several routers, router manufactures included Linksys, Netgear, Cisco and Diamond. The vulnerability allowed attackers to send commands to the vulnerable router via TCP port 32764 without authentication.
The original security researcher who found the first backdoor, Eloi Vanderbeken, has noted that the past backdoor has been patched in a firmware update, but SerComm has added the same backdoor via another method.
To verify the backdoor had been patched, Mr. Vanderbeken downloaded the patched firmware version 126.96.36.199 of Netgear DGN1000, and unpacked it using binwalk firmware analysis tool. Going through the files Eloi found the file scfgmgr which initially contained the backdoor to still be vulnerable. There is a new option included, -l, that limits the amount of processes able to be running on the same device. Diving further into firmware update, Eloi also found an unknown tool labeled, ft_tool, with option -f that allowed the reactivation of the previous TCP backdoor.
In Vanderbeken’s report, he explains that the unknown ft_tool can actually open a socket, or listen on incoming packets. The attacker on the local network can reactivate the backdoor with TCP port 32764 with the 3 small lines of code noted below.
EtherType parameter should be equal to ‘0x8888’.
Payload should contains MD5 hash of the value DGN1000 (45d1bb339b07a6618b2114dbc0d7783e).
The package type should be 0x201.
Mr. Vanderbeken has clearly shown the old patched vulnerability, can still be exploited with a slightly different method. It appears SerComm is intentionally leaving these files vulnerable, and installing backdoors.
The reason is unknown why these backdoors were intentionally put into place. Researchers speculate these backdoors could aid government agencies, and the NSA.
As these backdoors were put in place with the most recent update, there is no patch available. Users can test their wireless router for this backdoor by downloading Proof-of-Concept (PoC) exploit tool released by researcher. Eloi Vanderbeken. Once downloaded the following steps can be performed to test if your router is vulnerable.
Use ‘binwalk -e’ to extract the file system
Search for ‘ft_tool’ or grep -r ‘scfgmgr -f
Use IDA to confirm.