Supposedly patched router backdoor was simply hidden
Posted on 22 April 2014.
When security systems engineer and researcher Eloi Vanderbeken discovered the existence of a backdoor in his own Linksys router last Christmas, he spurred other hackers to check which other routers had the same backdoor. The result of this investigation was that 24 DSL router models from Cisco, Linksys, Netgear, and Diamond were confirmed to be vulnerable.

The backdoor has been tied to Sercomm - the firm that builds these routers for the aforementioned companies - and the specific firmware it installs on the devices. A month after the discovery, those companies pushed out a new version of the firmware that apparently closed the backdoor. Only it didn't - it merely hid it.

In his typical playful way, Vanderbeken explained this new discovery he made during the Easter holidays. The backdoor binary is still present in the new firmware version, he says, and the backdoor on port 32764 can be "opened" again by sending a specific network packet to the router.

He proved the matter by publishing PoC exploit code - based on earlier code created by Wilmer van der Gaast - which delivers an MD5 hash of the router's model number.

The good news is that in order for the packet to deliver this payload, it has to be a raw Ethernet packet sent either from the local LAN or from the ISP, so remote, random attacks are unlikely.

Once the backdoor is opened again, it allows attackers to reset the devices' configuration to factory settings and, consequently, to the default router administration username and password.

This new discovery definitely gives weight to his claim that the backdoor has been deliberately introduced into the firmware - a feature, not a security bug.
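A practical check that follows from the article: since the "patched" firmware only closes the port 32764 listener until it is reopened, an administrator can at least confirm whether their own gateway is currently answering on that port. The script below is an added example, not code from the article or from Vanderbeken's PoC; it probes TCP/32764 and nothing else. The gateway address 192.168.1.1 is an assumption (use your own router's LAN address), and the `fake_connector` helper is a constructed stand-in so the logic can be run offline.

```python
"""Probe a router for a listener on TCP/32764, the port the article names for
the Sercomm backdoor.  Added example; not part of the original article."""
import socket
from typing import Callable, Dict, Iterable

BACKDOOR_PORT = 32764  # port named in the article


def port_is_listening(host: str, port: int = BACKDOOR_PORT, timeout: float = 2.0,
                      connect: Callable = socket.create_connection) -> bool:
    """Return True if a TCP connection to host:port is accepted.

    ``connect`` defaults to socket.create_connection and is injectable so the
    check can be exercised without a network.  Refusals, timeouts and
    unreachable hosts all surface as OSError subclasses and count as closed.
    """
    try:
        sock = connect((host, port), timeout)
    except OSError:
        return False
    sock.close()
    return True


def scan_gateways(hosts: Iterable[str], port: int = BACKDOOR_PORT,
                  connect: Callable = socket.create_connection) -> Dict[str, bool]:
    """Probe each candidate gateway address; map host -> listening?"""
    return {host: port_is_listening(host, port, connect=connect) for host in hosts}


def fake_connector(open_hosts: Iterable[str]) -> Callable:
    """Constructed stand-in for socket.create_connection used for offline runs:
    'accepts' only connections to hosts in open_hosts, refuses everything else."""
    open_set = set(open_hosts)

    class _Closed:
        def close(self) -> None:
            pass

    def _connect(address, timeout=None):
        host, _port = address
        if host in open_set:
            return _Closed()
        raise ConnectionRefusedError(f"constructed refusal for {host}")

    return _connect


if __name__ == "__main__":
    # Offline demonstration with the constructed connector.
    demo = scan_gateways(["192.0.2.1", "192.0.2.2"],
                         connect=fake_connector(["192.0.2.2"]))
    for host, listening in demo.items():
        print(f"{host}: {'LISTENING on 32764' if listening else 'closed'}")

    # Real probe of the assumed gateway address; replace with your router's IP.
    gateway = "192.168.1.1"
    print(f"{gateway}: {'LISTENING on 32764' if port_is_listening(gateway) else 'closed'}")
```

A closed result means only that the listener is not active at the moment of the probe. The article's point is precisely that the binary stays in the firmware and can be brought back by a knock packet from the LAN or ISP side, so "closed" is not evidence that the backdoor is gone; the only durable fix is firmware that removes the binary.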
