At the beginning of this year, we reported about the secret backdoor ‘TCP 32764’ discovered in severalrouters including, Linksys, Netgear, Cisco and Diamond that allowed an attacker to send commands to the vulnerable routers at TCP port 32764 from a command-line shell without being authenticated as the administrator.
The Reverse-engineer from France Eloi Vanderbeken, who discovered this backdoor has found that although the flaw has been patched in the latest firmware release, but SerComm has added the same backdoor again in another way.
To verify the released patch, recently he downloaded the patched firmware version 126.96.36.199 of Netgear DGN1000 and unpacked it using binwalk tool. He found that the file ‘scfgmgr’ which contains the backdoor is still present there with a new option “-l”, that limits it only for a local socket interprocess communication (Unix domain socket), or only for the processes running on the same device.
On further investigation via reverse engineering the binaries, he found another mysterious tool called ‘ft_tool’ with “-f”option that could re-activates the TCP backdoor.
In his illustrated report (shown below), he explained that ‘ft_tool’ actually open a raw socket, that listens incoming packages and attackers on the local network can reactivate the backdoor at TCP port 32764 by sending the following specific packets:
- EtherType parameter should be equal to ‘0x8888’.
- Payload should contains MD5 hash of the value DGN1000 (45d1bb339b07a6618b2114dbc0d7783e).
- The package type should be 0x201.
So, an attacker can reactivate the TCP 32764 backdoor in order to execute the shell commands on thevulnerable SerComm routers even after installing the patched version.
Now question rises, why the routers manufacturers are adding intentional backdoors again and again?? May be the reason behind to be a helping hand for the U.S. intelligence agency NSA.
Currently there is no patch available for newly discovered backdoor. If you want to check your wireless router for this backdoor, you can download Proof-of-Concept (PoC) exploit released by the researcherfrom here or follow the below given steps manually:
- Use 'binwalk -e' to extract the file system
- Search for 'ft_tool' or grep -r 'scfgmgr -f
- Use IDA to confirm.