Linksys WAG200G Router Has Backdoor, Other Routers May Also Be Compromised (UPDATED)

A backdoor has been confirmed in several Linksys and Netgear wireless router/DSL modem models. The risk is moderate because the backdoor requires the attacker to be connected to the LAN ports on the vulnerable systems.

The backdoor listens on TCP port 32764. Eloi Vanderbeken discovered it after noticing that the router responded on TCP 32764. Vanderbeken reverse engineered the device firmware and found a simple interface that allowed him to interact with the device administratively without authentication. The backdoor has been confirmed in the following devices:

Backdoor Listening on the Internet Confirmed In:

  • Netgear DG834B V5.01.14
  • Cisco WAP4410N-E V2.0.1.0, V2.0.3.3, V2.0.4.2, V2.0.6.1
  • Linksys WAG120N
  • Netgear DGN2000 V1.1.1, V1.1.11.0, V1.3.10.0, V1.3.11.0, V1.3.12.0
  • OpenWAG200

LAN Backdoor Confirmed In:

  • Linksys WAG200G
  • Netgear DM111Pv2
  • Linksys WAG320N
  • Linksys WAG54G2
  • Linksys WAG54GS
  • Linksys WRT350N V2 2.00.19
  • Linksys WRT300N v2.00.17
  • DGN1000[B] Netgear N150
  • NETGEAR DGN1000
  • Netgear DG834G V2 firmware 4.01.40
  • Diamond DSL642WLG / SerComm IP806Gx v2 TI
  • Linksys WAG120N
  • Linksys WAG160N
  • Cisco WAP4410N
  • Cisco RVS4000 V2.0.3.2
  • Cisco WRVS4400N
  • Linksys WAG160n
  • LevelOne WBR3460B
  • Netgear DGN3500
  • NetGear DG834 v3
  • Netgear DG834[GB, N] version < 5
  • Netgear DGN1000
  • Netgear DGN1000(B) N150
  • Netgear DGN2000B
  • Netgear DGN3500
  • Netgear DGN3300
  • Netgear DGN3300Bv2 V 2.1.00.53, V1.00.53GR
  • Linksys WRVS4400N (Firmware Version:V2.0.2.1)

Backdoor May Be Present In:

  • Netgear DG934 
  • Netgear WPNT834
  • Netgear WG602, WGR614 (Not working in v3), DGN2000
  • Linksys WAG160N
  • all SerComm manufactured devices

The list of routers is current as of 3 Jan 2014. The list is expected to grow as more are found vulnerable.
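
Since the list is still growing, a device you administer can be checked directly instead of by model number. The following is an added example, not code from the original post or from Vanderbeken's repository: it reports whether each device accepts a connection on TCP 32764, separating LAN-side from Internet-side results as the lists above do. The addresses are constructed placeholders, and only a TCP handshake is performed; nothing is sent to the service.

```python
import socket

BACKDOOR_PORT = 32764  # TCP port named in the advisory


def probe(host, port=BACKDOOR_PORT, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'closed' or 'no-response'.

    Only the handshake is attempted; nothing is sent to the service.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"        # host answered with a reset: nothing listening
    except OSError:
        return "no-response"   # timeout, filtered or unreachable
    finally:
        sock.close()


def audit(devices, port=BACKDOOR_PORT, timeout=2.0):
    """devices: iterable of (address, side), side being 'lan' or 'wan'.

    Returns one (address, side, state, finding) tuple per device.
    """
    rows = []
    for address, side in devices:
        state = probe(address, port, timeout)
        if state == "open":
            finding = "listening on %s side" % side.upper()
        elif state == "closed":
            finding = "not listening"
        else:
            finding = "no answer (filtered or unreachable)"
        rows.append((address, side, state, finding))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory: replace with devices you administer.
    inventory = [
        ("192.168.1.1", "lan"),    # gateway address as seen from the LAN
        ("203.0.113.10", "wan"),   # public address, probed from outside
    ]
    for row in audit(inventory):
        print("%-15s %-3s %-11s %s" % row)
```

Run the WAN-side check from a host outside the network; a probe of the public address made from inside the LAN may be answered by the LAN interface and give a misleading result.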

You can find an update to Vanderbeken’s work on GitHub at: https://github.com/elvanderb/TCP-32764

or cached copies here on the Protocol46 server:

  • backdoorolol.py: the script used on the backdoor
  • backdoor_description_for_those_who_don-t_like_pptx: PDF of Vanderbeken’s notes

Post by Protocol 46