Gaping admin access holes found in SoHo routers from Linksys, Netgear and others

Filed Under: Data loss, Featured, Vulnerability

For many home users, the router-slash-firewall at the edge of their network plays an vital security role.

It acts as a stockade to keep crooks on the internet at arms' length, typically blocking inbound network connections by default.

It shields the internal layout of the network from outside observers.

It probably also serves as a wireless access point for the household, and thus bears the responsibility of preventing random passers-by from jumping online and getting up to mischief at someone else's expense.

In a word, your SoHo router is important.

So it is always alarming to read about sloppy programming in the firmware that ships with this sort of device.

Late last year, we wrote about "Joel's Backdoor," a misfeature in some D-Link routers which would have been a great joke, if only the side-effects hadn't been so serious.

Joel's bug was that if you told your browser to identify itself as xmlset_roodkcab­leoj28840ybtide (read it backwards!) instead of, say, Mozilla or AppleWebKit, then many D-Link routers would skip the need for a password.

Unauthenticated administrative access, just like that!

Here's another flaw, this time in various router products from Sercomm, that shows a similarly casual attitude to security by programmers who really owe you better code.

Sercomm produces routers under its own name, as well as building hardware sold under a diverse range of brand names, including 3Com, Aruba, Belkin, Linksys, Netgear and Watchguard.

→ Note that not all Sercomm-based products use Sercomm's firmware, and not all Sercomm firmware builds include the vulnerability detailed below. The finder of the flaw has a partial list of devices and whether they are, might be, or are not affected. The only completely reliable way to tell if you have a router that is affected is to try to exploit the vulnerability on your own device. We'll repeat that last bit: on your own device.

This latest example of dodgy router firmware coding was found over the recent holiday period by Eloi Vanderbeken, a reverse engineering enthusiast from France.

Eloi's story started over Christmas, when - presumably due to having a bunch of guests full of festive online spirit - he claims to have found his home network unresponsive.

So he went to tweak a few settings in his router, only to remember that he had forgotten the administrative password.

What better way to spend a vacation, then, that trying to find a way into your own router without the password?

With a bit of prodding, and a spot of reverse engineering applied to a downoaded copy of the router's firmware, Eloi quickly found just the hole he needed: an unauthenticated access vulnerability that he could use to list, edit or reset his router's configuration.

What's that service?

Eloi spotted a TCP service listening on network port 32764 on the router's internal (wireless) interface.

Poking a stick at it caused it to reply like this:

By reversing, he realised that the reply was three 32-bit values, or DWORDS:

  1. ScMM was a magic number, probably just short for Sercomm.
  2. FFFFFFFF (-1 when treated as a signed integer) signalled an error.
  3. 00000000 was the length of the rest of the reply, zero because the error meant there was nothing to report.

Further reversing showed that a similar packet format was used when making requests, with the middle DWORD containing a number denoting the message type, and the third DWORD containing the length of the data accompanying the message, if any.

Eloi identified thirteen different message types, including two that didn't require any special data, but were each sufficient to give you access without knowing the password.

Message Type 1 could be triggered by sending a packet like this:

The reply came back with a list of configuration strings from the router's non-volatile memory (NVRAM), like this:

That's the crown jewels, right there!

Anyone you let onto your home network, even as a temporary guest, can easily find out how to login to your router, and to your ISP. (The PPPOE username and password are the credentials your router uses when it connects to your ISP after a dropout or a reboot.)

Ironically, when Eloi was testing his exploit code, he iterated through all 13 message types in order.

After he'd finished, he found he'd been kicked offline.

That turned out to be Message Type 11, which resets the router to its factory defaults.

Of course, that means the router no longer had the right pppoe_username and pppoe_password settings, so it couldn't get back onto the internet.

But with the router administration username and password set to the defaults, Eloi had nevertheless achieved his desired result: unauthenticated administrative access.

What to do?

As mentioned above, there is a partial list of affected and unaffected devices on Eloi Vanderbeken's Github page.

If you are affected, you're going to need a firmware update, which probably won't come from Sercomm, but rather from the vendor whose brand is on the router.

In the meantime, be careful whom you let on your wireless network; choose a strong Wi-Fi password; and make sure that you don't have the router's web adminstration service activated on the external interface, which would let any crook wander in at will.

If you're technically inclined, or have a friend or family member who is and can help you, you might also want to see if your router can run an open source firmware such as OpenWRT or DD-WRT.

Those are Linux-based firmware builds for low-end routers that are much more modular than most of the firmware downloads from router vendors, meaning that you can leave out the bits you don't need.

They also receive regular security patches, thanks to the care and attention of the developer communities that have sprung up around them.

And if you are ready to go a bit more high-end than a SoHo router, you might want to grab a copy of Sophos's award-winning UTM product, which you can run entirely for free at home.

Click to go to download page...

There's no catch (though you need to register with an email address so we can send you a licence code), and included in the free licence is Sophos Anti-Virus protection for up to 12 Windows PCs, managed right from the UTM.

In you live in a shared house, or you have children to look out for online, this could be just the product you need.

→ The Sophos UTM offers a full-blown firewall, spam and web filtering (including anti-virus scanning), a VPN, and much more. That means it can't be installed on a low-end router. You will need a spare computer with a 64-bit Intel CPU, such as a retired laptop.

Further advice and information

You can mitigate the risk of this router hole by ensuring you're doing Wi-Fi security properly, so why not review your own Wi-fi setup today?

In particular, use WPA2 with a long and hard-to-guess passphrase (you only need to enter it once on each device), and don't rely on security short-cuts like network name hiding or MAC address filtering.

These short-cuts don't give you the security you might think, and here's why:

Image of floating Wi-Fi logo courtesy of Shutterstock.

, , , , , , ,

You might like

11 Responses to Gaping admin access holes found in SoHo routers from Linksys, Netgear and others

  1. The Sophos UTM Home edition is great. btw it works fine on a 32 bit computer.(Pentium 4)

  2. Jan Doggen · 294 days ago

    UTM='Unified Threat Management'? Even your own page linked to does not explain that.

  3. Steve · 294 days ago

    Sloppy programming for sure, that backdoor access should not have been found so easily :) The NSA will have to pay, or is it free by secret court order, for another backdoor to be included now ;)

  4. Campbell Milton · 294 days ago

    Can Port 32764 be blocked from external incoming traffic? Or more importantly, should it be ? Seems like this is a reported vulnerability on the threat and security sites today.

    • Paul Ducklin · 294 days ago

      Most (or at least many) routers, by default, block all inbound TCP connections, and in any case don't listen for admin connections on the external interface. So you should be OK.

      If in doubt, try blocking 32764 (though this is a rather specific "fix") and see what happens. Did anything you need from outside stop working? No? Thought not...so you can leave the block in place:-)

  5. Andrew Ludgate · 294 days ago

    One issue as I see it is drive-by malware attempting to connect back to your router via this port and sending the credentials found back to the attacker for future use. If admin access is allowed remotely, they can just log in directly. If it's not, they can use a remote access tool to log in to your router internally and open whatever channels they want to the outside world.

    For general automated malware, this isn't too likely, but this does provide a way that such router attacks could be automated, which means it becomes a problem.

    • Paul Ducklin · 293 days ago

      Indeed. Of course, if you are infected by malware, all (or at least many) security bets are off already - the malware could simply keylog your router password next time you logged in.

      This hole, however, makes it easy and instantaneous for the Bad Guys to grab (and change) your entire router config.

  6. Steve Sant · 293 days ago

    http://forum1.netgear.com/showthread.php?p=270354

    You can see this was always a disaster waiting to happen!

  7. WPA2 with AES only (no TKIP) and a long password is important and there's no great need for a hidden SSID or mac filtering. But you really, really need to disable WPS. Wardrivers are less likely to exploit it, but given enough time (about 48 hours at the longest), it doesn't matter how good your password is, WPS will cough it up...

  8. By the way, WatchGuard devices are in no way vulnerable or susceptible to this. We use our own firmware. People who would like to test before mentioning other products in the same post as those with a backdoor are welcome to nmap our devices and see for themselves.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog