The SoHo router backdoor that was "fixed" by hiding it behind another backdoor

library
crime | hacking | security

Over the Christmas break at the end of 2013, French hacker Eloi Vanderbeken decided to see if he could break into his own Netgear router.

He wanted to tweak some of the performance settings, but realised he’d forgotten the password, and hacking his way in seemed more fun that doing a hardware reset and starting from scratch.

Long story short, Vanderbeken found his way in.

Turns out there was a service listening on port 32764 (mercifully only on the internal interface by default, not on the internet side!) that could be instructed, without authentication, to dump the router’s configution.

Including the admin username and password.

All he had to do was to send the text ScMM (short for SerComm, the original equipment manufacturer), followed by a command number (1 to dump the configuration), followed by the number zero (meaning “I have no further data to send”).

Even if a backdoor like this is only accessible to users who are already on your network, it’s still a giant security hole.

It means, for example, that any duplicitous guests to whom you grant internet access can surreptitiously get into your router and mess with the settings, including opening up the backdoor on the internet interface so they can get back in later.

The vendor therefore came out with a patch, closing the listening port and with it the backdoor.

That got Mr Vanderbreken thinking, “How serious was the patch?”

After all, if the original purpose of the backdoor was to make it easier for the vendor’s own management software to interact with the router, a patch that closed the backdoor altogether would necessitate wholesale changes to the management software, too.

Another long story short, Vanderbeken found that the backdoor was still there [PDF], just turned off by default.

He discovered that you could re-renable it by sending the router a so-called “magic ethernet packet.”

→ If you’ve ever used a feature called Wake-on-LAN, you’ve used a “magic packet”: it’s an ethernet frame that acts as a signal, rather than carrying data, telling a network card to power up the computer in which it’s installed. Wake-on-LAN can be very handy. You can leave your computers turned off at night to save power, and rely on the network card alone to let you activate the computer remotely if required, for example to install security updates.

Greatly simplified, Ethernet frames start with the six-byte MAC address (network card ID) of the destination device; the MAC address of the source device; and a two-byte type EtherType identifier.

Example EtherTypes are 0800 for an IPv4 packet, 86DD for an IPv6 packet, 0806 for ARP (address resolution protocol), and 0842 for Wake-on-LAN.

Sercomm routers, or at least Vanderbeken’s Sercomm router, also look out for 8888 “magic packets”, which act as another backdoor.

Vanderbeken found that if he sent his router an 8888-type packet containing the number 0x0201 (effectively a command identifier) and the MD5 checksum of the string DGN1000, corresponding to his router’s model number, then…

…the original backdoor listening on port 32764 was reactivated!

Just in case you don’t know if there are any vulnerable routers on the current LAN segment, Vanderbeken also found that sending a broadcast 8888 packet with command number 0x0200 would provoke the router to reply, allowing a would-be attacker on a LAN to find out automatically if there are any exploitable routers in range.

What to do?

Short of decompiling your router’s firmware, like Vanderbeken did, it’s hard to tell whether your vendor has left behind a security hole of this sort.

Even if you think your router has this very same “magic packet” hole, you can never be sure exactly what model identifier string is used in the firmware to generate the MD5 checksum used to validate the magic packets.

So we’ll simply repeat the advice we gave last time.

If you’re technically inclined, or have a friend or family member who is and can help you, you might want to see if your router can run an open source firmware such as OpenWRT or DD-WRT.

Those are Linux-based firmware builds for low-end routers that are much more modular than most of the firmware downloads from router vendors, meaning that you can leave out the bits you don’t need.

They also receive regular security patches, thanks to the care and attention of the developer communities that have sprung up around them.

And if you are ready to go a bit more high-end than a SoHo router, you might want to grab a copy of Sophos’s award-winning UTM product, which you can run entirely for free at home.

Follow @duckblog