Consumer Broadband ISP Routers Exposed via New Backdoor Exploit

Broadband ISP customers that own some models of Cisco, Netgear, Linksys or certain other routers could be vulnerable to a new backdoor exploit that allows a hacker to remotely input their own admin password and possibly gain full access to your network.

The hack, which has been published by Eloi Vanderbeken on Github (note: more details via Hacker News), is increasingly believed to be common among devices that were physically manufactured, on behalf of the big router firms, by Sercomm.

Vanderbeken noted that many of these devices, such as for example Netgear’s DGN2000 and DG834B, appeared to be listening on an undocumented service via TCP port 32764 (note: not all models will listen via this port over the Internet / WAN but some do).

A little reverse engineering later and Vanderbeken found that he could send commands to the router via this port and without needing an administrator’s password. At this stage his access was still limited but it didn’t take him long to figure out how to reset the admin password for full access.

Backdoor confirmed in (LISTENING ON THE INTERNET):

• Cisco WAP4410N-E 2.0.1.0, 2.0.3.3, 2.0.4.2, 2.0.6.1 (issue 44)
• Linksys WAG120N (@p_w999)
• Netgear DG834B V5.01.14 (@domainzero)
• Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
• OpenWAG200 maybe a little bit TOO open 😉 (issue 49)

Backdoor confirmed in:

• Cisco RVS4000 fwv 2.0.3.2 (issue 57)
• Cisco WAP4410N (issue 11)
• Cisco WRVS4400N
• Cisco WRVS4400N (issue 36)
• Diamond DSL642WLG / SerComm IP806Gx v2 TI (https://news.ycombinator.com/item?id=6998682)
• LevelOne WBR3460B (http://www.securityfocus.com/archive/101/507219/30/0/threaded)
• Linksys RVS4000 Firmware V1.3.3.5 (issue 55)
• Linksys WAG120N (issue 58)
• Linksys WAG160n v1 and v2 (@xxchinasaurxx @saltspork)
• Linksys WAG200G
• Linksys WAG320N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
• Linksys WAG54G2 (@_xistence)
• Linksys WAG54GS (@henkka7)
• Linksys WRT350N v2 fw 2.00.19 (issue 39)
• Linksys WRT300N fw 2.00.17 (issue 34)
• Netgear DG834[∅, GB, N, PN, GT] version < 5 (issue 19 & issue 25 & issue 62 & jd & Burn2 Dev)
• Netgear DGN1000 (don’t know if there is a difference with the others N150 ones… issue 27)
• Netgear DGN1000[B] N150 (issue 3)
• Netgear DGN2000B (issue 26)
• Netgear DGN3500 (issue 13)
• Netgear DGND3300 (issue 56)
• Netgear DGND3300Bv2 fwv 2.1.00.53_1.00.53GR (issue 59)
• Netgear DM111Pv2 (@eguaj)
• Netgear JNR3210 (issue 37)

The exploit is also believed to be present in a number of other routers, although we’ve only listed the fully confirmed ones above. On some models the simplest solution to this exploit is to create a new Firewall Rule in your router that blocks access to TCP 32764, although it’s noted that this didn’t appear to work on the Cisco RVS4000 and others may share a similar problem.