At the beginning of this year, we reported on the secret backdoor ‘TCP 32764’ discovered in several routers, including Linksys, Netgear, Cisco and Diamond models, that allowed an attacker to send commands to the vulnerable routers on TCP port 32764 from a command-line shell without being authenticated as the administrator.
The French reverse-engineer Eloi Vanderbeken, who discovered this backdoor, has found that although the problem has been patched in the latest firmware release, SerComm has added the same backdoor again in another way.
To verify the released patch, he recently downloaded the patched firmware version 1.1.0.55 of the Netgear DGN1000 and unpacked it using the binwalk tool. He found that the file ‘scfgmgr’, which contains the backdoor, is still present there with a new option “-l” that restricts it to a local socket for interprocess communication (a Unix domain socket), i.e. only to processes running on the same device.
On further investigation by reverse engineering the binaries, he found another mysterious tool called ‘ft_tool’ with an “-f” option that can re-activate the TCP backdoor.
In his illustrated report (shown below), he explained that ‘ft_tool’ actually opens a raw socket that listens for incoming packets, and attackers on the local network can reactivate the backdoor on TCP port 32764 by sending packets with the following specific characteristics:
- The EtherType parameter should be equal to ‘0x8888’.
- The payload should contain the MD5 hash of the value DGN1000 (45d1bb339b07a6618b2114dbc0d7783e).
- The packet type should be 0x201.
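Because the reactivation trigger is a raw Ethernet frame rather than IP traffic, it never reaches a router's firewall rules or an IP-level IDS, but its EtherType (0x8888) is not used by any normal LAN protocol, which makes it easy to spot at layer 2. The following detector is an added example written for this article, not code from Vanderbeken's report or from SerComm: it parses raw Ethernet II frames, flags anything carrying EtherType 0x8888, and escalates the finding when the payload also carries the 0x201 type word and the DGN1000 MD5 marker quoted above. The exact payload layout (a 16-bit big-endian type word followed by the marker, raw or hex-encoded) and the sample frames are constructed assumptions for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Values stated in the article (from Eloi Vanderbeken's analysis of ft_tool).
REACTIVATION_ETHERTYPE = 0x8888
REACTIVATION_PKT_TYPE = 0x201
# The article gives this hex string as the MD5 of the model string "DGN1000".
REACTIVATION_MARKER_HEX = "45d1bb339b07a6618b2114dbc0d7783e"
REACTIVATION_MARKER_RAW = bytes.fromhex(REACTIVATION_MARKER_HEX)


@dataclass
class Finding:
    src_mac: str
    dst_mac: str
    severity: str   # "high" for the full signature, "medium" for a bare 0x8888 frame
    reason: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def inspect_frame(frame: bytes) -> Optional[Finding]:
    """Classify one raw Ethernet II frame (14-byte header + payload).

    Any frame with EtherType 0x8888 is reported, since no legitimate LAN
    protocol uses it. If the payload also starts with the 0x201 type word
    and contains the DGN1000 MD5 marker (raw digest or ASCII hex), the
    frame matches the reactivation signature and is reported as high.
    The payload layout assumed here (type word, then marker) is an
    assumption for this example, not taken from the firmware.
    """
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != REACTIVATION_ETHERTYPE:
        return None
    payload = frame[14:]
    pkt_type = struct.unpack("!H", payload[:2])[0] if len(payload) >= 2 else None
    body = payload[2:]
    has_marker = (REACTIVATION_MARKER_RAW in body
                  or REACTIVATION_MARKER_HEX.encode() in body.lower())
    if pkt_type == REACTIVATION_PKT_TYPE and has_marker:
        return Finding(_mac(src), _mac(dst), "high",
                       "EtherType 0x8888 + type 0x201 + DGN1000 MD5 marker: "
                       "TCP 32764 backdoor reactivation signature")
    type_str = f"{pkt_type:#06x}" if pkt_type is not None else "n/a"
    return Finding(_mac(src), _mac(dst), "medium",
                   f"unexpected EtherType 0x8888 on the LAN (type word {type_str})")


def scan_frames(frames: List[bytes]) -> List[Finding]:
    """Run inspect_frame over a list of raw frames and keep the findings."""
    return [f for f in (inspect_frame(fr) for fr in frames) if f is not None]


def _frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame for the constructed samples below."""
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample traffic (locally administered MACs, not real devices).
BROADCAST = b"\xff" * 6
HOST_A = bytes.fromhex("020000000001")
ROUTER = bytes.fromhex("020000000002")

SAMPLE_FRAMES = [
    # benign ARP request: ignored
    _frame(BROADCAST, HOST_A, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
    # full reactivation signature with the raw 16-byte digest: high
    _frame(ROUTER, HOST_A, 0x8888, struct.pack("!H", 0x201) + REACTIVATION_MARKER_RAW),
    # full signature with the digest as ASCII hex: high
    _frame(ROUTER, HOST_A, 0x8888, struct.pack("!H", 0x201) + REACTIVATION_MARKER_HEX.encode()),
    # 0x8888 with unrelated contents: still anomalous, medium
    _frame(ROUTER, HOST_A, 0x8888, struct.pack("!H", 0x100) + b"hello"),
    # IPv4 frame that happens to contain the marker bytes: not 0x8888, ignored
    _frame(ROUTER, HOST_A, 0x0800, REACTIVATION_MARKER_RAW),
]

if __name__ == "__main__":
    for finding in scan_frames(SAMPLE_FRAMES):
        print(finding.severity, finding.src_mac, "->", finding.dst_mac, finding.reason)
```

In practice the frames would come from a capture on the LAN segment facing the router (for instance the raw bytes of each packet read back from a pcap with scapy's `rdpcap`). The medium-severity rule is deliberate: even if the payload layout differs from what is assumed here, EtherType 0x8888 alone is enough to warrant a look, because the only thing on a home network that should be speaking it is this reactivation mechanism.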