Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC: Port 32764 Router Backdoor is Back (or was it ever gone?) SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Port 32764 Router Backdoor is Back (or was it ever gone?)

Unlike announced a few month ago, the infamous "Port 32764" backdoor was not fully patched in new routers [1]. As a reminder, the original backdoored allowed unrestricted/unauthenticated root access to a router by connecting to port 32764. The backdoor was traced back to components manufactures by Sercomm. Sercomm delivers parts for a number of name brand routers sold under the brands of Cisco, Linksys, Netgear, Diamond and possibly others.

An analysis of an updates router by Synacktive revealed that the code implementing the backdoor is still present, and can be activated to listen again by sending a specific Ethernet packet. The packet would not be routed, so an attacker has to have access to the local network the router is connected to, which significantly lowers the probability of exploitation, but doesn't eliminate it.

The packet activating the backdoor is identified by an Ethernet type of 0x8888.

[1] http://www.synacktiv.com/ressources/TCP32764_backdoor_again.pdf

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SANS Cyber Defense Forum & Training

Johannes

3956 Posts
ISC Handler
Apr 22nd 2014

Sign Up for Free or Log In to start participating in the conversation!