TCP 32764 Backdoor

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
TCP 32764 Backdoor
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
by Jason
Jan. 24, 2014
AKA Rooting Routers for Fun
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Firstly, I apologize, this is a little dated, but I think it is extremely interesting and worth sharing about. Unlike most other security related articles that just document an attack and tell the story in the past tense -this is an active, vulnerable, exploitiable backdoor.

About a month ago, a backdoor was discovered[1] on a Linksys WAG200G router. There is a process that listens in on port 32764, and it allows free access to many hosts on the internet. No patches are available, as this is an older router that is out of maintainence. The backdoor doesn't have any kind of authentication and allows some very dangerous commands[2], like giving access to a remote root shell, dump wifi, PPPoE creditials, and file copy! It's unclear as to what caused this backdoor, only that the program is in thefirmware itself. This vulerability is interesting because it's currently active and people are just figuring out how to systematically attack it[4].

This important because it is a huge security concern! We wouldn't want the whole internet to root our routers! It also makes one wonder whether they purposely put in the backdoor to conviently monitor our network traffic. Maybe it's the NSA. Maybe FBI. Reminds you of the incident where the FBI put a backdoor in OpenBSD[6] doesn't it?

What's interesting is that it's not just the WAG200G that is affected.Numerous other devices are listening on the internet, ready to be exploited too.The backdoor is confirmed to be present in 29 other routers[3], mostly Cisco/Linksys and Netgear. What's dangerous is that all these routers are active on the internet! There are about 1 million IPv4s routers with this vulerability - according to a TCP 32764 port scan[2].

Clearly, this will have a heavy impact towards consumers. How could large companies like Cisco/Linksys, and Netgear have such large vulurabilities? Since there are about 30 router models vulerable (with more being discovered), what are the chances that this is a random bug? For consumers, there'll be worry and decreased expectation of security and privacy from the trusted corporations.

It's unclear as to how this vulerability happened, in almost 30 differentrouters by different companies. We as consumers wouldn't want this to happen,but it's unknown as to how similar problems be might prevented in the future because the root cause of the vulurability is unknow.
Sources
=======
[1] Eloi Vanderbeken (discoverer) exploit PDF slide.
December 30, 2013
https://github.com/elvanderb/TCP-32764/blob/master/backdoor_description.pptx

[2] TCP backdoor 32764 or how we could patch the Internet (or part of it ;))
January 22, 2014
http://blog.quarkslab.com/tcp-backdoor-32764-or-how-we-could-patch-the-internet-or-part-of-it.html

[3] (Same as [1] but different link)
https://github.com/elvanderb/TCP-32764/README.md

[4] Automating the TCP-32764 netgear exploit - The Unsuspecting Bit
January 23, 2014
http://unsuspectingbit.com/howto-searching-internet-tcp-32764-netgear-exploit/

[5] Linksys Backdoor Port 32764 Probes On The Rise | Threatpost - English - Global - threatpost.com
January 3, 2014
http://threatpost.com/probes-against-linksys-backdoor-port-surging/103410

[6] An FBI backdoor in OpenBSD?
December 15, 2010
http://blogs.csoonline.com/1296/an_fbi_backdoor_in_openbsd

Leave a Reply

Your email address will not be published. Required fields are marked *