A backdoor has been found in Linksys and Netgear Wi-Fi DSL modems that grants admin access to the attacker along with the ability to reset the router’s configuration. This backdoor was found by security researcher “Eloi Vanderbeken”. The following models are the ones to be affected:
– Linksys WAG200G
– Netgear DM111Pv2
– Linksys WAG320N
– Linksys WAG54G2
– DGN1000 Netgear N150
– Diamond DSL642WLG / SerComm IP806Gx v2 TI
The backdoor allows access to guests on a local network but not from remote networks. Still the backdoor can be used to control a wireless access point allowing an attacker direct control over local network resources. The researcher posted his findings in a PowerPoint presentation along with the code to Github. While changing the settings of his own Linksys WAG200G wireless DSL, he realized that the router was responding to messages over an arbitrary TCP port number: 32764. Then, he tried to reverse engineer Linksys firmware code and found that he was able to reset the router’s configuration settings without getting authenticated as an administrator. Further, he noticed a few commands that could be run against the router which enabled him to write a script that could grant an attacker admin access and reset the password.
The python based backdoor script can be downloaded from the following link:
https://github.com/elvanderb/TCP-32764
The presentation he created can be grasped here:
https://github.com/elvanderb/TCP-32764/blob/master/backdoor_description_for_those_who_don-t_like_pptx.pdf
A little later, it was revealed on the web that other models of Linksys and Netgear as well as those from SerComm might be prone to the same attack.