Supposedly patched router backdoor was simply hidden
When security systems’ engineer and researcher Eloi Vanderbeken discovered the existence of a backdoor in his own Linksys router last Christmas, he spurred other hackers to check what other routers have the same backdoor. The results of this investigation was that 24 DSL router models from Cisco, Linksys, Netgear, and Diamond were confirmed to be vulnerable.
The backdoor has been tied with Sercomm – the firm that builds these routers for the aforementioned companies – and the specific firmware they install on the devices. A month after the discovery, those companies have pushed out a new version of the firmware that apparently closed the backdoor. Only it didn’t – it merely hid it.
In his typical playful way, Vanderbeken explained this new discovery he made during the Easter holidays. The backdoor binary is still present in the new firmware version, he says, and the backdoor on port 32764 can be “opened” again by sending a specific network packet to the router.
He proved the matter by publishing PoC exploit code – based on earlier code created by Wilmer van der Gaast – which delivers an MD5 hash of the router’s model number.
The good news is that in order for the packet to deliver this payload, it has to be a raw Ethernet packet sent either form the local LAN or the ISP, so remote, random attacks are unlikely.
Once the backdoor is opened again, it allows attackers to reset the devices’ configuration to factory settings and, consequently, to the default router administration username and password.
This new discovery definitely gives weight to his claim that the backdoor has been deliberately introduced into the firmware – a feature, not a security bug.