tcp32764 backdoor again netgear router

Upload: sharingiscaring69

Post on 16-Oct-2015


DESCRIPTION

funny / sad story about customer digital security

TRANSCRIPT

  • 5/26/2018 TCP32764 Backdoor Again Netgear Router

    1/18

    Released 18/04/2014 by Eloi Vanderbeken - Synacktiv

    How Sercomm saved my Easter

    Another backdoor in my router: when Christmas is NOT enough!

  • 2/18

    I don't know about you, but I love Easter

    And with Sercomm, it's Easter every day!

  • 3/18

    Remember the TCP/32764 router backdoor?

    Introduced by Sercomm

    Gives root shell, no authentication

    Dump entire configuration (affected manufacturers: Cisco, Linksys, NetGear, Diamond)

    [number illegible] router models confirmed vulnerable

    [number illegible] vulnerable routers on the Internet (more info: https://github.com/elvanderb/TCP-32764)

  • 4/18

    It was patched

  • 5/18

    OK, it can't be a feature! It was a simple mistake, wasn't it?

  • 6/18

    Let's have a look

    'binwalk -e' to extract the file system

    scfgmgr (the backdoor binary) is still present

    But it's now started with a new -l option

  • 7/18

    What's this -l option?

    scfgmgr now listens on a Unix domain socket :)

  • 8/18

    Wait, what?

    There is an alternate option: -f, that makes scfgmgr listen on TCP

  • 9/18

    Let's see if it's used

  • 10/18

    What's this "ft_tool"?

    Opens a raw socket

    Waits for packets

    with ethertype == 0x8888

    coming from the Ethernet card or broadcasted (check of the destination MAC)

  • 11/18

    payload == md5("DGN1000")

  • 12/18

  • 13/18

    So you can reactivate the backdoor again if you're on the LAN

    Or if you're an Internet provider (if you're one hop away, you can craft Ethernet packets)

    It's DELIBERATE

    You can also use the 0x200 packet type to ping the router (it will respond with its MAC address) and 0x20[illegible] to change its LAN IP address
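    The frame filter that slides 10 to 13 describe, turned around into a LAN-side detection check, as an added Python example (not code from the slides and not Synacktiv's ethercomm.c). It keeps only what the slides state: ethertype 0x8888, destination equal to the router's own MAC or broadcast, and a payload starting with md5("DGN1000"). The MAC addresses, the sample frames and the function names classify_frame and scan are constructed for this example; whatever follows the 16-byte magic is just handed back as hex, since the slides do not give its layout.

```python
# Added example: flag Ethernet frames that match the ft_tool trigger described
# on slides 10-13. All addresses and frames below are constructed test data.
import hashlib
import struct

ETHERTYPE_SERCOMM = 0x8888                # ethertype ft_tool waits for (slide 10)
MAGIC = hashlib.md5(b"DGN1000").digest()  # payload prefix ft_tool checks (slide 11)
BROADCAST = b"\xff" * 6

LOCAL_MAC = bytes.fromhex("001122334455")  # constructed: the router's own card
OTHER_MAC = bytes.fromhex("66778899aabb")  # constructed: some other LAN host
SRC_MAC = bytes.fromhex("0a0b0c0d0e0f")    # constructed: sender of the samples


def classify_frame(frame: bytes, local_mac: bytes):
    """Return a finding dict if `frame` is an ft_tool-style message for
    `local_mac` (or broadcast), otherwise None."""
    if len(frame) < 14 + len(MAGIC):
        return None
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_SERCOMM:
        return None
    # ft_tool only acts on frames for its own card or broadcast (slide 10)
    if dst not in (local_mac, BROADCAST):
        return None
    payload = frame[14:]
    if payload[:16] != MAGIC:
        return None
    return {
        "src": src.hex(":"),
        "broadcast": dst == BROADCAST,
        # layout after the magic is not given on the slides: expose it raw
        "trailer_hex": payload[16:].hex(),
    }


def _frame(dst: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a raw Ethernet II frame from constructed parts."""
    return dst + SRC_MAC + struct.pack("!H", ethertype) + payload


# Constructed capture: one matching frame and three that must be ignored.
SAMPLE_FRAMES = [
    _frame(BROADCAST, ETHERTYPE_SERCOMM, MAGIC + b"\x00" * 4),  # broadcast + magic
    _frame(LOCAL_MAC, 0x0800, b"\x45" + b"\x00" * 19),          # ordinary IPv4
    _frame(OTHER_MAC, ETHERTYPE_SERCOMM, MAGIC + b"\x00" * 4),  # not addressed to us
    _frame(LOCAL_MAC, ETHERTYPE_SERCOMM, b"\x00" * 20),         # right type, wrong magic
]


def scan(frames, local_mac: bytes = LOCAL_MAC):
    """Run classify_frame over a list of raw frames and keep the hits."""
    return [hit for hit in (classify_frame(f, local_mac) for f in frames) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_FRAMES):
        print("ft_tool-style frame from", hit["src"],
              "(broadcast)" if hit["broadcast"] else "(unicast)",
              "trailer:", hit["trailer_hex"])
```

    In a real deployment the frames would come from a promiscuous capture on the LAN segment (or a pcap file), with local_mac set to the router's LAN MAC; any hit is worth an alert, because on a patched DGN1000 nothing legitimate should be sending 0x8888 frames with that prefix.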

  • 14/18

    I don't always patch backdoors

  • 15/18

    Because a root shell is not enough, you can now (among other things) make the router LEDs flash with the [illegible] message :)

  • 16/18

    But where does it come from?

    The 0x2[illegible]

  • 17/18

    How to detect it?

    For DGN1000, simply use the PoC from your LAN

    For other routers, the simplest way is to:

    Use "binwalk -e" to extract the file system

    Search for "ft_tool" or grep -r "scfgmgr -"

    Use IDA to confirm
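    The firmware-side part of the detection steps on slide 17, after binwalk -e has unpacked the image, as an added Python example (not the presenter's code). It walks the extracted tree for the two indicators the slide names, a file called ft_tool and any file containing the launch string "scfgmgr -", and reports the rest of the launch line so the analyst can see whether -l or -f is used. The sample tree it builds is a constructed stand-in for an extracted root filesystem, not real firmware; scan_extracted_fs and build_sample_tree are names chosen here.

```python
# Added example: scan an extracted firmware tree for the indicators on slide 17.
# The sample tree built below is constructed data, not a real firmware image.
import os
import tempfile

INDICATOR_NAME = "ft_tool"          # the raw-socket listener (slide 10)
INDICATOR_STRING = b"scfgmgr -"     # launch line of the backdoor binary (slide 6)


def scan_extracted_fs(root: str):
    """Return sorted (kind, relative_path, detail) tuples for every hit under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == INDICATOR_NAME:
                hits.append(("ft_tool binary", rel, ""))
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable entry (e.g. dangling symlink): skip it
            idx = data.find(INDICATOR_STRING)
            if idx != -1:
                # keep the rest of the line so the option (-l / -f) is visible
                end = data.find(b"\n", idx)
                line = data[idx:end if end != -1 else None].decode("latin-1")
                hits.append(("scfgmgr launch", rel, line))
    return sorted(hits)


def build_sample_tree(root: str):
    """Constructed stand-in for an extracted root filesystem."""
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc", "init.d"))
    with open(os.path.join(root, "bin", "ft_tool"), "wb") as fh:
        fh.write(b"\x7fELF constructed placeholder")
    with open(os.path.join(root, "bin", "scfgmgr"), "wb") as fh:
        fh.write(b"\x7fELF constructed placeholder")
    with open(os.path.join(root, "etc", "init.d", "rcS"), "wb") as fh:
        fh.write(b"#!/bin/sh\n/bin/scfgmgr -l &\n")   # constructed launch line
    with open(os.path.join(root, "etc", "hostname"), "wb") as fh:
        fh.write(b"router\n")                          # harmless file, no hit


def demo():
    """Build the constructed tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_extracted_fs(root)


if __name__ == "__main__":
    for kind, rel, detail in demo():
        print(f"{kind}: {rel} {detail}".rstrip())
```

    Point scan_extracted_fs at the directory binwalk produced (typically one named after the image with an "_extracted" suffix) instead of the temp tree; a hit on either indicator is the cue to open the binary in IDA, as the slide's last step says.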

  • 18/18

    We hope you enjoyed this presentation :)

    PoC is available here: http://synacktiv.com/ressources/ethercomm.c