Story 3J8 Netgear Hides Router Backdoor Instead of Fixing It

Netgear Hides Router Backdoor Instead of Fixing It

by
in security on (#3J8)
story imageA very recent firmware analysis from the reverse engineer Eloi Vanderbeken shows that NETGEAR didn't fix the backdoor on port 32764 but instead implemented a knocking feature that is now required to unlock the service.

Summary from the slides: The knocking feature is initiated when a "packet type == 0x201" arrived at "ft_tool" that listens to the Ethernet packets. It only works with EtherType 0x8888 and the payload has to be "45d1bb339b07a6618b2114dbc0d7783e" which is the MD5-hash of the model number DGN1000. If such a packet arrives, the backdoor service /usr/bin/scfgmgr f- is launched.

Ars Technica reports :
The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware and not just a mistake made in coding. "It's DELIBERATE," Vanderbecken asserted in his presentation.

(Cross posted on Soylentnews)
Reply 29 comments

Okay (Score: 2, Interesting)

by Anonymous Coward on 2014-04-23 14:41 (#15D)

this is indeed deliberate, maybe on NSA order? As a consequence Netgear, Cisco, Linksys and the other US network gear suppliers should be avoided as home and in enterprise equipment from now on

Re: Okay (Score: 1)

by songofthepogo@pipedot.org on 2014-04-23 15:26 (#15E)

Time to look into open-source firmware. Replacing oem with, eg, dd-wrt would mitigate this sort of thing, wouldn't it? I'm honestly asking.

Re: Okay (Score: 3, Informative)

by omoc@pipedot.org on 2014-04-23 17:00 (#15F)

Well, sadly most Linux distributions tend to *not activate* some exploit mitigation. I don't know about the Linux router firmwares but last time I checked they even used some old kernel versions that didn't even had some of these mitigations. Personally I use an OpenBSD on an old ALIX board for a long time. Too bad pfsense is based on FreeBSD instead of OpenBSD, otherwise it would be an ideal candidate.

For hardware, I would recommend either the ALIX boards http://www.pcengines.ch/ (there is a new APU model) or Mikrotik routerboards http://routerboard.com/

Re: Okay (Score: 2, Interesting)

by fnj@pipedot.org on 2014-04-25 14:46 (#15X)

Nothing at all against OpenBSD, it is great, but do you have something of substance against FreeBSD? Why specifically do you think basing pfsense on FreeBSD is a negative? I may be reading too much into your comment.

Re: Okay (Score: 2, Interesting)

by omoc@pipedot.org on 2014-04-25 18:07 (#168)

FreeBSD just started to implement mitigations that have been standard in OpenBSD for years. For example, ASLR or SSP, last time I checked was 2013 and FreeBSD still lacked these very simple mitigations that are even available in Windows by now. This is just utterly ridiculous.

They're just sloppy in terms of security and they also accept horrible patches just because there is some performance benefit. OpenBSD plays on an entirely different level and is my only choice for infrastructure as critical as routers.

Re: Okay (Score: 1, Interesting)

by Anonymous Coward on 2014-04-26 11:05 (#16D)

Well, most of those mitigations don't even make sense on a router box (no local user activity, a subset of daemons, no http-like stuff opened to the public, just plain old routing and NAT). And FreeBSD has a couple of other security features that - while not that relevant to routers - are absent in OpenBSD. This includes jails (and no, systrace doesn't cut it), ACL support, MAC, signed packages and port auditing. Even NetBSD's veriexec feature is still missing on OpenBSD. ASLR and SSP are nice, and they mitigate real threats, but this is not 1998 anymore. And the reason these techniques exist is because most kernel developers haven't bothered reading the actual x86 processor manual and implement a per-process, multi-segment architecture.

And yeah, I used OpenBSD for more than 10 years. I'd still pick it as a solution for VPN endpoints or small-time routing.

Re: Okay (Score: 1, Interesting)

by Anonymous Coward on 2014-04-26 11:15 (#16E)

Yeah, Alix boards are nice if you're handling traffic from 2000. Most of those boards cannot route my home internet connection traffic, let alone serious workloads. And serious workloads often need other stuff like proper link aggregation, and multiple default routes (all of these exist in OpenBSD now, but several years after FreeBSD). And for "serious workloads", pf was a limiting factor until recently, because of lack of SMP support.

I have an Alix board I never used for anything. An atom board with 2xGigE has >10x the same routing capacity, and its not much more expensive than an Alix. It will draw more power, sure, and it takes more space. But at least it can handle my home connection.

Re: Okay (Score: 1, Interesting)

by Anonymous Coward on 2014-04-24 01:47 (#15J)

http://orp1.com/
Try the ORP1

I WANT TO PULL IT OUT! (Score: -1, Offtopic)

by Anonymous Coward on 2014-04-24 10:55 (#15M)

Don't like to think too much, it makes me think too much,
It keeps my mind on my mind
Don't wanna see too much, it makes me see to much
Sometimes I'd rather be blind

All the things that they're saying & doing
When they pass me by just fills me up with noise
It overloads me
I wanna disconnect myself
Pull my brain stem out and unplug myself
I want nothing right now, I want to pull it out

Chorus:
Yeah, I want to pull it out, yeah
I wanna break it all down, hey, I wanna pull it out
Yeah, yeah, disconnect myself, disconnect myself
I wanna see it go down, yeah, disconnect myself

A thousand miles an hour going nowhere fast
Clinging to the details of your past
Talking 'bout your damages and your wasting my time
Wanna be the king of pain, stand in line
All the numbers and the colours and the facts
Backed by the rumours and the figures and the stats
I think I'm gonna download my mind

Chorus

Too damn bad if at the end of the day the only thoughts
In your brain are all the things that they say, what a waste
Too damn bad if at the end of the line you got no idea
What's on your own mind, you got no one to blame but yourself
Too much to know, too much to see
It might mean something to you but it's nothing to me
Its just another ad for someone's version of how they think it should be

I wanna disconnect myself, pull my brain stem out, unplug myself
I want nothing right now, I want to pull it out

Pipedot Needs People! (Score: 1, Insightful)

by Anonymous Coward on 2014-04-24 14:25 (#15N)

It's such a shame that Soylent (horrible name) has so much more activity than Pipedot.

This site has better editorial control, a much better appearance, better article selection, and even seems to load faster.

I don't know if a Pipedot/Soylent merge is one of the choices in the Soylent name poll, but it damn well should be.

From my point of view the only big mistake Pipedot initially made was banning anonymous posters, but you seem to have fixed that.

In any case, no matter what happens, thank you for making such a strong effort!

Re: Pipedot Needs People! (Score: 0)

by Anonymous Coward on 2014-04-24 21:37 (#15R)

Damn, even the URLs are better here! Instead of descriptive article names, Soylent's got datestamped numeric article numbers. Like 1995 all over again!

Re: Pipedot Needs People! (Score: 0)

by Anonymous Coward on 2014-04-24 22:27 (#15S)

A big problem I've noticed is Pipedot has very few articles posted. Start posting more articles and there will be more to discuss. With more to discuss, more folks will start coming, as I agree that this site is technically better than the other ones. Unfortunately, that technical "betterness" means nothing if you don't have the content.

Re: Pipedot Needs People! (Score: 3, Insightful)

by omoc@pipedot.org on 2014-04-25 07:07 (#15V)

More articles yes, but more importantly more comments. A lot of articles without comments won't make it better, you go to /. for the discussion mainly. Just go out and advertise this site.

The biggest thing missing here feature wise are notifications on a reply IMO.

Re: Pipedot Needs People! (Score: 0)

by Anonymous Coward on 2014-04-25 14:27 (#15W)

Damn, even the threaded display is worlds better than Soylent. I can see all these replies so cleanly.

Perhaps one solution is to be unabashed about partially copying/mirroring good links from other sites, whether or not they are individually submitted by Pipedot members. People at Soylent are bitching at people who complain about old articles -- "why didn't YOU submit it then, big shot" -- but there's nothing wrong (ethically or legally) with using some links at another aggregator as a basis for discussion here. You can separate it into a "The Slashdot Feed" category if you must, though I wouldn't recommend that...

The idea is to use the same articles (everything at Slash/Soy/etc. is pointing to 3rd and 4th party sites anyway) as a starting point for discussion on a site that people DO enjoy using...

(Loving these text captchas by the way.)

Re: Pipedot Needs People! (Score: 2, Insightful)

by dotdotdot@pipedot.org on 2014-04-25 16:49 (#160)

This. Notifications are essential. We can't be expected to go back and look at every single post to see if someone responded.

Re: Pipedot Needs People! (Score: 1, Insightful)

by Anonymous Coward on 2014-04-25 01:42 (#15T)

I agree. This site blows Soylent out of the water.

Re: Pipedot Needs People! (Score: 1)

by bryonak@pipedot.org on 2014-04-25 15:15 (#15Y)

I agree, SoylentNews is a terrible name and hopefully gets replaced in the name vote, but Pipedot isn't that great of a name either. A good deal of the rename suggestions at the vote would be better than both current names.

IMO the biggest omission is the lack of a roadmap or clear declaration of intent here. Is development even still ongoing? (assumably it is, but too invisible for my taste) When will we be able to contribute? What's the 10k+ users support plan? What further features are planned?
We know that there will be likely no merging between pipedot and SN, but what's the outlook? I understand if Bryan has other priorities (job, family, ...), and it's perfectly fine if things go slowly, but to me all of this seems to be hanging in limbo too much...

Apart from that, yeah, it's a technically excellent site, some details are still improvable (for example this response I'm typing right now, would be nice if it were inline/ajaxed like on Slashdot), but from a users perspective (potentially) superior to slashcode and it would be my first-go-to place if there were more submissions (I'll bring the comments).

Re: Pipedot Needs People! (Score: 2, Informative)

by Anonymous Coward on 2014-04-25 17:53 (#166)

Yes, development seems to be ongoing. There's a status log at http://pipedot.org/topic/pipedot

Re: Pipedot Needs People! (Score: 0)

by Anonymous Coward on 2014-04-28 10:10 (#17E)

Development is definitely ongoing, Bryan(1) is doing a great job of releasing weekly updates.

Re: Pipedot Needs People! (Score: 1, Interesting)

by Anonymous Coward on 2014-04-25 21:12 (#16B)

Doing sequential refreshes on the respective home pages today, on my ANCIENT laptop on a middling cable modem connection.

Pipedot: Under 1 second, every time.

Soylent: 4.5 to 5 seconds, every time.

And I understand they have all kinds of caching enabled (Varnish servers, etc.) That's really pretty bad. (And let's not be silly and blame it on volume; both are hosted at the same place, they don't have that much traffic, and as noted they have an entire front end caching infrastructure in place.)

pfft (Score: 0)

by Anonymous Coward on 2014-04-25 16:21 (#15Z)

I'm not seeing a reason why SoylentNews is being lambasted when the story title is:

"Netgear Hides Router Backdoor Instead of Fixing It"

Grow up.

Re: pfft (Score: 1)

by dotdotdot@pipedot.org on 2014-04-25 16:55 (#161)

The bottom of the summary says ...

(Cross posted on Soylentnews)


So the comments are relevant and on-topic, but I don't see SN being lambasted. SN simply falls short on many comparative elements.

Re: pfft (Score: 0)

by Anonymous Coward on 2014-04-25 17:28 (#163)

"So the comments are relevant and on-topic, but I don't see SN being lambasted. SN simply falls short on many comparative elements."

i slap my ballsack in protest.

Re: pfft (Score: 2, Funny)

by dotdotdot@pipedot.org on 2014-04-25 17:34 (#164)

i slap my ballsack in protest.

Duly noted.

Re: pfft (Score: 0)

by Anonymous Coward on 2014-04-25 17:50 (#165)

And I just read that whole little exchange without having to click once! This site works so much better.

Re: pfft (Score: -1, Troll)

by Anonymous Coward on 2014-04-25 18:06 (#167)

3========D OH MY!

Re: pfft (Score: 0)

by Anonymous Coward on 2014-04-25 18:30 (#169)

This isn't really the type of comments that will grow the userbase.