Netgear Hides Router Backdoor Instead of Fixing It

by
in security on (#3J8)
story imageA very recent firmware analysis from the reverse engineer Eloi Vanderbeken shows that NETGEAR didn't fix the backdoor on port 32764 but instead implemented a knocking feature that is now required to unlock the service.

Summary from the slides: The knocking feature is initiated when a "packet type == 0x201" arrived at "ft_tool" that listens to the Ethernet packets. It only works with EtherType 0x8888 and the payload has to be "45d1bb339b07a6618b2114dbc0d7783e" which is the MD5-hash of the model number DGN1000. If such a packet arrives, the backdoor service /usr/bin/scfgmgr f- is launched.

Ars Technica reports :
The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware and not just a mistake made in coding. "It's DELIBERATE," Vanderbecken asserted in his presentation.

(Cross posted on Soylentnews)

Re: Okay (Score: 1, Interesting)

by Anonymous Coward on 2014-04-26 11:05 (#16D)

Well, most of those mitigations don't even make sense on a router box (no local user activity, a subset of daemons, no http-like stuff opened to the public, just plain old routing and NAT). And FreeBSD has a couple of other security features that - while not that relevant to routers - are absent in OpenBSD. This includes jails (and no, systrace doesn't cut it), ACL support, MAC, signed packages and port auditing. Even NetBSD's veriexec feature is still missing on OpenBSD. ASLR and SSP are nice, and they mitigate real threats, but this is not 1998 anymore. And the reason these techniques exist is because most kernel developers haven't bothered reading the actual x86 processor manual and implement a per-process, multi-segment architecture.

And yeah, I used OpenBSD for more than 10 years. I'd still pick it as a solution for VPN endpoints or small-time routing.
Post Comment
Subject
Comment
Captcha
What is five plus three?