At the beginning of this year, a secret backdoor on TCP port 32764 was discovered in several routers, including models from Linksys, Netgear, and Cisco. But even after the vendors released a security patch, the backdoor binary is still present in the new firmware version, and the backdoor on port 32764 can be reopened by sending a specific network packet to the router.
A backdoor in a system is a method of bypassing normal authentication, securing illegal remote access to a computer, obtaining access to plain text, and so on, while attempting to remain undetected.
Back in December, Eloi Vanderbeken of Synacktiv Digital Security was visiting his family for the Christmas holiday, and for various reasons he needed to gain administrative access to his Linksys WAG200G DSL gateway over Wi-Fi. He discovered that the device was listening on an undocumented TCP port, and after analyzing the code in the firmware, he found that the port could be used to send administrative commands to the router without a password.
After Vanderbeken published his results, others confirmed that the same backdoor existed on other systems based on the same Sercomm modem, including home routers from Netgear, Cisco (both under the Cisco and Linksys brands), and Diamond. In January, Netgear and other vendors published a new version of the firmware that was supposed to close the backdoor.
Typically when a security vulnerability is discovered in a device like a wireless DSL router, the manufacturer issues a patch that fixes the problem. But that’s not always the case. Sometimes they just hide the problem instead.
However, that new firmware apparently only hid the backdoor rather than closing it. In a published post, Vanderbeken disclosed that the “fixed” code concealed the same communications port he had originally found (port 32764) until a remote user employed a secret “knock”—sending a specially crafted network packet that reactivates the backdoor interface. In his illustrated report, he explained that ‘ft_tool’ actually opens a raw socket that listens for incoming packets, and that attackers on the local network can reactivate the backdoor on TCP port 32764 by sending the following specific packets:
Currently there is no patch available for the newly discovered backdoor. If you want to check your wireless router for this backdoor, you can download the Proof-of-Concept (PoC) exploit released by the researcher.
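As an added defender-side check (not the researcher's PoC and not code from the article), the following Python script probes a router from the LAN for a listener on TCP port 32764 and classifies the result; the gateway address 192.168.1.1 is only an assumed default, and the local "fake router" helper is a constructed stand-in for testing. Because the patched firmware keeps the backdoor dormant until it is knocked, a closed port is evidence that the service is not currently exposed, not proof that the backdoor binary is gone.

```python
import socket
import sys
from dataclasses import dataclass

BACKDOOR_PORT = 32764  # the Sercomm backdoor port discussed in the article


@dataclass
class ProbeResult:
    host: str
    port: int
    state: str  # "open", "closed" or "filtered"


def probe_tcp_port(host: str, port: int = BACKDOOR_PORT, timeout: float = 2.0) -> ProbeResult:
    """Classify a TCP port by attempting a full connect from the LAN side.

    open     -> a service accepted the connection (backdoor listener is active)
    closed   -> the host answered with RST (nothing listening right now)
    filtered -> no answer before the timeout (firewalled, or host unreachable)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return ProbeResult(host, port, "open")
    except ConnectionRefusedError:
        return ProbeResult(host, port, "closed")
    except OSError:  # includes socket.timeout on modern Python
        return ProbeResult(host, port, "filtered")
    finally:
        sock.close()


def start_fake_router(port: int = 0):
    """Constructed stand-in for a router with the backdoor service listening.
    Binds to loopback only; returns (listening_socket, bound_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Assumption: 192.168.1.1 is a typical default gateway address; pass your own as argv[1].
    gateway = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    result = probe_tcp_port(gateway)
    print(f"{result.host}:{result.port} is {result.state}")
    if result.state != "open":
        print("note: a non-open port does not prove the backdoor binary is absent; "
              "the 'fixed' firmware keeps it dormant until it receives the knock")
```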
This new discovery definitely gives weight to his claim that the backdoor has been deliberately introduced into the firmware as a ‘feature’, and not as a security bug.