Backdoor found in many consumer routers and WAPs (Port 32764 vulnerability)



#1 x64

Posted 07 January 2014 - 02:42 PM

A bit worrying... This chap seems to have found that a number of (mainly consumer grade) routers and wireless access points have a process listening on port 32764/tcp. He has published a proof of concept that allows unauthenticated attackers to reset the router to default settings.

 

https://github.com/elvanderb/TCP-32764

 

The post is quite technical in places, and it is difficult, at least at first glance, to build an idea of exactly where this fits on the scale of "bad"... to "very bad"... through "extremely bad" or even "outright terrible".

 

There is a list of vulnerable devices emerging on the site.

 

The exploit had been public now for a few days and it seems that the bad guys are already probing for vulnerable devices https://isc.sans.org/diary/Scans+Increase+for+New+Linksys+Backdoor+%2832764TCP%29/17336

 

An interesting thing is that the vulnerable devices include routers from both Netgear and Linksys/Cisco.

 

Time to check your routers and upgrade firmware maybe? (if indeed you can find clean firmware for your device - many of the devices on the list are EOL).

 

x64


Edited by x64, 07 January 2014 - 02:42 PM.



#2 quietman7


Posted 07 January 2014 - 07:27 PM

Yes there have been several articles written about this in the past few days. Here are a couple more...

Backdoor in wireless DSL routers lets attacker reset router, get admin
Probes Against Linksys Backdoor Port Surging
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 jonuk76


Posted 09 January 2014 - 01:50 PM

Unfortunately I have a Linksys router that's named on the list.  There is no firmware update (it's not running the original factory firmware, but the one I am using was released in 2011 and it hasn't been updated since).  What is the recommendation at this stage?




#4 Crazy Cat


Posted 10 January 2014 - 07:56 PM

> Unfortunately I have a Linksys router that's named on the list. There is no firmware update (it's not running the original factory firmware, but the one I am using was released in 2011 and it hasn't been updated since). What is the recommendation at this stage?

Add a rule to the router's firewall to block port 32764.

Scan your router on port 32764 to see if it's open using these sites.

http://www.yougetsignal.com/tools/open-ports/
http://www.canyouseeme.org/

Try to connect to port 32764 with WAN and LAN using your web browser.

LAN:32764
WAN:32764

http://www.reddit.com/r/technology/comments/1ukhpl/find_out_if_your_router_is_listening_on_backdoor/
http://www.ghacks.net/2014/01/06/find-router-listening-backdoor-port-32764/

Edited by Crazy Cat, 10 January 2014 - 08:30 PM.

 



#5 jonuk76


Posted 11 January 2014 - 08:38 AM

Thanks.  It's interesting when I tried it that both of those sites report the port is closed.  Trying to connect directly using a web browser resulted in a blank page showing "MMcSÿÿÿÿ" in the top left corner, but this changed within a split second to an error page showing "The connection was reset".  Does this mean it's blocking the attempt to access it on this port?

 

I'm not quite sure of what settings I can change in the Firewall on my router.  It seems to have fairly limited settings available:

 

[screenshot: the router's firewall settings page]




#6 Crazy Cat


Posted 11 January 2014 - 04:48 PM

> It's interesting when I tried it that both of those sites report the port is closed.

To be sure on the WAN side, use:

Router Backdoor Scanner. http://www.router-backdoor.de/?lang=en

User-Specified Custom Port Probe Help. https://www.grc.com/x/ne.dll?rh1dkyd2
You may select any service from among those listed above . .
32764

> Trying to connect directly using a web browser resulted in a blank page showing "MMcSÿÿÿÿ" in the top left corner, but this changed within a split second to an error page showing "The connection was reset". Does this mean it's blocking the attempt to access it on this port?

On the LAN side.
Read 2 to 5 on http://www.reddit.com/r/technology/comments/1ukhpl/find_out_if_your_router_is_listening_on_backdoor/

> I'm not quite sure of what settings I can change in the Firewall on my router. It seems to have fairly limited settings available.

Make an Outbound/Inbound rule in either 'Access Restrictions' or 'Applications & Gaming'.

http://i.imgur.com/cvzXhrJ.png and http://i.imgur.com/TjmVVSL.png
 

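A scripted version of the LAN-side browser check discussed above, added here as an example; it is not code from the thread's posters or from the linked PoC. It opens a TCP connection to port 32764 on an address you own, sends the same plain HTTP request a browser would, and classifies the reply. The "MMcS"/"ScMM" magic values and the reading of the next four bytes as a signed status word are assumptions drawn from public descriptions of the service (the thread's browser test showed "MMcS" followed by four 0xff bytes); 192.168.1.1 is a placeholder address.

```python
import socket
import struct

BACKDOOR_PORT = 32764
# The service's 4-byte magic in both byte orders (assumption from public
# write-ups); the thread's browser test showed "MMcS" then four 0xff bytes.
MAGIC_VARIANTS = (b"MMcS", b"ScMM")


def classify_banner(data: bytes) -> dict:
    """Interpret the first bytes a service on 32764/tcp sends back.

    Returns a verdict and, when the magic is present, the signed 32-bit word
    that follows it (the 0xffffffff seen in the thread decodes to -1).
    """
    if not data:
        return {"verdict": "no-banner", "status": None}
    magic = data[:4]
    if magic not in MAGIC_VARIANTS:
        return {"verdict": "other-service", "status": None}
    status = None
    if len(data) >= 8:
        # "MMcS" is how a little-endian device emits the magic, "ScMM" a
        # big-endian one; decode the following word in the same byte order.
        fmt = "<i" if magic == b"MMcS" else ">i"
        status = struct.unpack(fmt, data[4:8])[0]
    return {"verdict": "backdoor-magic", "status": status}


def probe_own_router(host: str, port: int = BACKDOOR_PORT, timeout: float = 3.0) -> dict:
    """Send the harmless request a browser would and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            try:
                data = sock.recv(64)
            except socket.timeout:
                data = b""
    except ConnectionRefusedError:
        return {"verdict": "closed", "status": None}    # RST: nothing listening
    except (socket.timeout, OSError):
        return {"verdict": "filtered", "status": None}  # silent: firewalled or unreachable
    return classify_banner(data)


if __name__ == "__main__":
    # Placeholder: replace with your own router's LAN address.
    print(probe_own_router("192.168.1.1"))
```

A "backdoor-magic" verdict on the LAN side means the service is reachable from inside the network even when the WAN-side scanners report the port closed, which is the situation the thread describes.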


#7 jonuk76


Posted 11 January 2014 - 08:01 PM

OK cheers. The Router Backdoor Scanner reports the port is not open (hopefully it's a trustworthy site), and the GRC test reports "Stealth" (no response received) so I'm somewhat hopeful it's OK on the WAN side.

 

The Applications and Gaming section only has options to do with manual port forwarding and setting up a DMZ.  I added a rule earlier in Access Restrictions to block TCP and UDP on port 32764 (no option to specify inbound or outbound).  Connecting via LAN I can still see the text shown in the screen shot above for a split second, but then as I said earlier it immediately errors saying the connection was reset.




#8 jonuk76


Posted 21 February 2014 - 07:12 PM

This is getting some attention in the mainstream media now - http://www.bbc.co.uk/news/technology-26287517




#9 quietman7


Posted 21 February 2014 - 07:23 PM

Yes but not many U.S. folks read the BBC.

#10 x64


Posted 22 February 2014 - 01:56 AM

The new reports are about another vulnerability affecting a different subset of models. I have not had a chance to look into it yet.


Edited by x64, 22 February 2014 - 01:56 AM.


#11 quietman7


Posted 22 February 2014 - 05:43 AM

Linksys E1000 / E1200 Routers targeted by TheMoon malware

How to prevent your Linksys router from getting The Moon malware



