Backdoor Discovered In Netgear and Linkys Routers
An anonymous reader writes "A hacker has found a backdoor in the Linksys WAG200G router that gives access to the admin panel without authentication. Further research shows that these devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin and various others may be affected as well. From the article: 'The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources.'"
http://www.shodanhq.com/search?q=port%3A32764
Thank goodness for OpenBSD and a bit of elbow grease.
Trolling is a art,
Attacking the router from inside the network is only a matter of infecting a computer inside the network.
Then the compromised computer is used to modify the DNS settings.
Then the whole network depending on the router to provide proper DNS is now visiting whatever hosts the attackers desire.
$5 / month hosted VPS on linux = awesome!
"Linkys". because details are for samzenpussies.
this is getting annoying enough.
Rich
I did a web search for "linksys router backdoor" and this story was one of the top results:
http://news.techworld.com/security/1682/critical-flaws-in-linksys-and-netgear-kit/
"...a hard-wired user account with a known password. Any user with access to a LAN with an affected WG602 device connected to it would be able to gain full administrator access to the device..."
There is a supported feature on Netgear routers where so long as you're on the internal network you can send a magic packet (using a utility called TelnetEnable) to open up the telnet port, then you can telnet in and issue commands as the super user. All TelnetEnable needs is the IP address of the router, its MAC address, and a widely known default username and password - all things anyone connected to the network can get easily.
It seems like this guy stumbled upon a similar feature.
Yes, this stuff should be better protected, but it's not necessarily a vulnerability. For example, you can log into your router this way and use iptables to add some custom firewall rules that the web admin interface doesn't support. The main hole here is A) Most people don't know it's even there, and B) The default username/password is the same for every router by default. You do need to be on the LAN side to send the magic packet in the first place.
> Or does such a thing already exist?
The wrt54gL (L for Linux) is an example of such a device. The early versions of wrt54g were popular with people using openWRT and such of course. Recognizing this, the company released a version specifically for nerds.
I'd love to see some other, more up-to-date options. I have some projects that would fit nicely in several MBs of RAM, without necessarily needing all the ports. A Raspberry Pi would work, but a beefed up WRT would be better.
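The DNS-change scenario raised earlier in the thread (a LAN host altering the router's DNS settings) can be spotted from a client by comparing the resolvers it was handed against the ones the network owner expects. This is an added example, not from the article or any commenter; the allowlist addresses and the sample resolv.conf text are constructed.

```python
import ipaddress

def parse_nameservers(resolv_conf_text):
    """Return (resolvers, malformed) parsed from resolv.conf-style text."""
    resolvers, malformed = [], []
    for raw in resolv_conf_text.splitlines():
        # Strip '#' and ';' comments, then look only at 'nameserver' lines.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        addr = fields[1].split("%", 1)[0]  # drop IPv6 zone id such as %eth0
        try:
            resolvers.append(ipaddress.ip_address(addr))
        except ValueError:
            malformed.append(fields[1])
    return resolvers, malformed

def audit_resolvers(resolv_conf_text, allowed):
    """List findings for resolvers outside the expected addresses/networks."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    resolvers, malformed = parse_nameservers(resolv_conf_text)
    findings = [f"malformed nameserver entry: {m}" for m in malformed]
    if not resolvers and not malformed:
        findings.append("no nameserver configured")
    for ip in resolvers:
        if not any(ip.version == n.version and ip in n for n in allowed_nets):
            findings.append(f"unexpected resolver: {ip}")
    return findings

# Constructed sample: what a client might hold after the router's DNS
# settings were changed (203.0.113.53 is a documentation-range address).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.53   ; not one we configured
nameserver fe80::1%eth0
"""

# Assumed allowlist: the router's own LAN addresses acting as DNS forwarder.
EXPECTED_RESOLVERS = ["192.168.1.1", "fe80::1"]

if __name__ == "__main__":
    for finding in audit_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS):
        print(finding)
```

If the router proxies DNS itself, clients only ever see the router's address, so the router's own upstream DNS setting needs the same comparison.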