elvanderb / TCP-32764

some codes and notes about the backdoor listening on TCP-32764 in linksys WAG200G.


models vulnerable from the web

mandreko opened this issue · comments

I've been researching this backdoor, after seeing the excellent work done by Eloi. I found these models are working on the external wan interfaces, and have been able to get working shells on:

BSkyB DG934G
NETGEAR DG834
NETGEAR DG834
NETGEAR DG834G
NETGEAR DG834GT
NETGEAR DG834N
NETGEAR DG834PN
NETGEAR DGN1000
NETGEAR DGN2000
Honeywell WAP-PL2 IP Camera (I believe, but couldn't confirm model anywhere)

Models that I've found do not work from the wan interface, even though the port 32764 is open:
Linksys WAG120N
Linksys WAG320N
Linksys WAG54G2
Linksys WAG54G2B

Thank you but I won't update the readme.md anymore
It takes me too much time and I'm now back at work.
Could you please do a pull request?

I've got at least a strong reason to think that WAG120N can be accessed from the wan interface.

I have one DGN1000 device on hand, but I can only access 32764 via LAN.
Are there any extra steps to access this from the WAN (internet) interface?

It may be specific firmware versions. I'll have to see if I can find my DGN1000 again, and get the version it was running.

So it could be accessed by default?
I got the version of my device, 1.1.00.48., FYI. :)

Hello Mandreko,
Could you let me know which device you have confirmed can be accessed via WAN?
And luckily, my friend has other Netgear devices; I will ask him for a trial.

My vulnerable DGN1000 is running firmware 1.00.41, and exposed to the WAN (I got the shell)

I downgraded my device to v41, but still failed to access 32764 from the WAN. Seems weird; did you get a reply on port 32764 from the WAN, or did you find some other funny way?

Can anyone confirm?

It's very interesting why this issue tracker isn't flooded with people asking more about the vulnerability :)

Any suggestions on securing old linksys modems? / Is this vulnerability exposed to external/internet somehow?

I've checked myself, and the answer seems to be no, but I wanted to get the opinion of other watchers of the project.

I've recently discovered our ISP segmenting modems based on their host names, which is usually the model name (it could be for performance or technical reasons, yet it's very fishy; I'm afraid these backdoors might be mass-exploited by ISPs in their efforts to siphon as much as they can from citizens), which urged me to fix/patch issues to the furthest point. I would appreciate any advice.