Keeping The Family Off The Net With An Undocumented Backdoor

memetics

When [Eloi] was home for Christmas, he faced one of the most difficult problems man has ever faced: his entire family, equipped with smartphones and laptops, siphoning all the Internet through a 1Mb/s connection. For any technically minded person, the fix for this problem is to limit the bandwith for all those Facebook and Twitter-heads, while leaving [Eloi]‘s battlestation unaffected. [Eloi] had originally set up the Linksys WAG200G router in the family home a few years ago but had since forgotten the overly complex admin password. No worries, then, because apparently the WAG200G is open as wide as a barn door with a completely undocumented backdoor.

Without the password to the admin panel of the router, [Eloi] needed a way in. After pointing nmap at the router, he found an undocumented service running on port 32764. Googling this observation resulted in a lot of speculation, so the only option was to download the router’s firmware, look for the service, and figure out a way in.

[Eloi] eventually got a shell on the router and wrote a very short Python script to automate the process for all WAG200G routers. As for where this backdoor came from, it appears a SerComm device on the router is responsible. This means a whole bunch of routers with this specific SerComm module also have this backdoor, and we’d assume anything with a service running on port 32764 is suspect.

If you’re looking for a fix for this backdoor, your best bet is probably installing OpenWRT or Tomato. The OpenWAG200 project, an open firmware specifically designed for [Eloi]‘s router, still has this vulnerability, though.

Comments

  1. wouldn’t it have made more sense to just do a 30-30-30 reset?

  2. toodlestech says:

    Or you could click the factory reset pin-hole button that is on every router, but to each his own.

  3. denis says:

    Perhaps he wanted to preserve all his settings? And this solution is more in keeping woth the spirit of this site ;)

  4. FrankTheCat says:

    My family isn’t just into social integration, but heavily into Netflix. 3.3Mb/s down speed on a good day split between five users is bad news bears. Tomato Speedmod on my WRT54GL + some QoS rules to heavily throttle all IPs (strangely not including mine; oops! c:) on non-HTTP/HTTPS port traffic (not including Tumblr/Instagram/Vine/Youtube/Netflix/etc. domains) fixed the problem. Also setup WLAN traffic to be on a lower priority than LAN traffic just to make sure.

  5. Eirinn says:

    Does anyone have a web-tutorial for general router admin stuff? I wouldn’t mind getting my hands a little dirty with this. Some programs are sucking a bit too much bandwidth at seemingly random times at home.

    • ckiens says:

      Routers don’t do Application layer filtering. You could filter through port numbers and protocols, though false positives become a problem for anything beyond 1024. Most cheap routers lack the kind of sophistication to do anything more. What you are looking for is a piece of software or a security appliance.

      Squid and iptables would work just fine.

      In any case, if you want to get your hands dirty then you are going to have to dig up some dirt first.

  6. Ozwald says:

    Actually his name is Eloi, not Eoli ;-)

  7. Phil says:

    I’m on 120mb, they can use what they want ;)

  8. Trui says:

    Where is this place where you only get 1 Mbps ?

    • polossatik says:

      France?

    • Australia to.

    • Blue Footed Booby says:

      Anywhere sufficiently rural in the United States.

    • matt says:

      Lots of small businesses in the urban American environments which bought T1s a decade ago or longer and havent bothered to upgrade to business class DSL/cable.

      • RogueAngel2k says:

        Sadly this is true and sad. What’s more sad is that the Telco providers are still selling T1’s as though it is still a relevant piece of technology in today’s small business. ~$300+ for 3 Mb/s ? No thanks.

        • 11black says:

          Agreed that the pricing scheme versus residential/SMB service offerings is way off, but what the T1 providers sell with the miserable speed is SLA/uptime stats. Wait til Time Warner business class goes down because a construction crew severed a line 3 miles away. You get ‘best effort’ at resolution. The T1 providers promise RTO of ~ 4 hours +/- based on your contract, or face charge backs from clients if they go beyond SLA.
          Having said that, as IT for a company that has thousands of remote sites on the other end of (mostly) T1 circuits, the bandwidth is abismal, and something as simple as an outlook local copy rebuild can crush the circuit, rendering critical business operations dead in the water.

        • CAhrens says:

          A lot of times T-1s are still better than a lot of DSL connections due t the fact that a T-1 is 1.544 Mbps in both direction where you end up seeing a lot of DSL connections promising 10 Mpbs down but only offer 768k up (especially on business class connections).

          A T-1 also allows linking a remote site directly to the main network without having to set up a VPN or trying to tunnel through the internet.

          • ckiens says:

            Totally. It is very, very worth it if you absolutely need dedicated connections (reliability, real privacy, availability, and consistency). It also is far superior for large VoIP usage and that is what new T1 installs are usually for.

    • Tisper says:

      Rural places in Chile (If we are lucky, most rural places don’t have)…. At mayor cities you can get up to 150Mbps though. Darn companies that don’t want to invest a single penny, not even for maintenance. But makes us pay US$38 for a 1Mbps connection that DC’s every now and then and sometimes connects at 512kps or less <.<

    • AngelX says:

      Venezuela XD

  9. FinalEchelon says:

    I admit I would have most likely opted for the 30-30-30 reset, but none the less after reading the slides and looking into this more this is an excellent case of “the hammer is faster but I prefer the screwdriver”! Love it!

    FE

  10. asdf says:

    What a nice way to spend christmas holidays isolated from your family.

  11. If I remember correctly from Reddit, this all happened because he was too lazy to get out of bed. He turned off the webconsole to the WLAN (even though, in his presentation he notes that he lives in the middle of nowhere and doubts anyone would be on his WLAN).

    Could he have pushed the reset button and done a 30-30-30? Sure. Could he have gone to the wired desktop PC and logged in? Sure.

    But either of those would have required him leaving bed.

  12. LK says:

    Hit the news two days ago in Germany with the focus on the until now undocumented backdoor to a whole family of routers rather than getting around admin passwords you could bypass by using the reset button…

  13. r4k says:

    How hard could it be to google “WAG200G reset password” ???

    Of course, if you are leaching WiFi and want to throttle the legitimate owners, this could indeed be most useful….

  14. Mike D says:

    He needs a mooltipass. … or yeah, just reset it.

  15. DigiGram says:

    Okay, I need a way to get me more speed for the half hour I will need it. On my way to get that, I spend days developing a way in to the router, then a script to automate it. By now I don’t have time for the game any more. This sounds like my way of gaming :D

    I’m glad he preferred the screwdriver over the hammer

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 93,625 other followers