5/26/2018 TCP32764 Backdoor Again
1/18
Released 18/04/2014 by Eloi Vanderbeken - Synacktiv
How Sercomm saved my Easter
Another backdoor in my router: when Christmas is NOT enough!
2 / 18
! don"t know abo#t yo#$ b#t ! love Easter
And with Sercomm, it's Easter every day!
3 / 18
Remember the TCP/32764 router backdoor?
Introduced by Sercomm
Gives root shell, no authentication. Dumps entire configuration
affected manufacturers (Cisco, Linksys, NetGear, Diamond)
router models confirmed vulnerable
())) vulnerable routers on the Internet
more info: https://github.com/elvanderb/TCP-32764
4 / 18
It was patched
5 / 18
So, it can't be a feature. It was a simple mistake, wasn't it?
6 / 18
Let's have a look
'binwalk -e' to extract the file system
scfgmgr (the backdoor binary) is still present
But it's now started with a new -l option
7 / 18
What's this -l option?
scfgmgr now listens on a Unix domain socket :'(
8 / 18
Wait, what?
There is an alternate option: -f that makes scfgmgr listen on TCP.
9 / 18
Let's see if it's used
10 / 18
&at"s t&is "t6tool",
5pens a raw soc$et
6aits for pac$ets
wit& et&ertye 7 08888
comin9 rom t&e Et&ernet card or broadcasted:c&eck o t&e destination ;
11 / 18
If payload == md5("DGN1000") =
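The acceptance checks described on slides 10 and 11 (ethertype 0x8888, destination MAC is the router's own or broadcast, payload carries md5("DGN1000")) can be mirrored on the defender's side as a passive frame classifier for a LAN capture. This is an added example, not code from the Synacktiv slides or from ethercomm.c; the sample MAC addresses and frames are constructed, and whether ft_tool compares the digest against the whole payload or only its first 16 bytes is an assumption (the detector matches on the first 16 bytes).

```python
import hashlib
import struct

# Constants from the presentation: the ethertype ft_tool sniffs for and the
# key it compares the payload against.
BACKDOOR_ETHERTYPE = 0x8888
TRIGGER_DIGEST = hashlib.md5(b"DGN1000").digest()  # 16 raw bytes
BROADCAST = b"\xff" * 6


def parse_ethernet(frame: bytes):
    """Split a raw Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return dst, src, ethertype, frame[14:]


def classify_frame(frame: bytes, our_mac: bytes) -> str:
    """Apply ft_tool's filter from the monitoring side.

    Verdicts:
      'ignore'    - ethertype is not 0x8888, ft_tool never sees it
      'wrong-dst' - 0x8888 but neither addressed to our_mac nor broadcast
      'probe'     - 0x8888 to us/broadcast, payload does not carry the key
      'trigger'   - 0x8888 to us/broadcast, payload starts with md5("DGN1000")
                    (prefix match is an assumption of this example)
    """
    dst, _src, ethertype, payload = parse_ethernet(frame)
    if ethertype != BACKDOOR_ETHERTYPE:
        return "ignore"
    if dst not in (our_mac, BROADCAST):
        return "wrong-dst"
    if payload[:16] == TRIGGER_DIGEST:
        return "trigger"
    return "probe"


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a constructed sample frame (demo input only)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def scan_capture(frames, our_mac: bytes) -> dict:
    """Classify every frame of a capture and count verdicts; any 'trigger' or
    'probe' on a home router's LAN deserves a look, since nothing legitimate
    speaks ethertype 0x8888 there."""
    counts = {}
    for frame in frames:
        verdict = classify_frame(frame, our_mac)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: a router MAC, a second host, and three frames.
    router = bytes.fromhex("020000000001")
    host = bytes.fromhex("020000000002")
    capture = [
        build_frame(router, host, 0x0800, b"\x45" + b"\x00" * 19),      # ordinary IPv4
        build_frame(BROADCAST, host, 0x8888, b"\x00" * 16),           # 0x8888, wrong key
        build_frame(router, host, 0x8888, TRIGGER_DIGEST + b"\x00\x00"),
    ]
    print(scan_capture(capture, router))
```

Feeding real traffic to `classify_frame` only needs the raw bytes of each frame (for example from a pcap reader); the classifier deliberately does not interpret anything after the 16-byte key, since the slides do not describe those fields.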
12 / 18
13 / 18
So you can reactivate the backdoor again, if you're on the LAN
Or if you're an Internet provider (if you're one hop away, you can craft Ethernet headers)
It's DELIBERATE
You can also use the )2)) packet type to ping the router (it will respond with its MAC address) and )2) to change its LAN IP address
14 / 18
! don"t always atc& backdoors
15 / 18
Because a root shell is not enough, you can now (among other things) make
the router LEDs flash with the 00, 0 and 0;th message :)
16 / 18
But where does it come from?
The )2
17 / 18
How to detect it?
For DGN1000, simply use the PoC from your LAN
For other routers, the simplest way is to:
Use "binwalk -e" to extract the file system
Search for "ft_tool" or grep -r "scfgmgr -"
Use IDA to confirm
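The three triage steps for "other routers" (extract with binwalk, look for an ft_tool binary, grep the tree for scfgmgr being spawned with options, then confirm by hand) can be scripted over an already-extracted firmware directory. This is an added example and not the presentation's own tooling; the cut-off file size, the directory layout of the constructed sample tree and the verdict labels are assumptions made for the demo.

```python
import os
import re
import tempfile

# Names from the slides: the sniffer binary and the grep pattern.
FT_TOOL_NAME = "ft_tool"
SCFGMGR_INVOCATION = re.compile(rb"scfgmgr -")
# Skip anything larger than this when grepping (assumed limit, keeps the scan fast).
MAX_FILE_SIZE = 16 * 1024 * 1024


def scan_firmware_tree(root: str) -> dict:
    """Walk an extracted root fs (e.g. binwalk's _fw.bin.extracted/ tree) and
    collect ft_tool binaries and every file that contains 'scfgmgr -'.
    Paths are returned relative to root and sorted for stable output."""
    findings = {"ft_tool": [], "scfgmgr_invocations": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                continue  # symlinks would re-scan or escape the tree
            if name == FT_TOOL_NAME:
                findings["ft_tool"].append(rel)
            try:
                if os.path.getsize(path) > MAX_FILE_SIZE:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            for match in SCFGMGR_INVOCATION.finditer(data):
                # Keep a little context so the analyst sees which option is used.
                context = data[match.start():match.start() + 24]
                findings["scfgmgr_invocations"].append((rel, context))
    findings["ft_tool"].sort()
    findings["scfgmgr_invocations"].sort()
    return findings


def verdict(findings: dict) -> str:
    """Turn the raw hits into the decision the slide leaves to the analyst:
    both indicators present means open it in a disassembler to confirm."""
    if findings["ft_tool"] and findings["scfgmgr_invocations"]:
        return "suspicious"
    if findings["ft_tool"] or findings["scfgmgr_invocations"]:
        return "review"
    return "clean"


def build_sample_tree() -> str:
    """Create a throw-away directory that mimics an extracted root fs.
    All contents are constructed for this demo, not taken from real firmware."""
    root = tempfile.mkdtemp(prefix="fw_demo_")
    files = {
        "bin/ft_tool": b"\x7fELF" + b"\x00" * 8 + b"scfgmgr -f\x00",  # sniffer spawning the TCP listener
        "usr/sbin/scfgmgr": b"\x7fELF" + b"\x00" * 8 + b"scfgmgr\x00",  # the backdoor binary itself
        "etc/init.d/rcS": b"#!/bin/sh\nscfgmgr -l &\n",                # boot script, Unix-socket mode
        "etc/hosts": b"127.0.0.1 localhost\n",                          # innocent file
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_firmware_tree(demo_root)
    for rel, ctx in result["scfgmgr_invocations"]:
        print(f"{rel}: {ctx!r}")
    print("ft_tool at:", result["ft_tool"], "->", verdict(result))
```

Point `scan_firmware_tree` at the directory binwalk produced; a hit on `scfgmgr -f` inside a binary other than an init script is exactly the pattern the slides describe and is the spot to load into IDA.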
18 / 18
We hope you enjoyed this presentation :)
PoC is available here: http://synacktiv.com/ressources/ethercomm.c