
Fix for WAG120N #61

Closed
lahdekorpi opened this issue Jan 5, 2014 · 13 comments

Comments

@lahdekorpi

I coded a small script that fixes WAG120N (RAM only, needs to be run after reboot):

https://github.com/lahdekorpi/TCP-32764-First-Aid/

And am planning on releasing more first aid fixes for different routers.

@elvanderb
Owner

Nice, thank you.
For your next update, you have to kill scfgmgr to stop the backdoor on a lot of routers :) (tested and works on at least one IP reported by Shodan ;) )

@lahdekorpi
Author

Sure thing, WAG120N doesn't have any processes called scfgmgr, but I'll add that for others.
Do you have any idea how many routers the root ping exploit works on?

@SilentT-FR
Contributor

Different routers have access to a shell; do you think it's possible to write a script into memory (not RAM) so that it runs on each boot or each minute?

@lahdekorpi
Author

I'm working on unpacking at least the WAG120N Annex A firmware so that I can edit the /etc/rcS to remove the backdoor from booting up.
But I'm not sure if there is any other way than flashing a modified firmware.

@elvanderb
Owner

At least 2000 vulnerable routers are listening on the internet right now: http://www.shodanhq.com/search?q=port%3A32764+ScMM + http://www.shodanhq.com/search?q=port%3A32764+MMcS

There is a list of vulnerable routers in the readme.md, but I don't have any idea how many of them are running right now. You can use Shodan for guessing; for example, there are ~50000 Netgear DG834 with their admin interface listening on the net: http://www.shodanhq.com/search?q=DG834 (and probably many more without any admin interface listening on the internet).

@SilentT-FR
Contributor

And this list sometimes contains routers with the default login/password :/

@lahdekorpi
Author

I just ran

/sbin/iptables -A INPUT -p tcp --destination-port 32764 -j DROP

on my router, but that didn't restrict access. Any ideas?

# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             all-systems.mcast.net 
ACCEPT     all  --  anywhere             anywhere            state NEW 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            limit: avg 10/sec burst 5 multiport dports 80,443 tcp flags:FIN,SYN,RST,ACK/SYN 
ACCEPT     udp  --  anywhere             anywhere            limit: avg 10/sec burst 5 udp spt:68 dpt:67 
ACCEPT     icmp --  anywhere             anywhere            limit: avg 10/sec burst 5 icmp echo-request 
INPUT_TCP  tcp  --  anywhere             anywhere            
INPUT_UDP  udp  --  anywhere             anywhere            
RPING      icmp --  anywhere             anywhere            limit: avg 10/sec burst 5 
DROP       tcp  --  anywhere             anywhere            tcp dpt:32764 

@mavit

mavit commented Jan 7, 2014

@lahdekorpi: It's likely that the packet is being accepted by the INPUT_TCP chain before it gets to your new drop rule. The following works for me on my WRT350v2:

iptables -I INPUT 1 -p tcp --destination-port 32764 -j DROP

The snag with this is that it also makes the web admin interface inoperable. Killing scfgmgr leads to the same result.

@SilentT-FR
Contributor

@lahdekorpi You need to put the rule in first position.

@lahdekorpi
Author

D'oh!

@wulfaro

wulfaro commented Jan 10, 2014

The new firewall rule disappears every time the WAG120N renews its IP or I disconnect manually.
To keep the web GUI of the router reachable, it is necessary to specify the WAN interface; on the WAG120N it is ppp0.

@lahdekorpi
Author

But limiting to ppp0 would still mean it would be exploitable inside the LAN?

@wulfaro

wulfaro commented Jan 12, 2014

@lahdekorpi
Yes, the LAN remains vulnerable.
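As an added example (not code from the thread or the TCP-32764 project), a small POSIX shell helper that ties the two fixes above together: it emits the WAN-only drop rule inserted at position 1 of INPUT (WAN interface name assumed to be ppp0 unless given), and it checks an `iptables -L INPUT` listing in the format shown earlier to report whether the 32764 DROP rule is missing, present but shadowed by an earlier unrestricted ACCEPT or a jump into a user chain such as INPUT_TCP, or in an effective position. The shadowing heuristic is an assumption of this example, not something the thread states.

```sh
#!/bin/sh
# Added example, not from the issue thread. Assumed WAN interface: ppp0.
# Prints the commands that (re)insert a DROP for TCP/32764 at the top of
# INPUT. Restricting it to the WAN interface keeps the web GUI reachable
# from the LAN, which also means the LAN side is not covered by the rule.
mitigation_rules() {
  wan="${1:-ppp0}"
  printf '%s\n' \
    "iptables -D INPUT -p tcp --destination-port 32764 -j DROP 2>/dev/null" \
    "iptables -I INPUT 1 -i $wan -p tcp --destination-port 32764 -j DROP"
}

# Reads an 'iptables -L INPUT' listing on stdin and prints one of:
#   "missing 0"     no DROP for tcp dpt:32764 in the chain
#   "shadowed N"    the DROP is at rule N but an earlier rule can accept the
#                   packet first (ACCEPT with no port match, or a jump into a
#                   user chain for tcp/all traffic)
#   "ok N"          the DROP is at rule N and nothing before it matches first
# usage: iptables -L INPUT | drop_rule_status
drop_rule_status() {
  awk '
    NR <= 2 || NF == 0 { next }          # skip "Chain ..." line, header, blanks
    { n++ }                              # 1-based rule position
    $1 == "DROP" && /tcp dpt:32764/ { pos = n; exit }   # END still runs
    # earlier ACCEPT for tcp/all to any destination with no port restriction
    $1 == "ACCEPT" && ($2 == "all" || $2 == "tcp") && $5 == "anywhere" \
      && !/dpt/ && !/dports/ { shadow = 1 }
    # earlier jump into a user-defined chain (e.g. INPUT_TCP) for tcp/all
    $1 != "ACCEPT" && $1 != "DROP" && $1 != "REJECT" && $1 != "RETURN" \
      && $1 != "LOG" && ($2 == "all" || $2 == "tcp") { shadow = 1 }
    END {
      if (!pos)        print "missing 0"
      else if (shadow) print "shadowed " pos
      else             print "ok " pos
    }'
}
```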
