Fix for WAG120N
lahdekorpi opened this issue · 13 comments
I coded a small script that fixes WAG120N (RAM only, needs to be run after reboot):
https://github.com/lahdekorpi/TCP-32764-First-Aid/
And I am planning on releasing more first aid fixes for different routers.
nice, thank you.
For your next update, you have to kill scfgmgr to stop the backdoor on a lot of routers :) (tested and works on at least one IP reported by shodan ;) )
Sure thing, WAG120N doesn't have any processes called scfgmgr, but I'll add that for others.
Do you have any idea how many routers the root ping exploit works on?
Different routers have access to the shell; do you think it's possible to write a script into memory (not RAM) so that it runs on each boot or each minute?
I'm working on unpacking at least the WAG120N Annex A firmware so that I can edit the /etc/rcS to remove the backdoor from booting up.
But I'm not sure if there is any other way than flashing a modified firmware.
at least 2000 vuln routers are listening on the internet right now: http://www.shodanhq.com/search?q=port%3A32764+ScMM + http://www.shodanhq.com/search?q=port%3A32764+MMcS
There is a list of vuln routers in the readme.md but I don't have any idea of how many of them are running right now. You can use shodan for guessing, for example there is ~50000 Netgear DG834 with their admin interface listening on the net: http://www.shodanhq.com/search?q=DG834 (and probably much more without any admin interface listening on the internet)
And this list sometimes contains routers with default login/password :/
I just ran

```
/sbin/iptables -A INPUT -p tcp --destination-port 32764 -j DROP
```

on my router but that didn't restrict access, any ideas?

```
# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             all-systems.mcast.net
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             limit: avg 10/sec burst 5 multiport dports 80,443 tcp flags:FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere             limit: avg 10/sec burst 5 udp spt:68 dpt:67
ACCEPT     icmp --  anywhere             anywhere             limit: avg 10/sec burst 5 icmp echo-request
INPUT_TCP  tcp  --  anywhere             anywhere
INPUT_UDP  udp  --  anywhere             anywhere
RPING      icmp --  anywhere             anywhere             limit: avg 10/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcp dpt:32764
```
@lahdekorpi: It's likely that the packet is being accepted by the INPUT_TCP chain before it gets to your new drop rule. The following works for me on my WRT350v2:

```
iptables -I INPUT 1 -p tcp --destination-port 32764 -j DROP
```

The snag with this is that it also makes the web admin interface inoperable. Killing scfgmgr leads to the same result.
@lahdekorpi You need to put the rule in first position.
D'oh!
The new firewall rule disappears every time the WAG120N renews its IP or I disconnect manually.
To keep the web GUI of the router reachable, it is necessary to specify the WAN interface; on the WAG120N it is ppp0.
But limiting to ppp0 would still mean it would be exploitable inside the LAN?
@lahdekorpi
Yes, the LAN remains vulnerable.
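The three lessons of this thread (insert at position 1 rather than append, restrict to the WAN interface so the web GUI stays reachable, and re-apply after every PPP reconnect without stacking duplicates) combined into one script. This is an added example, not code from the TCP-32764-First-Aid project; it assumes the WAN interface is ppp0 and iptables is at /sbin/iptables, both overridable via the environment.

```shell
#!/bin/sh
# Added example (not the project's own code): drop TCP/32764 on the WAN side,
# inserted at position 1 of INPUT so it is evaluated before the existing
# "state NEW" ACCEPT, and only if not already present, so it can be re-run
# after every PPP reconnect. WAN_IF=ppp0 and /sbin/iptables are assumptions
# taken from the thread; override them through the environment if needed.
WAN_IF="${WAN_IF:-ppp0}"
BACKDOOR_PORT="${BACKDOOR_PORT:-32764}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Match arguments shared by the check and the insert so they cannot drift apart.
rule_match() {
    printf '%s' "-i $WAN_IF -p tcp --dport $BACKDOOR_PORT -j DROP"
}

# Returns 0 when INPUT already carries a DROP for the port. Uses -L rather
# than -C because the iptables shipped on many old routers predates -C.
rule_present() {
    "$IPTABLES" -L INPUT -n 2>/dev/null | grep -q "^DROP .*tcp dpt:$BACKDOOR_PORT\$"
}

# Appending with -A (as tried in the thread) lands the rule below the
# "state NEW" ACCEPT, so it never matches; -I INPUT 1 puts it first.
ensure_rule() {
    if rule_present; then
        echo "DROP for tcp/$BACKDOOR_PORT on $WAN_IF already in place"
        return 0
    fi
    # word-splitting of rule_match output is intended here
    "$IPTABLES" -I INPUT 1 $(rule_match)
}

# Run with --apply from a shell, or call ensure_rule from a PPP ip-up hook so
# the rule survives the reconnects that wipe it.
if [ "${1:-}" = "--apply" ]; then
    ensure_rule
fi
```

The WAN-only match still leaves the port reachable from the LAN, as the thread notes; this script only closes the Internet-facing side.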