Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
some codes and notes about the backdoor listening on TCP-32764 in linksys WAG200G.
Python C
branch: master

README.md

I WILL NOT MANUALLY UPDATE THIS REPOSITORY ANYMORE

If you want to add a router in the list, please make a pull-request, also remember to USE THE POC and paste the result in your pull-request. Telnet clients and other solutions may not be relevant (some false negative / positive reported).

Some random code/data about the backdoor I found in my Linksys WAG200G (TCP/32764).

The backdoor may be present in other hardware, I'll update this readme accordingly. :)

Possible fix :

Probable source of the backdoor:

Backdoor LISTENING ON THE INTERNET confirmed in :

  • Linksys WAG120N (@p_w999)
  • Netgear DG834B V5.01.14 (@domainzero)
  • Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
  • Netgear WPNT834 (issue 79)
  • OpenWAG200 maybe a little bit TOO open ;) (issue 49)

Backdoor confirmed in:

Backdoor may be present in:

Backdoor is not working in:

  • Belkin F5D7230-4 6000 (SerComm manufactured product) (issue 51)
  • Belkin F9K1002 v3 (SerComm manufactured product)
  • Cisco E2000 fwv 1.0.02 (issue 17)
  • Cisco Linksys E4200 V1 fwv 1.0.05 (issue 18)
  • Cisco Linksys X2000 (issue 40)
  • Cisco EPC3925
  • Cisco RV082 v03 fw4.2.2.08 (issue 94)
  • Linksys E2500 (@Antoniojojojo)
  • Linksys E3000 fwv 1.0.04 (issue 16)
  • Linksys E3200 Firmware Version: 1.0.04 (Build 1)
  • Linksys E4200 Firmware Version: 2.0.26 (issue 53)
  • Linksys RV082 v02 fw2.0.2.01-tm (issue 94)
  • Linksys WAG354G V.2 EU (issue 69)
  • Linksys WRT100 fwv 1.0.00 (Issue 71)
  • Linksys WRT110 fwv 1.0.07 (issue 70)
  • Linksys WRT120N fwv 1.0.07 (@viniciuskmax)
  • Linksys WRT160Nv2 (issue 43)
  • Linksys WRT160Nv3
  • Linksys WRT320N (issue 31)
  • Linksys WRT54GL(v1.1) Firmware v4.30.16
  • Linksys WRT54GS v1.52.8 build 001 (thanks Helmut Tessarek)
  • Linksys WRT600N running 1.01.36 build 3 (@shanetheclassic & issue 46)
  • Linksys WRT610N V1 fwv 1.00.03 B15 (issue 60)
  • Netgear CG3100 (issue 6)
  • Netgear CG3700EMR as provided by ComHem Sweden (issue 20)
  • Netgear DG834G v5 (manufactured by Foxconn as opposed to the previous versions, nice finding anthologist issue 28)
  • Netgear DGN2200Bv3 (V1.1.00.23_1.00.23) (issue 41)
  • Netgear DGN3500 (amod 9.3.1 based on official 1.1.00.34 - http://alfie.altervista.org/amod)
  • Netgear DGND3700 (issue 33)
  • Netgear DGND4000 (V1.1.00.14_1.00.14) (issue 67)
  • Netgear ProSafe FVS318G fwv 3.1.1-14 (thank you Jason Leake :) )
  • Netgear R4500 firmware V1.0.0.4_1.0.3 (issue 64)
  • Netgear R6300 (issue 15)
  • Netgear R7000 (@LRFLEW)
  • Netgear RP614v[4,2] V1.0.8_02.02 (issue 22 & issue 24)
  • Netgear VMDG480 (aka. VirginMedia SuperHub) swv 2.38.01 (issue 16)
  • Netgear VMDG485 (aka. VirginMedia SuperHub 2) swv1.01.26 (issue 16)
  • Netgear WGR614v3 (issue 8)
  • Netgear WGR614v7 (thanks "Martin from germany" [your e-mail doesn't work])
  • Netgear WGR614v9 (issue 7)
  • Netgear WN2500RP (issue 15)
  • Netgear WNDR3700 (@juliengrenier)
  • Netgear WNDR4000 (issue 10)
  • Netgear WNDR4500 (@TechnicalRah)
  • Netgear WNR2000v3 (issue 43)
  • Netgear WNR3500L firmware V1.2.2.30_34.0.37 (issue 65)
  • Netgear WNR3500Lv2
  • Sercomm AD81ABA

Some clarifications: I didn't want to waste my time in writing a full report, it's a very simple backdoor that really doesn't deserve more than some crappy slides. Moreover, my English is quite bad.

I had a lot of fun in writing / drawing the slides, all the necessary information is in them. If people don't understand them or find them "too full of meme" then - well - it's too bad for them. :)

Something went wrong with that request. Please try again.