How Sercomm saved my Easter! Another backdoor in my router: when Christmas is NOT enough!
Released 18/04/2014
By Eloi Vanderbeken - Synacktiv

I don't know about you, but I love Easter! And with Sercomm, it's Easter every day!

Remember the TCP/32764 router backdoor?
- Introduced by Sercomm
- Gives a root shell, no authentication
- Dumps the entire configuration
- 4 affected manufacturers (Cisco, Linksys, NetGear, Diamond)
- 24 router models confirmed vulnerable
- 6000 vulnerable routers on the Internet
- (more info: https://github.com/elvanderb/TCP-32764)

It was patched!

No, it can't be a *feature*! It was a simple mistake... wasn't it?

Let's have a look!
- 'binwalk -e' to extract the file system
- scfgmgr (the backdoor binary) is still present...
- But it's now started with a new -l option

What's this -l option?
- scfgmgr now listens on a Unix domain socket :'(

Wait... what?
- There is an alternate option: -f, which makes scfgmgr listen on TCP

Let's see if it's used...

What's this 'ft_tool'?
- Opens a raw socket
- Waits for packets
  – with ethertype = 0x8888
  – coming from the Ethernet card or broadcast (check of the destination MAC address)

Packet format

If payload == md5('DGN1000')...

And if packet type == 0x201... system('scfgmgr -f &')!!!

So you can reactivate the backdoor again...
- If you're on the LAN
- Or if you're an Internet provider (if you're one hop away, you can craft Ethernet headers)
- It's DELIBERATE
- You can also use the 0x200 packet type to ping the router (it will respond with its MAC address) and 0x202 to change its LAN IP address

I don't always patch backdoors...

Because a root shell is not enough...
- You can now (among other things) make the router LEDs flash with the 33rd, 34th and 35th message :)

But where does it come from?
- The 0x8888 ethertype and packet structure are used in an old Sercomm update tool: http://wiki.openwrt.org/_media/toh/netgear/dg834.g.v4/nftp.c
  Lazy guys, they didn't even code their new backdoor from scratch ;)
- It may be present in other hardware, but that's hard to tell:
  – No easy way to scan
  – The MD5 signature will certainly be different, as it's based on the router's commercial name

How to detect it?
- For DGN1000, simply use the PoC from your LAN
- For other routers, the simplest way is to:
  – Use 'binwalk -e' to extract the file system
  – Search for 'ft_tool' or grep -r 'scfgmgr -f'
  – Use IDA to confirm

We hope you enjoyed this presentation :)
PoC is available here: http://synacktiv.com/ressources/ethercomm.c
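The ft_tool slides above give a defender enough to watch the wire for the reactivation trigger: an Ethernet frame with ethertype 0x8888, unicast to the router or broadcast, whose payload carries md5('DGN1000'). The following is an added example (not the Synacktiv PoC and not code from the slides) that classifies raw frames from a capture. It assumes a standard 14-byte Ethernet header; because the inner message layout (the 0x200/0x201/0x202 type field) is not reproduced in this text, it does not decode the type and instead looks for the model digest anywhere in the payload, matching both the raw 16-byte digest and its hex encoding since the slides do not say which form is used. The sample frames are constructed, not captured.

```python
import hashlib
import struct

# Ethertype the ft_tool listener waits for (value taken from the slides).
FT_TOOL_ETHERTYPE = 0x8888
BROADCAST_MAC = b"\xff" * 6
ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, ethertype (14 bytes)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def model_digests(model_names):
    """MD5 of each router commercial name. The slides state the payload must
    equal md5('DGN1000') but do not show whether it is carried as 16 raw bytes
    or as a 32-character hex string, so both encodings are matched (assumption)."""
    digests = {}
    for name in model_names:
        raw = hashlib.md5(name.encode()).digest()
        digests[name] = (raw, raw.hex().encode())
    return digests


def inspect_frame(frame, digests):
    """Return None for frames that are not ethertype 0x8888, otherwise a finding.
    The inner ft_tool message layout is not reproduced on the slides, so the
    type field is not decoded; the digest is searched for in the whole payload."""
    if len(frame) < ETH_HDR.size:
        return None
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != FT_TOOL_ETHERTYPE:
        return None
    payload = frame[ETH_HDR.size:]
    finding = {
        "src": mac_str(src),
        "dst": mac_str(dst),
        "broadcast": dst == BROADCAST_MAC,
        "model": None,  # set when a known model digest is present
    }
    for name, (raw, hexed) in digests.items():
        if raw in payload or hexed in payload:
            finding["model"] = name
            break
    return finding


def scan_frames(frames, models=("DGN1000",)):
    """Run inspect_frame over a list of raw frames. Every 0x8888 frame is
    reported; those carrying a known model digest are the ones that could
    reach the system('scfgmgr -f &') branch described on the slides."""
    digests = model_digests(models)
    findings = []
    for index, frame in enumerate(frames):
        finding = inspect_frame(frame, digests)
        if finding is not None:
            finding["index"] = index
            findings.append(finding)
    return findings


def build_frame(dst, src, ethertype, payload):
    return ETH_HDR.pack(dst, src, ethertype) + payload


# Constructed sample capture: three frames, none taken from a real network.
ROUTER_MAC = bytes.fromhex("020000000001")  # constructed, locally administered
CLIENT_MAC = bytes.fromhex("020000000002")  # constructed
SAMPLE_FRAMES = [
    # 1: broadcast 0x8888 frame carrying md5('DGN1000') -> reactivation candidate
    build_frame(BROADCAST_MAC, CLIENT_MAC, FT_TOOL_ETHERTYPE,
                b"\x00" * 4 + hashlib.md5(b"DGN1000").digest()),
    # 2: ordinary IPv4 frame -> ignored
    build_frame(ROUTER_MAC, CLIENT_MAC, 0x0800, b"\x45\x00" + b"\x00" * 18),
    # 3: unicast 0x8888 frame with an unrelated payload -> reported, no model match
    build_frame(ROUTER_MAC, CLIENT_MAC, FT_TOOL_ETHERTYPE, b"hello router"),
]

if __name__ == "__main__":
    for finding in scan_frames(SAMPLE_FRAMES):
        print(finding)
```

Any 0x8888 frame on a home or customer LAN is worth a look on its own, since the slides show the ethertype is otherwise only used by an old Sercomm update tool; the model digest match is what separates noise from an actual trigger. For routers other than the DGN1000, pass the commercial name of the model in question in `models`, as the slides note the signature is derived from that name.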
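The firmware-side procedure on the "How to detect it?" slide (extract with 'binwalk -e', then look for 'ft_tool' and the string 'scfgmgr -f') is easy to script once the file system is on disk. The following is an added example, not part of the presentation or of any Sercomm or Synacktiv tool: it walks an already-extracted root directory, flags files named ft_tool and files whose bytes contain 'scfgmgr -f', reads everything as binary so the string is also found inside executables, and skips symlinks because extracted squashfs trees often contain dangling ones. The sample tree it builds is a constructed stand-in for binwalk's output, not real firmware; a hit still wants confirmation in a disassembler, as the slide says.

```python
import os
import tempfile

FT_TOOL_NAME = "ft_tool"             # binary named on the slides
REACTIVATION_STRING = b"scfgmgr -f"  # the command ft_tool passes to system()


def scan_rootfs(root):
    """Walk an extracted root file system and return sorted (reason, relative
    path) pairs. Files are read as bytes so the string is found inside
    binaries as well as init scripts; symlinks are not followed."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == FT_TOOL_NAME:
                findings.append(("ft_tool binary present", rel))
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if REACTIVATION_STRING in data:
                findings.append(("contains 'scfgmgr -f'", rel))
    return sorted(findings)


def make_sample_tree(base):
    """Constructed stand-in for a 'binwalk -e' output directory (not real
    firmware): one ft_tool-like binary that embeds the reactivation command,
    one init script that only uses the Unix-socket -l mode, and a symlink
    that must not be followed."""
    os.makedirs(os.path.join(base, "bin"), exist_ok=True)
    os.makedirs(os.path.join(base, "etc"), exist_ok=True)
    with open(os.path.join(base, "bin", FT_TOOL_NAME), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 32 + b"scfgmgr -f &\x00")
    with open(os.path.join(base, "etc", "init.sh"), "wb") as fh:
        fh.write(b"#!/bin/sh\nscfgmgr -l &\n")
    link = os.path.join(base, "bin", "ft_tool.lnk")
    try:
        if not os.path.lexists(link):
            os.symlink(FT_TOOL_NAME, link)
    except OSError:
        pass  # platforms without symlink support: the scan still works
    return base


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    root = make_sample_tree(tempfile.mkdtemp(prefix="rootfs-"))
    return scan_rootfs(root)


if __name__ == "__main__":
    for reason, rel in demo():
        print(f"{reason}: {rel}")
```

Point `scan_rootfs` at the `_firmware.bin.extracted/squashfs-root` style directory that binwalk produces. The init script in the sample only starts scfgmgr with -l, so it is not reported; only the file that carries the TCP-listening -f invocation is, which mirrors the distinction the slides draw between the patched start-up and the hidden reactivation path.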