
How Sercomm saved my Easter

Another backdoor in my router: when Christmas is NOT enough!


Released 18/04/2014
By Eloi Vanderbeken - Synacktiv

I don't know about you, but I love Easter

And with Sercomm, it's Easter every day!


Remember the TCP/32764 router backdoor?

Introduced by Sercomm
Gives a root shell, no authentication
Dumps the entire configuration
4 affected manufacturers (Cisco, Linksys, NetGear, Diamond)
24 router models confirmed vulnerable
6000 vulnerable routers on the Internet
(more info: https://github.com/elvanderb/TCP-32764)

It was patched


Now it can't be a "feature". It was a simple mistake... wasn't it?


Let's have a look


'binwalk -e' to extract the file system
scfgmgr (the backdoor binary) is still present...
But it's now started with a new -l option


What's this -l option?

scfgmgr now listens on a Unix domain socket :)


Wait... what?

There is an alternate option: -f, which makes scfgmgr listen on TCP


Let's see if it's used...


What's this 'ft_tool'?


Opens a raw socket
Waits for packets with ethertype = 0x8888 coming from the Ethernet card or broadcast (it checks the destination MAC address)

.ac$et format


If payload == md5("DGN1000")...


And if packet type == 0x201...

system("scfgmgr -f &")!!!

So you can reactivate the backdoor again...


If you're on the LAN
Or if you're an Internet provider (if you're one hop away, you can craft Ethernet packets)
It's DELIBERATE
You can also use the 0x200 packet type to ping the router (it will respond with its MAC address) and 0x202 to change its LAN IP address
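A LAN-side detector for the traffic described above, as an added example (it is not the talk's PoC and not Synacktiv's ethercomm.c). It takes only two facts from the slides: the 0x8888 ethertype and the md5("DGN1000") signature, and that ft_tool accepts frames addressed to the router or broadcast. The Ethernet II header layout is standard; where the digest sits in the payload, and whether it is carried raw or hex-encoded, are assumptions, so both encodings are searched. The frames it inspects are constructed in the block.

```python
"""Flag LAN frames that look like Sercomm ft_tool traffic.

Added example, not code from the talk or from Synacktiv's ethercomm.c.
From the slides: ethertype 0x8888, signature md5("DGN1000"), frames are
acted on when addressed to the router's MAC or broadcast. Assumed: the
position of the digest in the payload and its encoding (raw or hex).
"""
import hashlib
import struct

SERCOMM_ETHERTYPE = 0x8888          # ethertype reused from the old Sercomm nftp tool
BROADCAST_MAC = b"\xff" * 6
ETH_HDR = struct.Struct("!6s6sH")   # Ethernet II: dst, src, ethertype


def sercomm_signature(model_name: str) -> bytes:
    """The slides say the check is md5 of the router's commercial name."""
    return hashlib.md5(model_name.encode("ascii")).digest()


def parse_ethernet(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return dst, src, ethertype, frame[ETH_HDR.size:]


def inspect_frame(frame: bytes, router_mac: bytes, model_names=("DGN1000",)) -> dict:
    """What a sensor would log for one frame.

    sercomm_ethertype : 0x8888 is not used by normal LAN traffic, so this alone is an alert.
    accepted_by_router: ft_tool only acts on frames to the router's MAC or to broadcast.
    signature_model   : which model name's md5 appears in the payload, if any (both the
                        16 raw bytes and the 32-char hex form are tried; an assumption).
    """
    dst, src, ethertype, payload = parse_ethernet(frame)
    result = {
        "src": src.hex(":"),
        "ethertype": ethertype,
        "sercomm_ethertype": ethertype == SERCOMM_ETHERTYPE,
        "accepted_by_router": dst in (router_mac, BROADCAST_MAC),
        "signature_model": None,
    }
    if result["sercomm_ethertype"]:
        for name in model_names:
            digest = sercomm_signature(name)
            if digest in payload or digest.hex().encode("ascii") in payload:
                result["signature_model"] = name
                break
    return result


def alerts(frames, router_mac) -> list:
    """Frames worth alerting on: any 0x8888 frame the router would accept."""
    seen = [inspect_frame(f, router_mac) for f in frames]
    return [r for r in seen if r["sercomm_ethertype"] and r["accepted_by_router"]]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return ETH_HDR.pack(dst, src, ethertype) + payload


# Constructed sample data (not captured traffic). The 8 zero bytes stand in for the
# nftp-style header the slides show only as a picture; its real layout is not reproduced.
ROUTER_MAC = bytes.fromhex("001122334455")
ATTACKER_MAC = bytes.fromhex("0200000000aa")
OTHER_HOST_MAC = bytes.fromhex("0200000000bb")
FRAME_REACTIVATE = build_frame(BROADCAST_MAC, ATTACKER_MAC, SERCOMM_ETHERTYPE,
                               b"\x00" * 8 + sercomm_signature("DGN1000"))
FRAME_OTHER_MODEL = build_frame(ROUTER_MAC, ATTACKER_MAC, SERCOMM_ETHERTYPE,
                                b"\x00" * 8 + sercomm_signature("SOMEOTHERMODEL"))
FRAME_NOT_FOR_ROUTER = build_frame(OTHER_HOST_MAC, ATTACKER_MAC, SERCOMM_ETHERTYPE,
                                   b"\x00" * 8 + sercomm_signature("DGN1000"))
FRAME_ARP = build_frame(BROADCAST_MAC, ATTACKER_MAC, 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    for r in alerts([FRAME_REACTIVATE, FRAME_OTHER_MODEL, FRAME_NOT_FOR_ROUTER, FRAME_ARP],
                    ROUTER_MAC):
        print(r)
```

On a real network the frames would come from a raw socket or a pcap; the point of the check is that 0x8888 never appears in ordinary traffic, so the ethertype alone is a reliable alert, and the signature match only tells you which model the sender was targeting.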

I don't always patch backdoors...


Because a root shell is not enough...

You can now (among other things) make the router LEDs flash with some of the other message types :)


But where does it come from?

The 0x8888 ethertype and the packet structure are the ones used in an old Sercomm update tool:
http://wiki.openwrt.org/_media/toh/netgear/dg834.g.v4/nftp.c

Lazy guys, they didn't even code their new backdoor from scratch ;)
It may be present in other hardware, but that is hard to tell:

No easy way to scan: the MD5 signature will certainly be different, as it is based on the router's commercial name

How to detect it?

For DGN1000, simply use the PoC from your LAN
For other routers, the simplest way is to:

Use 'binwalk -e' to extract the file system
Search for 'ft_tool' or grep -r "scfgmgr -f"
Use IDA to confirm
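The first two steps above as an added Python script (not part of the talk's material): after you have run `binwalk -e firmware.bin`, point it at the extraction directory binwalk creates (by default `_firmware.bin.extracted/`) and it reports every file named ft_tool and every file containing the string "scfgmgr -f", the same two indicators the slide names. It does not replace the third step; a hit is a lead to confirm in the disassembler. The directory tree it checks is constructed inside the block, so it runs without a firmware image.

```python
"""Static indicators of the Sercomm ft_tool re-activation path in an
extracted firmware tree.

Added example, not from the talk. Usage on real input:
    binwalk -e firmware.bin
    python3 this_script.py _firmware.bin.extracted
The indicators are the ones the slides give: a binary called ft_tool and
the string "scfgmgr -f" (the command ft_tool runs). A hit is a lead, not
proof; confirm in IDA as the slide says.
"""
import sys
import tempfile
from pathlib import Path

INDICATOR_NAME = "ft_tool"
INDICATOR_STRINGS = (b"scfgmgr -f",)
MAX_FILE_BYTES = 64 * 1024 * 1024   # skip oversized leftovers such as a raw rootfs blob


def scan_extracted_fs(root) -> list:
    """Return (relative_path, reason) pairs for every indicator found under root."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue                                    # firmware trees are full of dangling symlinks
        rel = path.relative_to(root).as_posix()
        if path.name == INDICATOR_NAME:
            hits.append((rel, "file named ft_tool"))
        if path.stat().st_size > MAX_FILE_BYTES:
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        for needle in INDICATOR_STRINGS:               # the grep -r "scfgmgr -f" step
            if needle in data:
                hits.append((rel, "contains %r" % needle.decode("ascii")))
    return hits


def looks_backdoored(root) -> bool:
    """The slide says 'ft_tool' OR 'scfgmgr -f', so any single hit is enough."""
    return bool(scan_extracted_fs(root))


def make_sample_tree(with_indicators: bool = True) -> Path:
    """Constructed stand-in for a binwalk extraction directory (not real firmware).

    With with_indicators=True it contains a fake ft_tool that embeds the
    "scfgmgr -f &" command string; either way it contains a fake scfgmgr and
    a start-up script launching it with the post-patch -l option.
    """
    root = Path(tempfile.mkdtemp(prefix="_sample.bin.extracted_"))
    sbin = root / "squashfs-root" / "usr" / "sbin"
    etc = root / "squashfs-root" / "etc"
    sbin.mkdir(parents=True)
    etc.mkdir(parents=True)
    fake_elf = b"\x7fELF" + b"\x00" * 32
    (sbin / "scfgmgr").write_bytes(fake_elf)
    (etc / "rc.local").write_text("scfgmgr -l &\n")     # the -l mode is not an indicator
    if with_indicators:
        (sbin / INDICATOR_NAME).write_bytes(fake_elf + b"scfgmgr -f &\x00")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for rel, reason in scan_extracted_fs(target):
        print("%s: %s" % (rel, reason))
    print("suspicious" if looks_backdoored(target) else "no indicator found")
```

The string search is byte-based on purpose: the "scfgmgr -f &" argument to system() sits in the binary's .rodata as plain ASCII, so no disassembly is needed to find it, but only IDA tells you whether the code path that runs it is reachable from the raw socket.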


We hope you enjoyed this presentation :)

.o" is available here*


http://synacktiv.com/ressources/ethercomm.c
