Earlier this year security researcher Eloi Vanderbeken discovered a backdoor in his Linksys wireless router and, after further investigation, determined that the same vulnerability was present in dozens of popular routers manufactured by Sercomm, including models marketed by Cisco, Netgear, and Diamond.
The companies quickly issued firmware patches that were said to mitigate the vulnerability, but Vanderbeken now claims (PDF) that the patches did not fix the security lapse but merely hid the problem.
Vanderbeken has determined that the backdoor binary remains in the latest firmware versions and is still exploitable: the service on port 32764 is only hidden, and can be brought back by sending a specific network packet to the router, as documented in the proof-of-concept code he developed based on the original exploit code written by Wilmer van der Gaast.
When the backdoor was first discovered, Cisco acknowledged that the vulnerability could allow a remote attacker to “gain root-level access to an affected device” by way of “an undocumented test interface in the TCP service listening on port 32764,” according to the company's advisory.
“An attacker could exploit this vulnerability by accessing the affected device from the LAN-side interface and issuing arbitrary commands in the underlying operating system. An exploit could allow the attacker to access user credentials for the administrator account of the device, and read the device configuration,” the company stated. “The exploit can also allow the attacker to issue arbitrary commands on the device with escalated privileges.”
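A practical check for the test interface Cisco describes, written for this edit rather than taken from the article or from Vanderbeken's proof-of-concept: it connects to TCP/32764 on a LAN-side address, sends one framed request and classifies the reply. It assumes the framing used by the published proof-of-concept (a 12-byte little-endian header of magic 0x53634D4D, message type and payload length, with type 1 being the configuration dump) and that a device running the service echoes the magic back in its reply, in either byte order. The gateway address 192.168.1.1 is a placeholder; run this only against equipment you are authorised to test.

```python
"""Probe for the Sercomm TCP/32764 test interface (added example).

Assumption, not from the article: every message is a 12-byte header
(magic 0x53634D4D, message type, payload length, all little-endian)
followed by the payload, as in the published proof-of-concept, and a
device running the service echoes the magic back.  Big-endian MIPS
builds reverse the byte order of the reply header.
"""
import socket
import struct
import sys

MAGIC = 0x53634D4D                    # b"MMcS" when packed little-endian
HEADER = struct.Struct("<III")        # magic, message type, payload length
MSG_DUMP_CONFIG = 1                   # assumed message id from the PoC
PORT = 32764


def build_request(msg_type: int, payload: bytes = b"") -> bytes:
    """Frame one request: header followed by the payload."""
    return HEADER.pack(MAGIC, msg_type, len(payload)) + payload


def classify_response(data: bytes) -> str:
    """Map the first bytes of a reply onto a verdict.

    'vulnerable' - reply opens with the protocol magic in either byte order
    'no-reply'   - connection accepted but nothing came back
    'other'      - some other service answered on the port
    """
    if not data:
        return "no-reply"
    if data[:4] in (b"MMcS", b"ScMM"):
        return "vulnerable"
    return "other"


def parse_header(data: bytes) -> tuple:
    """Return (return_code, payload_length) from a reply header.

    The leading magic tells us which byte order the device used.
    """
    if len(data) < HEADER.size:
        raise ValueError("reply header too short")
    order = "<" if data[:4] == b"MMcS" else ">"
    magic, code, length = struct.unpack(order + "III", data[:HEADER.size])
    if magic != MAGIC:
        raise ValueError("not a backdoor reply")
    return code, length


def probe(host: str, port: int = PORT, timeout: float = 3.0) -> str:
    """Connect, send a dump-config request and classify the reply header.

    Returns 'closed' when the port does not accept connections.  On the
    'patched' firmware the listener only comes up after the reactivation
    packet, so 'closed' does not prove the binary is gone.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(MSG_DUMP_CONFIG))
            data = s.recv(HEADER.size)
    except OSError:
        return "closed"
    return classify_response(data)


if __name__ == "__main__":
    # Placeholder gateway address; pass the real one on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(f"{target}:{PORT} -> {probe(target)}")
```

Only the 12-byte reply header is read, so the probe never pulls the configuration dump (which, as Cisco notes, carries the administrator credentials) off the device. A 'closed' verdict is the weak point: because the patched firmware hides the listener until it receives the reactivation packet, a port scan alone cannot distinguish a fixed device from a hidden backdoor.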
Vanderbeken says that the fact that the backdoor was never actually removed bolsters his assertion that the vulnerability was not incidental but was intentionally built into the firmware during development.