Eloi Vanderbéken recently found a backdoor in some common routers, which is described on his GitHub here. Basically, a process listening on TCP port 32764 runs on the router, and it is sometimes reachable from the WAN interface. We scanned the IPv4 Internet to look for routers that have this backdoor wide open, and gathered some statistics about them. We will also present a way to permanently remove this backdoor from Linksys WAG200N routers.
Note that although this backdoor gives free access to many hosts on the Internet, no patch is available because these routers are no longer maintained. So we thought about some tricks, combined with our tools, to work out how this could be fixed worldwide.
This backdoor has no authentication at all and allows various remote commands, such as:
a remote root shell
an NVRAM configuration dump, from which Wi-Fi and/or PPPoE credentials can be extracted, for instance
Let's see how many routers are still exposed to this vulnerability, and then propose a way to remove the backdoor.
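To illustrate the kind of check the scan above relies on, here is an added example (not code from the original post or from Eloi Vanderbéken's research) that tests whether hosts in an address range you administer are exposing TCP port 32764. It only performs a TCP connect, so an open port is a triage signal rather than proof that the backdoor service is behind it; the hostnames, the worker count and the local listener used for self-testing are assumptions of this example, not values from the post.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Port used by the backdoor process described in the post.
BACKDOOR_PORT = 32764


def port_is_listening(host, port=BACKDOOR_PORT, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds, False otherwise.

    A plain connect is enough to flag a router that exposes the port on its
    WAN side; it does not speak the backdoor protocol, so treat a hit as a
    candidate to verify, not as a confirmed backdoor.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, unreachable network, etc.
        return False


def audit_hosts(hosts, port=BACKDOOR_PORT, timeout=2.0, workers=32):
    """Check many hosts concurrently; returns {host: exposed_bool}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = pool.map(lambda h: port_is_listening(h, port, timeout), hosts)
        return dict(zip(hosts, flags))


def start_local_listener():
    """Test helper (assumption): a dummy listener on 127.0.0.1 standing in for
    a router that exposes the port. Returns (stop_callable, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # OS picks a free port
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()            # accept and drop; no protocol needed
            except socket.timeout:
                continue
            except OSError:
                break
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return stop.set, srv.getsockname()[1]


def find_closed_port():
    """Test helper: bind/close a socket to obtain a port that is now closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_check():
    """Exercise the audit against one open and one closed local port.

    Returns (result_for_open_port, result_for_closed_port)."""
    stop, open_port = start_local_listener()
    try:
        opened = port_is_listening("127.0.0.1", open_port, timeout=1.0)
    finally:
        stop()
    closed = port_is_listening("127.0.0.1", find_closed_port(), timeout=1.0)
    return opened, closed


if __name__ == "__main__":
    # Constructed sample target list (assumption): replace with the address
    # range you are responsible for.
    sample_hosts = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
    for host, exposed in audit_hosts(sample_hosts, timeout=1.0).items():
        print(f"{host}: {'port 32764 OPEN' if exposed else 'closed/filtered'}")
```

Run it against the WAN address of your own router (or the ranges you manage) to see whether port 32764 answers; a hit is the trigger to apply the removal procedure described later in the post.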