Routers take the hit again: backdoor found in devices from major vendors
Posted: 2014-4-28 23:22
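Backdoors in routers are nothing new. We have previously found many firmware flaws in mainstream routers, and now routers made by Netgear and Linksys turn out to have the same kind of problem. French hacker Eloi Vanderbeken found a backdoor in mainstream routers from vendors such as Netgear, Linksys and Cisco.
Eloi Vanderbeken, a French software engineer, found this backdoor, which can reset the administrator password, in almost all Netgear and Linksys routers.
He shared his research results on GitHub so that others can continue his work.
On the last day of last Christmas holiday, this bored hacker had forgotten his router password, so he decided to recover it by hacking the router. While trying, he noticed a suspicious port, 32764, and promptly reverse-engineered the router firmware.
To his surprise, the router contained a backdoor that let him send commands to the router without authorization.
After restoring the router to factory settings, Eloi began brute-forcing the backdoor.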

The script above can be downloaded from GitHub. This backdoor cannot be exploited remotely, but it is still a serious security vulnerability.

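Other hackers built on Eloi's research and tried many other devices, and many router vendors turned out to be affected.
The affected devices are listed below: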
Linksys WAG200G
Netgear DM111Pv2
Linksys WAG320N
Linksys WAG54G2
DGN1000 Netgear N150
NETGEAR DGN1000 (don't know if there is a difference with the other N150 ones…)
Netgear DG834G V2 firmware 4.01.40 (thanks Burn2 Dev)
Diamond DSL642WLG / SerComm IP806Gx v2 TI
Linksys WAG120N
Cisco WAP4410N
Linksys WAG160n
LevelOne WBR3460B
Netgear DGN3500
NetGear DG834 v3 (thanks jd)
Netgear DG834[GB, N, PN] version < 5
Netgear DGN2000B
Linksys WRVS4400N (Firmware Version: V2.0.2.1)
Linksys WRT300N fw 2.00.17
NETGEAR JNR3210
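
For anyone running one of the devices listed above, one way to see whether anything is reaching for TCP port 32764 is to scan the gateway's firewall log. The following is an added example, not part of the original post and not one of the scripts published on GitHub. The iptables LOG line format, the `FW-IN` prefix, the sample lines and the function name are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

BACKDOOR_PORT = 32764  # the TCP port named in the article

# RFC 1918 ranges, treated here as "LAN" (assumption: a typical home/office network).
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines in iptables LOG style; the addresses are
# documentation and private ranges, not real observations.
SAMPLE_LOG = """\
Apr 28 23:01:10 gw kernel: FW-IN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=51544 DPT=32764 SYN
Apr 28 23:01:12 gw kernel: FW-IN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=51545 DPT=32764 SYN
Apr 28 23:02:40 gw kernel: FW-IN IN=br0 OUT= SRC=192.168.1.23 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=40112 DPT=32764 SYN
Apr 28 23:03:05 gw kernel: FW-IN IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN
Apr 28 23:03:09 gw kernel: FW-IN IN=br0 OUT= SRC=192.168.1.40 DST=192.168.1.1 LEN=48 PROTO=UDP SPT=32764 DPT=53
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs such as SRC=, DPT=


def find_backdoor_port_hits(log_text, port=BACKDOOR_PORT):
    """Return {(origin, src_ip): count} for TCP packets whose destination is `port`.

    origin is "lan" for RFC 1918 sources and "wan" for everything else.
    """
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        # Only TCP traffic *to* the port counts; a source port of 32764 does not.
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # truncated or malformed line: skip rather than guess
        origin = "lan" if any(src in net for net in LAN_NETS) else "wan"
        hits[(origin, str(src))] += 1
    return dict(hits)


if __name__ == "__main__":
    for (origin, src), count in sorted(find_backdoor_port_hits(SAMPLE_LOG).items()):
        print(f"{origin:3} {src:15} {count} attempt(s) on TCP/{BACKDOOR_PORT}")
```

Any "wan" entry means the port is being probed from outside and should be dropped at the edge. A "lan" entry points to a host inside the network that is talking to the router on that port.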