aelius Posted January 5, 2014 Report Posted January 5, 2014 In a blog post, Eloi said that During Christmas Holidays he forgot the admin interface password of his Linksys WAG200G router and in an effort to gain access back of its administration panel, he first scanned the Router and found a suspicious open TCP port i.e. 32764. To do further research on this port service, he downloaded a copy Linksys firmware and reverse-engineered it. He found was a secret backdoor interface that allowed him to send commands to the router from a command-line shell without being authenticated as the administrator. Then he tried to Brute-force the login available at that port, but doing so flips the router's configuration back to factory settings with default router administration username and password. 'The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources.'He described the complete details of this Serious vulnerability in above slides. After his post, other hackers around the world did further research, that shows that these devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin and various others may be affected as well. Source: Hacking Wireless DSL routers via Administrative password Reset VulnerabilityThe Python based exploit script can be downloaded from here: https://github.com/elvanderb/TCP-32764The Complete List of vulnerable devices can be found here: https://github.com/elvanderb/TCP-32764/blob/master/README.md Quote