updated 02:12 pm EDT, Tue April 22, 2014
Flaw slightly obscured by firmware patch, researcher calls exploit intentional
A security flaw in some Linksys and Netgear routers discovered this winter, thought to be patched, has only been marginally hidden. Instead of the router listening and obeying command packets on port 32764, now the command must be prefixed by a specially-crafted packet, which reactivates the flaw, and allows for remote command and seizure of afflicted routers.
TCP port 32764 is the target of the hack, which still remains free of documentation from either Linksys or Netgear. After some testing, researcher Eloi Vanderbeken gained access to a command line interface for the router, which allowed a script to be written granting him administrative access.
The special packet to reactivate the flaw was used by "an old Sercomm update tool," so the "security by obscurity" method chosen to patch the flaw out isn't particularly obscure. Simply, the packet contains an MD5 hash of the model number of the router being attacked.
The packet must either be sent from inside the network, or from the ISP itself. However, a "broadcast" from an ISP could mass-enable many routers at once to reactivate the flaw. Given the poor patching of the flaw, Vanderbeken believes the original flaw to be intentional given the haphazard nature of the "fix," and not an accident at all.