OpenWAG200

[ghost]

Vulnerable even with this installed http://sourceforge.net/projects/openwag200/files/OpenWAG200/1.4/
-download configuration with cleartext http admin password
-in shell with command "reboot" the router obeys
-work on WAN (Internet)

[elvanderb]

Interesting, thank you :)
I added it to the list, maybe OpenWAG200 is a little bit too open :P

[ghost]

UPDATE:
thanks of the ssh/telnet access present on OpenWAG200 and killing all of the processes called scfgmgr like you suggested in issue#61, the backdoor is not usable:

$ python poc.py --ip 192.168.200.253 --shell
probably not vulnerable (error: [Errno 111] Connection refused)

But the WebInterface become broken:
-the SETUP page is not complete
-the STATUS page display no information

[vittee]

This work for me

iptables -I INPUT -i ppp0 -p tcp --dport 32764 -j DROP

[elvanderb]

So?

[329229]

Maybe that's a little bit late, but i'd like to point out that the now dead openwag200g wasn't listening on the internet after all.
(snippet from original firewall script:
SYSLOG "# ------ [ Special Port Handling ] ------------------- #"
$IPTABLES -A INPUT_TCP -i $WANIF -m multiport -p tcp --dport 23,80,32764 -j DROP
)