Netcore and Netis Routers Remote Code Execution Vulnerability via UDP Backdoor

A remote code execution vulnerability has been identified in various models of Netcore and Netis routers, affecting firmware released prior to August 2014. This vulnerability arises from an undocumented backdoor listener on UDP port 53413, which is accessible from the WAN side of the router. The backdoor, protected by a hardcoded password, allows unauthenticated remote attackers to send specially crafted UDP packets that execute arbitrary commands on the affected device. Some router models may have a non-standard implementation of the 'echo' command, potentially impacting the exploitability of this vulnerability.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected router, with the attacker gaining root privileges. This could lead to unauthorized access to the router's administration panel, modification of router settings, and execution of man-in-the-middle attacks. Additionally, the vulnerability could be exploited to download unencrypted files containing sensitive information, such as router passwords.

Reproduction

The vulnerability can be reproduced by sending a UDP packet to port 53413 that includes the hardcoded password 'netcore' followed by a command to be executed. This can be done using a network tool or script that supports UDP packet manipulation. After the command is executed, the response can be read to confirm successful exploitation.

Remediation

Users are advised to upgrade to the latest official firmware version. If the vulnerability persists, it is recommended to replace the router.