Netgear router listening on port 32764?

I've got a Netgear DG834G running firmware V5.01.01. From the LAN side, if I port scan it, it's listening on tcp port 32764. Trying to telnet into this port gives me the response MMcS\xff\xff\xff\xff\0\0\0\0 (in hex, obviously).

I've got UPnP disabled, it's not a remote management port, and it's not open on the WAN side. I can't find anything in Netgear's documentation, and searching online doesn't find anything either. A few people seem to have noticed, but no one actually has an answer. I've also created a firewall rule blocking outbound access to that port, and it's still open, so it's actually the router that's listening on it.

Does anyone know what this could be?

Dentrasi

Posted 2010-07-22T20:42:51.177

Reputation: 10 115

What telnet client are you using? When I use Putty all I get with my netgear router is "MMcSÿÿ"... – Mokubai – 2010-07-22T22:15:07.460

1A y with double dots over it is hexadecimal 0xff, you're getting the same as me. – Dentrasi – 2010-07-23T21:00:31.693

Just to add to this because I came across this recently, here's the output now: SF-Port32764-TCP:V=5.61TEST4%I=7%D=5/8%Time=4FA9A45B%P=i686-pc-linux-gnu%r SF:(GenericLines,C,"MMcS\xff\xff\xff\xff\0\0\0\0")%r(Help,C,"MMcS\xff\xff
SF:xff\xff\0\0\0\0")%r(X11Probe,C,"MMcS\xff\xff\xff\xff\0\0\0\0")%r(LPDStr SF:ing,C,"MMcS\xff\xff\xff\xff\0\0\0\0")%r(TerminalServer,C,"MMcS\xff\xff
SF:xff\xff\0\0\0\0"); Any more insight as to why this port is open by default would be nice. – None – 2012-05-08T22:57:04.367

3https://github.com/elvanderb/TCP-32764 – mpontillo – 2014-01-03T04:28:03.720

Since this device belong to you and you are on a LAN, Maybe you can try nmap -sV --version-all the_device_hostname. – user2284570 – 2014-01-04T01:52:59.117

Possibly a TR-069 thing. – Tom O'Connor – 2014-04-11T05:54:03.337

Answers

Hmm, weird.

Hex ff = Decimal 255, so logically the response you are receiving is equivalent to

MMcS 255.255.255.255 0.0.0.0 (dots added for networking clarity) which to me is basically a broadcast address on your network. It could be stating that any ip on your network can use the MMCS service, i.e. 255.255.255.255 net mask 0.0.0.0.

There are a number of things that MMCS could be, such as the MultiMedia Class Scheduler that Vista is able to use to get priority for multimedia traffic over the network. It would explain why the port is only open on your local network too.

Also a bit of info on point 5 of the first post of this page

I doubt it would be something to do with MIP-MANET Cell Switching which appears to be something to do with mobile phone networks. Wow there is some weird stuff that gets returned when you Google for MMCS 255.255.255.255. Like this.

So I'd say it's most likely a port that allows the Windows MultiMedia Class Scheduler to talk to the router to prioritize traffic, but it could be some weird funky mobile phone network stuff.

Mokubai

Posted 2010-07-22T20:42:51.177

Reputation: 64 434

Your post is in backdoor_description.pptx :)

– kenorb – 2015-03-07T10:56:58.610

@kenorb I'm not sure whether to feel proud, ashamed or slightly violated... – Mokubai – 2015-03-07T13:09:51.630

I think proud that you helped some people to not ruin their Christmas time:) – kenorb – 2015-03-07T13:12:21.323

Actually, this appears to be a software back-door included by the manufacturer as described here and exploitable using this script.

So far non-vendor related persons have reported there are back-doors in the following routers: Linksys WAG200G, Linksys WAG320N (Firmware V1.00.12) and Netgear DM111P. But it seems the following devices (yours included) may also be present, Netgear DG834, DG834G WPNT834 DG934, WG602, WGR614 router, Linksys WAG160N and DGN2000, WAG120N wireless-WRVS4400N. It seems likely this back-door is present in other devices as well.

NULLZ

Posted 2010-07-22T20:42:51.177

Reputation: 331

Actually this question was the main result that this back-door was created as it's in the original slide show: backdoor_description.pptx :)

– kenorb – 2015-03-07T11:01:00.453

English write-up about the issue from ArsTechnica – ernie – 2014-01-02T22:40:59.193

@D3C4FF : The thing which would be the most interesting, would be know what is the destination ip_address of the service, when it work normally. I'm curious to know which person automaticly colect the data. – user2284570 – 2014-01-04T03:02:32.563

This is MIPS port which is present in SerComm manufactured, routers and home gateways devices (Linksys, Netgear, Cisco) used for firmware upgrades.

This is managed by scfgmgr process which is listening on port 32764.

When accessed via telnet, data prefixed by ScMM or MMcS (depending on the system's endianess) seems to be returned.

It's very simple binary protocol with header (0xC bytes) followed by a payload.

Header structure:

typedef struct scfgmgr_header_s {
    unsigned long   magic;
    int             cmd;
    unsigned long   len;
} scfgmgr_header;

This is based on Cisco GPL sources (e.g. wap4410n_v2.0.1.0_gpl.tgz at decommissioned ftp-eng.cisco.com).

For actual info, see elvanderb's description and sample Python code.

Currently it's famous for heap based buffer overflow which can give you full access to the device (a backdoor). This was discovered by Eloi Vanderbeken in Christmas 2013, however it was probably known by Chinese hackers back in 2008 (cgi file).

Here is how to works.

Heap based buffer overflow:

Heap based buffer overflow

Messages:

Messages

So using simple overflowing message can give a lot of interesting details:

screenshot - WiFi username and password

However this could cause the configuration to be reset, so don't do it at home.

Here are few reversed commands performed by the router executed via this port.

nvram - Dump configuration.
get var - Get configuration var

possible stack based buffer overflow (if variable is controlled by the user)
set var - Set configuration var

stack based buffer overflow, output buffer (size ≈ 0x10000) is on the stack.
commit nvram - Read nvram /dev/mtdblock/3 from /tmp/nvram and check CRC

set nvram (/dev/mtdblock/3) from /tmp/nvram ; check CRC

Set bridge mode ON (not sure, I didn’t have the time to test it)

nvram_set(“wan_mode”, bridgedonly)
nvram_set(“wan_encap”, 0)
nvram_set(“wan_vpi”, 8)
nvram_set(“wan_vci”, 81)
system(“/usr/bin/killall br2684ctl”)
system(“/usr/bin/killall udhcpd”)
system(“/usr/bin/killall -9 atm_monitor”)
system(“/usr/sbin/rc wan stop >/dev/null 2>&1”)
system(“/usr/sbin/atm_monitor&”)

Show measured internet speed (download/upload)
cmd (yep, it’s a shell…)
- special commands:
  - exit, bye, quit -> quit... (alive = 0)
  - cd : change directory (a little bit WTF)
- other commands:
  - integer overflow in stdout handling (?) not exploitable but still ...
  - buffer overflow on cmd output (same buffer again)…
write file
- file name in payload
- root dir = /tmp
- directory traversal might be possible (not tested but it’s an open(sprintf(“/tmp/%s”, payload))… )
return version
return modem router ip
- nvram_get(“lan_ipaddr”)
restore default settings
- nvram_set(“restore_default”, 1)
- nvram_commit
read /dev/mtdblock/0 [-4:-2]
- dunno what it is, I didn’t have the time to test it
dump nvram on disk (/tmp/nvram) and commit

Source: (slide show) How Linksys saved my Christmas!

Normally that kind of ports should be officially by IANA.

This is what unSpawn replied at LinuxQuestions in 2007 related to this port:

If it's an officially IANA-assigned port (with a number between 0 and roughly 30000) then its number should correspond with a service in /etc/services ('getent services portnumber'), the services file of a scanner like Nmap or an online database like Sans' ISC.

Note that ephemeral port usage can be configured locally using the /proc/sys/net/ipv4/ip_local_port_range sysctl. An old default was 1024-5000, for servers a value of 32768-61000 is used and some applications want something like 1025-65535.

Also note these are static number-to-service mappings and while for instance /etc/services will say TCP/22 matches SSH that doesn't have to be the case in a particular situation,

Else if it's a port of which you don't know which process did bind to it then if you have access to the host you can interrogate it using netstat -anp, lsof -w -n -i protocol:portnumber or fuser -n protocol portnumber. This is the most accurate method,

Else if you do not have access to the host you could interrogate it by for instance telnet'ting to it. This is not an accurate method and in the case of a compromised host you may alert the intruder you're on her case.