

antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4

Dangerous remote Linksys 0-day root exploit discovered

01:51PM »www.net-security.org/secworld.php?id=14234

Uh oh. I have that old router too!


stormbow
Freedom isn't FREE
Premium
join:2002-07-31
Simi Valley, CA

Which models though, all of them? It doesn't seem like the author has a clue that Linksys is a brand not a model.



Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

reply to antdude
DefenseCode Security YouTube vulnerability demonstration:

»www.youtube.com/watch?v=cv-MbL7KFKE&hd=1

According to DefenseCode: "exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected."
--
»bit.ly/gUqYaH - C. Brian Smith: Think of the exclamation point as a car horn: a little goes a long way. Lay on it too hard and everyone’s going to think you’re a moron.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

I think Linksys routers are Linux or VxWorks based so the exploit might be general to the product line.
--
Don't feed trolls--it only makes them grow!


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to antdude
That article said Linksys was issuing a fix...for that old of a Linksys router? I am surprised if that is true. I'm sure they won't be issuing a fix for my nine year old Linksys router which isn't even the last version of that router. The last version would be about eight years old.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



kickass69

join:2002-06-03
Lake Hopatcong, NJ

reply to antdude
I have the WRT54GL as mentioned at the bottom of the article. But since I use DD-WRT I don't have to worry about that exploit it seems.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

reply to antdude
»blog.defensecode.com/2013/01/def···ing.html

quote:
Months ago, we've contacted Cisco about a remote preauth (root access) vulnerability in default installation of their Linksys routers that we've discovered.
We gave them detailed vulnerability description along with the PoC exploit for the vulnerability.

They said that this vulnerability was already fixed in latest firmware release...
Well, not this particular vulnerability, since the latest official Linksys firmware - 4.30.14, and all previous versions are still vulnerable.

Exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected.
Cisco Linksys is a very popular router with more than 70,000,000 routers sold.
That's why we think that this vulnerability deserves attention.


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

Are any of the routers that are running third-party firmwares such as TomatoUSB-based firmwares vulnerable?



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

reply to antdude
I can't see the YT, but what is the attack vector? If I have a Linksys with WPA encryption, am I vulnerable?

Is the attack through the with an unassociated computer, someone on the lan or wlan or through the WAN port?
--
* seek help if having trouble coping
--Standard disclaimers apply.--



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

reply to trparky

said by trparky:

Are any of the routers that are running third-party firmwares such as TomatoUSB-based firmwares vulnerable?

Best bet would be to ask Cisco or see what's going on: »Cisco


NetFixer
From my cold dead hands
Premium
join:2004-06-24
The Boro
Reviews:
·Comcast Business..
·Vonage
·Cingular Wireless
·Comcast

reply to antdude

said by antdude:

01:51PM »www.net-security.org/secworld.php?id=14234

Uh oh. I have that old router too!

As I said in my reply in the other thread on this same subject: »Re: Dangerous remote Linksys 0-day root exploit discovered!

said by NetFixer:

What is being demonstrated in their video is not a remote exploit. Launching an application targeting 192.168.1.1 is not going to access a remote router.

Perhaps they have more that they are not showing in the video, but accessing a router from its LAN interface is not necessarily the same as accessing it from its WAN interface (which would be a requirement to be called a remote exploit). If an intruder already has access to your LAN, it is not your network anymore (whether they get root access to your perimeter router or not).


--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Reviews:
·CenturyLink

Do these routers have a serial (RS-232) interface? Evidently using anything other than that is "remote access". I've always considered that to be from the WAN side as well. That's what most of us are worried about (and cascaded routers help somewhat against that).
--
Don't feed trolls--it only makes them grow!



NetFixer
From my cold dead hands
Premium
join:2004-06-24
The Boro
Reviews:
·Comcast Business..
·Vonage
·Cingular Wireless
·Comcast

said by StuartMW:

Do these routers have a serial (RS-232) interface? Evidently using anything other than that is "remote access". I've always considered that to be from the WAN side as well. That's what most of us are worried about (and cascaded routers help somewhat against that).

Many of the Linksys routers have an internal header that can be converted to a serial interface, but I have never run across a Linksys router (and make no mistake, it is Linksys routers that are being discussed, not real Cisco routers) that had an actual external serial interface from the factory (not even their business class routers have them). However even if the router(s) in question had serial ports, one would not be accessing a serial port via 192.168.1.1 as is shown in the POC video.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Reviews:
·CenturyLink

1 edit

Ahhh. I have a non big box store router (i.e. not a Linksys, Netgear etc) and it has a serial interface. I find that handy at times.

I do have "remote access" on the LAN side but only over HTTPS plus you need my personal certificate. Paranoid? You betchya

(You're not paranoid if they really are out to get you)
--
Don't feed trolls--it only makes them grow!



NetFixer
From my cold dead hands
Premium
join:2004-06-24
The Boro
Reviews:
·Comcast Business..
·Vonage
·Cingular Wireless
·Comcast

said by StuartMW:

Ahhh. I have a non big box store router (i.e. not a Linksys, Netgear etc) and it has a serial interface. I find that handy at times.

Actually Cisco/Linksys uses the 192.168.1.1 LAN IP address accessibility as a pseudo replacement for a serial interface so that the device can be accessed easily if the user (or an intruder) doesn't know that router's LAN IP address. They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface. I have complained to Cisco/Linksys about this vulnerability, but their reply was that it was a feature, not a vulnerability. This practice may not be universal for all Linksys routers, but I have found it to be so on many of them...my Cisco/Linksys/Vonage RTP300 seems to be an exception to that rule, but it uses Vonage firmware instead of Linksys firmware.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Reviews:
·CenturyLink

said by NetFixer:

I have complained to Cisco/Linksys about this vulnerability, but their reply was that it was a feature, not a vulnerability.

Well as software engineers say "it's a feature not a bug"

I agree that just allows anyone on any subnet to get to the router. WTF?
--
Don't feed trolls--it only makes them grow!


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

reply to NetFixer

said by NetFixer:

They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface.

Is this true? If I have router A (192.168.1.xxx) plugged into router B (192.168.22.xxx) and I have a device with a browser on "B"'s LAN and type 192.168.1.1, do I still get "B"'s admin page? I can't say I've ever encountered this, and I've been in this environment many times.
--
* seek help if having trouble coping
--Standard disclaimers apply.--
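
A check for the behaviour NetFixer describes and AVD asks about, written as an added example that is not part of any post in this thread: run from a host on the router's LAN, it compares what answers HTTP on 192.168.1.1 with what answers on the router's configured address. The function names, result labels and sample header values are constructed for illustration.

```python
import http.client
import ipaddress

LEGACY_ADDR = "192.168.1.1"  # address named in the thread


def fingerprint(host, port=80, timeout=3):
    """GET / and return (status, Server, WWW-Authenticate), or None if nothing answers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return (resp.status, resp.getheader("Server"), resp.getheader("WWW-Authenticate"))
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def assess(lan_cidr, gw_fp, legacy_fp):
    """Classify what answered on 192.168.1.1, given the LAN subnet and both fingerprints."""
    if ipaddress.ip_address(LEGACY_ADDR) in ipaddress.ip_network(lan_cidr, strict=False):
        return "not-applicable"  # 192.168.1.1 is an ordinary address on this LAN
    if legacy_fp is None:
        return "no-response"     # nothing answered HTTP on 192.168.1.1
    if legacy_fp == gw_fp:
        # Same headers as the gateway's admin page. Suggestive, not conclusive:
        # an upstream router of the identical model would also match.
        return "same-device"
    return "other-device"        # something else answered, e.g. upstream router "A"


def check(lan_cidr, gateway_ip):
    """Live check, to be run from a host on the router's own LAN."""
    return assess(lan_cidr, fingerprint(gateway_ip), fingerprint(LEGACY_ADDR))


if __name__ == "__main__":
    # Constructed sample responses (not real firmware output); no traffic is sent.
    gw = (401, "httpd", 'Basic realm="router-B"')
    upstream = (401, "lighttpd", 'Basic realm="router-A"')
    print(assess("192.168.22.0/24", gw, gw))
    print(assess("192.168.22.0/24", gw, upstream))
    print(assess("192.168.22.0/24", gw, None))
    print(assess("192.168.1.0/24", gw, gw))
```

In AVD's cascaded setup a "same-device" result on router B's LAN is the behaviour NetFixer reports, while "other-device" means the request was forwarded and router A answered.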


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

reply to NetFixer

said by NetFixer:

said by NetFixer:

If an intruder already has access to your LAN, it is not your network anymore (whether they get root access to your perimeter router or not).

I don't agree, think public access to a coffee shop or whatnot. A public user on the wlan should not be able to root the router. This is not the same as physical/software security.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Reviews:
·CenturyLink

said by AVD:

A public user on the wlan should not be able to root the router.

Valid point.

Devices on my WLAN or other subnets (than the one my PCs are in) cannot access my router.
--
Don't feed trolls--it only makes them grow!


EGeezer
Go Cats
Premium
join:2002-08-04
Midwest
kudos:8

reply to NetFixer

said by NetFixer:

Actually Cisco/Linksys uses the 192.168.1.1 LAN IP address accessibility as a pseudo replacement for a serial interface so that the device can be accessed easily if the user (or an intruder) doesn't know that router's LAN IP address. They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface.

In order for this to be exploited from a WAN side or wireless client, I'd think that remote administration and wireless HTTP and HTTPS would need to be enabled.
--
Buckle Up. It makes it harder for the aliens to suck you out of your car.
