According to DefenseCode: "exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected."
That article said Linksy was issuing a fix...for that old of a Linksy router? I am surprised if that is true. I'm sure they won't be issuing a fix for my nine year old Linksy router which isn't even the last version of that router. The last version would be about eight years old.
quote: Months ago, we've contacted Cisco about a remote preauth (root access) vulnerability in default installation of their Linksys routers that we've discovered. We gave them detailed vulnerability description along with the PoC exploit for the vulnerability.
They said that this vulnerability was already fixed in latest firmware release... Well, not this particular vulnerability, since the latest official Linksys firmware - 4.30.14, and all previous versions are still vulnerable.
Exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected. Cisco Linksys is a very popular router with more than 70,000,000 routers sold. That's why we think that this vulnerability deserves attention.
What is being demonstrated in their video is not a remote exploit. Launching an application targeting 192.168.1.1 is not going to access a remote router.
Perhaps they have more that they are not showing in the video, but accessing a router from its LAN interface is not necessarily the same as accessing it from its WAN interface (which would be a requirement to be called a remote exploit). If an intruder already has access to your LAN, it is not your network anymore (whether they get root access to your perimeter router or not).
Do these routers have a serial (RS-232) interface? Evidently using anything other than that is "remote access". I've always considered that to be from the WAN side as well. That's what most of us are worried about (and cascaded routers helps somewhat against that).
Do these routers have a serial (RS-232) interface? Evidently using anything other than that is "remote access". I've always considered that to be from the WAN side as well. That's what most of us are worried about (and cascaded routers helps somewhat against that).
Many of the Linksys routers have an internal header that can be converted to a serial interface, but I have never run across a Linksys router (and make no mistake, it is Linksys routers that are being discussed, not real Cisco routers) that had an actual external serial interface from the factory (not even their business class routers have them). However even if the router(s) in question had serial ports, one would not be accessing a serial port via 192.168.1.1 as is shown in the POC video.
Ahhh. I have a non big box store router (i.e. not a Linksys, Netgear etc) and it has a serial interface. I find that handy at times.
Actually Cisco/Linksys uses the 192.168.1.1 LAN IP address accessibility as a pseudo replacement for a serial interface so that the device can be accessed easily if the user (or an intruder) doesn't know that router's LAN IP address. They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface. I have complained to Cisco/Linksys about this vulnerability, but their reply was that it was a feature, not a vulnerability. This practice may not be universal for all Linksys routers, but I have found it to be so on many of them...my Cisco/Linksys/Vonage RTP300 seems to be an exception to that rule, but it uses Vonage firmware instead of Linksys firmware.
They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface.
is this true? If I have router A (192.168.1.xxx) plugged into router B (192.168.22.xxx) and I have a device with a browser on "B"'s lan and type 192.168.1.1 do I still get "B"s admin page? I can't say I've ever encountered this, and I've been in this environment many times.
If an intruder already has access to your LAN, it is not your network anymore (whether they get root access to your perimeter router or not).
I don't agree, think public access to a coffee shop or whatnot. A public user on the wlan should not be able to root the router. This is not the same a physical/software security.
Actually Cisco/Linksys uses the 192.168.1.1 LAN IP address accessibility as a pseudo replacement for a serial interface so that the device can be accessed easily if the user (or an intruder) doesn't know that router's LAN IP address. They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface.
In order for this to be exploited from a WAN side or wireless client, I'd think that remote administration and wireless HTTP and HTTPS would need to be enabled.
The attack appears to be a LAN attack only at this time. This seems to involve busybox, and port 5555 with default 192.168.1.1. From the youtube link in the video -
We're still investigating some tricks to exploit this vulnerability from the internet, but for now, yes - it seems safe from the outside of the network. Of course, unless services are available from the internet.
Regards,
Leon Juranic
CEO
DefenseCode
It isn't clear if this exploit affects Tomato, Tomato USB, DD-WRT or any other open source variant of Linux based routers.
If an intruder already has access to your LAN, it is not your network anymore (whether they get root access to your perimeter router or not).
I don't agree, think public access to a coffee shop or whatnot. A public user on the wlan should not be able to root the router. This is not the same a physical/software security.
And a properly setup public WiFi hotspot will not allow access by WiFi guests to the underlying infrastructure, or between WiFi clients. I have setup many such hotspots, and I used at least small business class routers and separate access points that can be setup to be secure. I have never setup a public WiFi hotspot using a residential grade WiFi router (although I have replaced those with proper equipment).
[sermon]Any business that operates a public WiFi hotspot without using the proper equipment that has been securely configured is just begging to be owned.[/sermon]
The attack appears to be a LAN attack only at this time. This seems to involve busybox, and port 5555 with default 192.168.1.1. From the youtube link in the video
I'm not sure I agree with that. The video shows them access busybox after gaining access to the router. And port 5555 seemed to me to just be the port opened by the previously successful exploit. Of course I could be mistaken. I don't think they actually show any detail as to how the exploit is done.
Actually Cisco/Linksys uses the 192.168.1.1 LAN IP address accessibility as a pseudo replacement for a serial interface so that the device can be accessed easily if the user (or an intruder) doesn't know that router's LAN IP address. They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface.
In order for this to be exploited from a WAN side or wireless client, I'd think that remote administration and wireless HTTP and HTTPS would need to be enabled.
Yes, that (like the vulnerability this thread is about) is strictly a LAN side vulnerability, but an unnecessary one in my opinion. It just makes an XSS attack (which the vulnerability this thread is about seems to be) that much easier. Changing the default values for the LAN side of a residential/soho router has long been a sage security recommendation, and a deliberate bypassing of that measure by the manufacturer just does not seem like a wise move to me.
I'm not sure I agree with that. The video shows them access busybox after gaining access to the router. And port 5555 seemed to me to just be the port opened by the previously successful exploit. Of course I could be mistaken. I don't think they actually show any detail as to how the exploit is done.
Cisco's patch is up for the WRT54GL, says it fixes issue with XSS (cross site scripting).
The vulnerability enables one-liner ownership of DD-WRT boxes. For example, typing the following into your browser while within a hot spot served by a DD-WRT router will provide root shell access on port 5555:
With the spaces removed, you can see this is just a call to the venerable netcat (i.e. nc) command, which sets up a tiny server on port 5555 running the shell (/bin/sh). Once the shell service is thus initiated, you can log in using telnet and execute commands note that the shell prompt is not displayed: