 bl4h
join:2002-11-17 Reading, PA
| [Security] linksys dhcp exploit
Dunno if it's been posted (I searched, saw nothing), but is Linksys working on a firmware fix for this?
»www.packetstormsecurity.com/file···t.c.html |
|
 rwhitby
join:2002-01-22 Australia | I tried running the exploit code against my WRT54GS running Sveasoft Satori-3.8 firmware and found no vulnerability (the router just drops the nefarious BOOTP packets and logs the fact in /var/log/messages).
-- Rod |
|
 ElJay
join:2004-03-17
·Great Works Internet
1 edit | reply to bl4h The comments on the source code mention that he has successfully spied on users with this hack. I'm a bit confused as to whether this is a vulnerability limited to the LAN side of the router or if this affects the WAN connection as well. Since the DHCP server only works on the LAN ports, does this mean that this exploit can only be used by people on the LAN?
This is certainly something that needs to be fixed immediately, but if it's only vulnerable on the LAN side then I'm not going to worry too much about it. |
|
 bl4h
join:2002-11-17 Reading, PA
| If it were a local exploit, he would have labeled it as such. He says remote:
* Tested on a fully updated Linksys BEFSR41 and BEFW11S4, but will likely work on all Linksys devices that have a DHCP server. Currently, this looks to include at least the BEFN2PS4, BEFSR41, BEFSR81, BEFSX41, RV082, BEFCMU10, BEFSR11, BEFSR41W, BEFSRU31, BEFVP41, WRT55AG, WRV54G, WRT51AB
|
|
 ElJay
join:2004-03-17
·Great Works Internet
| What he wrote is ambiguous. "Remote" in this context means to me that it is performed without having direct access to the router via a login (e.g. telnet or web interface) or input device like a keyboard (which our routers obviously don't have.) "Remote" could mean a person accessing the router via the LAN ports, the WAN port, or both.
He thinks it is a flaw which affects models with a DHCP server "on any of its ports if it's a hub/switch," so I don't understand why the DHCP server in the router would be responding to stuff coming from the WAN port. |
|
  fggd
| reply to bl4h OK, I am amazed at how little information I am seeing on this new exploit. I rely on the DHCP server because I don't have a static IP, and now I don't feel safe being online when someone could hack my router and then my PC with an easy script. What's the official Linksys word on this??? |
|
  Fidel Castro
@69.158.x.x
| reply to bl4h It's very surprising that we're not really discussing this issue, which seems to be very serious. Anyways, Linksys did update some firmware for some of their products to deal with the exploit, not sure which exact products though. I know they've fixed it on the BEFSR41. In the meantime, you should set everything to static IP and disable the DHCP server.
Post what you think. |
|
 bl4h
join:2002-11-17 Reading, PA | Dunno, but I emailed Linksys tech support with this same link yesterday. It appears to be serious, but I know as much about it as you guys. I don't have a Unix box to compile and run the exploit code. Someone needs to play with it and get it working. |
|
 ElJay
join:2004-03-17
·Great Works Internet
1 edit | reply to bl4h I don't have a Unix machine either, but today I hacked together a program that would send bogus BOOTP requests to my BEFSX41. It is definitely replying to these packets with data from its memory when sent these requests from a LAN port. I tried it similarly via the WAN port and couldn't get it to respond. Unfortunately I don't know if this is because I'm doing something wrong or if it's simply not vulnerable from the WAN port. |
|
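The LAN-versus-WAN test ElJay describes above, written out as an added example (this is not code from the thread, from Linksys, or from the packetstorm exploit). It sends only a standard RFC 2131 DHCPDISCOVER, because the specific trigger the published exploit uses is not given on this page; what it adds is the receiving side, a strict options parser and a checker that flags bytes a well-formed BOOTP reply should never carry (non-NUL bytes after the string terminator in sname/file, bytes after the END option, malformed option lengths). Those heuristics are this example's own assumptions about where stray memory would show up, not a description of the real bug. The sample_reply() data is constructed for offline testing; probe() is the only part that touches the network.

```python
# Added example (not code from the thread, from Linksys or from the packetstorm
# exploit). It sends only a standard RFC 2131 DISCOVER; the exploit's trigger is
# not on this page. The anomaly heuristics are this example's own assumptions.
import secrets
import socket
import struct
import sys

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68   # BOOTP/DHCP ports, not 80 (avd706)
MAGIC_COOKIE = b"\x63\x82\x53\x63"            # RFC 2131 options cookie
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"      # 236-byte BOOTP fixed header


def build_discover(mac: bytes, xid: int) -> bytes:
    """Minimal, well-formed DHCPDISCOVER (BOOTREQUEST) datagram."""
    fixed = struct.pack(
        FIXED_FMT, 1, 1, 6, 0,  # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,         # xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
        mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)   # chaddr, sname, file
    return (fixed + MAGIC_COOKIE + bytes([53, 1, 1])   # message type DISCOVER
            + bytes([55, 3, 1, 3, 6]) + bytes([255]))  # request list, END


def parse_options(raw: bytes):
    """Strict TLV walk of the options area; returns (options, bytes after END).
    Raises ValueError when a declared length runs past the buffer: that is the
    bounds check a DHCP server must make before copying option bytes into its
    reply, and skipping it is how a bad request becomes a read of server memory."""
    if raw[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(raw):
        code = raw[i]
        if code == 0:                       # PAD
            i += 1
            continue
        if code == 255:                     # END
            return opts, raw[i + 1:]
        if i + 1 >= len(raw):
            raise ValueError(f"option {code}: length byte missing")
        length = raw[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(raw):
            raise ValueError(f"option {code}: declares {length} bytes, "
                             f"only {len(raw) - start} remain")
        opts[code] = raw[start:end]
        i = end
    raise ValueError("options area has no END option")


def inspect_reply(reply: bytes, xid: int) -> list:
    """List anomalies in a BOOTP/DHCP reply; [] means an ordinary OFFER."""
    findings = []
    if len(reply) < 240:
        return [f"reply too short ({len(reply)} bytes) for BOOTP + cookie"]
    op, _, _, _, rxid = struct.unpack("!BBBBI", reply[:8])
    if op != 2:
        findings.append(f"op={op}, expected BOOTREPLY (2)")
    if rxid != xid:
        findings.append(f"xid {rxid:#x} does not match ours {xid:#x}")
    for name, field in (("sname", reply[44:108]), ("file", reply[108:236])):
        nul = field.find(b"\0")             # anything after the terminator
        if nul != -1 and field[nul:].strip(b"\0"):   # was never meant to go out
            findings.append(f"{name}: non-NUL bytes after string terminator")
    try:
        opts, trailing = parse_options(reply[236:])
    except ValueError as err:
        return findings + [f"options: {err}"]
    if opts.get(53) != b"\x02":
        findings.append(f"message type {opts.get(53)!r}, expected OFFER (2)")
    stray = len(trailing.strip(b"\0"))
    if stray:
        findings.append(f"{stray} non-zero bytes after END option")
    return findings


def sample_reply(xid: int, sname: bytes = b"\0" * 64, extra: bytes = b"") -> bytes:
    """Constructed OFFER for offline tests (not a capture from any router);
    `extra` is appended after END to imitate a reply carrying stray bytes."""
    fixed = struct.pack(FIXED_FMT, 2, 1, 6, 0, xid, 0, 0, b"\0" * 4,
                        bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1]),
                        b"\0" * 4, b"\0" * 16, sname, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, 2, 54, 4, 192, 168, 1, 1, 255]) + extra


def probe(server_ip: str, timeout: float = 3.0) -> list:
    """Network use only (port 68 usually needs root): one DISCOVER, one reply."""
    xid, mac = secrets.randbits(32), b"\x02" + secrets.token_bytes(5)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("", DHCP_CLIENT_PORT))
        sock.sendto(build_discover(mac, xid), (server_ip, DHCP_SERVER_PORT))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return ["no reply: server dropped the request or never saw it"]
    return inspect_reply(reply, xid)


if __name__ == "__main__":
    xid = 0x1234ABCD                      # offline demo on constructed data
    print("clean:", inspect_reply(sample_reply(xid), xid))
    bad = sample_reply(xid, sname=b"gw\0" + b"A" * 61, extra=b"\x7fELF")
    print("suspicious:", inspect_reply(bad, xid))
    if len(sys.argv) > 1:                 # e.g. 192.168.1.1 from a LAN host
        print(sys.argv[1], "->", probe(sys.argv[1]) or ["ordinary OFFER"])
```

Run it with no arguments for the offline demonstration, or with the router's address from a LAN host and then again from a host on the WAN side against the WAN address. A timeout from the WAN side with findings (or a clean OFFER) from the LAN side matches what ElJay reports; a reply from the WAN side at all would be the more interesting result, since a DHCP server should never answer there.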
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to Fidel Castro said by Fidel Castro: It's very surprising that we're not really discussing this issue, which seems to be very serious. Anyways, Linksys did update some firmware for some of their products to deal with the exploit, not sure which exact products though. I know they've fixed it on the BEFSR41. In the meantime, you should set everything to static IP and disable the DHCP server.
Post what you think.
The only firmware update I see for the BEFSR41 version 3 is dated April 1 2004. So, where do I get this fix? -- "Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Viktor Frankl - Man's Search for Meaning |
|
 hg1981
join:2003-08-10 Los Angeles, CA | reply to bl4h No fix yet, but those of us with BEFSR41 v3 can forward port 80 to a non-existent IP... I am not 100% sure that this will help around this... but it's better than nothing. |
|
avd706 insert annoying animated gif here Premium join:2003-02-06 Union, NJ | reply to bl4h BOOTP is not port 80 but 67 and 68 |
|
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
1 edit | reply to bl4h Linksys User Exploit
1. How are you going to have the router block them before they get to the router?
2. This explicit announcement creates a need to replace the router. It is a good marketing exploit for other router makers and security consultants to publicly broadcast explicit exploit code.
By posting a direct link to the exploit we reduce our own security.
We are exploiting ourselves.
Over in the regular BBR Security Forum links to explicit exploits are banned. It might make sense to consider such a policy here.
(And no, the script kiddies didn't know about it already. If they did, the announcement would have been made a long time ago.)
------------------
Your router's DHCP hands out IP addresses on your LAN.
The bypass for the problem is to turn off DHCP on your router, and to configure each device on your LAN with its own static IP address.
This has no effect on the DHCP that your ISP runs. That DHCP hands out IP addresses on the Internet. |
|
 hg1981
join:2003-08-10 Los Angeles, CA
| reply to bl4h Re: [Security] linksys dhcp exploit
Forwarding port 80 might apply for this new exploit »www.securitytracker.com/alerts/2···357.html
As for the BOOTP exploit, I have read to just disable the DHCP server (but that would be pointless for all of the non-static-IP users) |
|
  guesting
@sympatico.ca | reply to bl4h »theinquirer.net/?article=16298
is this the same exploit?
Are the beta FWs proof against this problem? |
|
 ElJay
join:2004-03-17
·Great Works Internet
| said by guesting: »theinquirer.net/?article=16298 is this the same exploit?
Yes, that's the same exploit. It only works from the LAN side of the router so the "lots of script kiddies" they refer to in the article aren't going to get very far unless they're in your house or on your wireless network. |
|
  planet
join:2001-11-05 Olmsted Falls, OH
·Cox HSI
| In regards to the exploit from securitytracker dated 6/1/04, how can someone access the administrator setup page via port 80 if it's password protected (meaning the default password has been changed, of course)? And why does port 80 show stealthed when scanned online if exploitable? I assume port forwarding to a non-existent private IP will result in a stealth response (destination unreachable, packet dropped as well). Can someone fill in the blanks for me? TIA |
|
  GPorter It Always Works Better When It's On
join:2001-03-21 San Antonio, TX
| reply to bl4h If you have "Remote Management" turned off, the router is supposed to just ignore any command-type traffic from the WAN side anyway. Further, the DHCP server should ONLY see the LAN side of the router. Sure, I can do all sorts of nasty things to the other computers on my LAN, but I may as well go do it on them directly rather than playing through the network.
(personal opinion only) I get the feeling that this "exploit" is really somebody trying to get a bit of press for himself by using a non-existent vulnerability. (/personal opinion only) -- Glenn-Remembering 9-11-01 "Let's Roll!" |
|
 jofallon Premium join:2002-01-05 Oak Park, IL
·Lightning Bolt DSL
2 edits | One note on all of this - there are four or five different news and security sites reporting these possible vulnerabilities, and I'd guess all of them are likelier to be read by the evil-minded than this forum. Citing a link to these sites is not likely to increase anyone's danger. Given the wide number and variety of problems people seem to have with just about every version of Linksys firmware, though, it would be a real trick to write a program that actually worked correctly with all the various "beta" and near-beta firmware versions (my BEFSX41 shipped with 1.45.3, which was apparently just a shipping beta).
That is not to say that exploits can't or don't exist. If a non-default administrator password can be pulled out of the router by a remote exploit, that could be very ugly, given all the data that flows through the router that is not encrypted, including (perhaps) local network traffic. I know that no cheap router is perfect; I've seen all the complaints about Netgear and SMC and D-Link. But the problems with these Linksys things seem a good bit more serious, and the company's seeming indifference to these problems makes me want to consider a real, expensive router. Perhaps if you pay more, you can get some sort of quality control. Of course, I did pay quite a bit more for the BEFSX41. It's been several weeks since the first report of these problems. It would be good to see a comment or new firmware or a workaround from Linksys. Their lack of comment suggests that there is something to these exploits. |
|
 ElJay
join:2004-03-17
·Great Works Internet
| reply to planet said by planet : And, why does port 80 show stealthed when scanned online if exploitable?
No clue. This makes no sense to me, but I don't own a WRT54G or BEFSR41 so I can't test it out. |
|