nwrickert (Geneva, IL)

Ouch! Security problem in linksys routers

Quoting from a recent bugtraq message (from Steve Scherf):

Subject: Serious flaw in Linksys wireless AP password security

It appears that firmware version 4.50.6 for the Linksys WRT54GS (hardware version 1) wireless router allows wireless clients to connect and use the network without actually authenticating. With WPA Personal/TKIP authentication enabled, the unit allows both clients using encryption with the correct settings and key, and clients not using any encryption. It disallows clients attempting to use encryption with the wrong settings and/or key.

Techless (Hypoluxo)

A link???

Bill

said by funchords: "said by Bill: 'Are you guys gonna make me flash the Linksys firmware onto my WRT54GS to test this? :p' C'mon, you can't tell me you're not curious."

I gave it about 2 seconds of thought, then decided to do it.

Downloading the Linksys stuff right now. Will report back..

seezar (Rochester, NY)

said by Bill: "I gave it about 2 seconds of thought, then decided to do it. Downloading the Linksys stuff right now. Will report back.."

{patiently sits by and awaits the results}

Bill

I don't see it...

I tried setting up the wireless card with a blank WPA-PSK key. I tried setting the wireless card with no security.

Nothing.

Maybe I'm doing something wrong?

Scherf (gracenote.com)

Hi, I'm the original poster to Bugtraq. I wouldn't be surprised if this was a hard one to reproduce. To recount what I did in the hopes that someone else will be able to make it happen: I set the AP to use WPA personal/TKIP with a very long and random password (generated with /dev/random). At the time I was using an older firmware, perhaps a year old. I don't recall what version. I was not getting great reception, so I installed two aftermarket directional antennas. Not a lot of improvement, but not surprising given that there are something like 10 networks in my neighborhood. So I upgraded the firmware in the hope that perhaps they improved some of the connectivity issues. I upgraded through the usual web browser interface without changing any settings before or after. It all seemed to work fine, and I ran with it for a month until a friend noted that my network seemed to be open. His Win XP box showed my net as open, and he connected without a password. I cranked up Macstumbler, and it showed the network as open as well, even though my 4 Macs are configured to use TKIP and were working just fine that way. The Linksys AP was definitely configured to use TKIP, no question, but the network still showed up as open in the scans I ran. The original post tells the rest of the details. I wonder if the firmware update process put the unit into a weird state or something?

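The check behind the symptom described above, as an added example that is not code from this thread or from Linksys: a scanner such as Macstumbler or Netstumbler labels a network "open" from what the AP's beacon actually advertises (the capability field's Privacy bit and the WPA/RSN information elements), so the defensive test is to compare that with what the web GUI claims. The beacon bodies here are constructed samples; the field layout is the 802.11 beacon format.

```python
# Added example (not code from the thread or from Linksys): decide from a beacon
# frame body whether an AP is actually advertising WPA, the way a scanner such as
# Netstumbler or Macstumbler does, and compare that with the configured setting.
import struct

PRIVACY_BIT = 0x0010                  # 802.11 capability bit 4: encryption required
WPA_IE_HDR = b"\x00\x50\xf2\x01"      # Microsoft OUI + type 1 = WPA vendor IE
TKIP_SEL = b"\x00\x50\xf2\x02"        # WPA selector for TKIP cipher / PSK AKM
RSN_IE = 48                           # WPA2 is carried in the RSN element
VENDOR_IE = 221


def build_beacon_body(ssid, privacy=False, wpa_tkip_psk=False):
    """Constructed sample beacon body (the part after the 802.11 MAC header)."""
    caps = PRIVACY_BIT if privacy else 0
    body = struct.pack("<QHH", 0, 100, caps)          # timestamp, interval, capability
    body += bytes([0, len(ssid)]) + ssid.encode()     # IE 0: SSID
    if wpa_tkip_psk:
        # version 1, group cipher TKIP, 1 pairwise cipher TKIP, 1 AKM PSK
        wpa = (WPA_IE_HDR + b"\x01\x00" + TKIP_SEL + b"\x01\x00" + TKIP_SEL
               + b"\x01\x00" + TKIP_SEL)
        body += bytes([VENDOR_IE, len(wpa)]) + wpa
    return body


def iter_ies(body):
    """Yield (element id, payload) for every information element in the body."""
    pos = 12                                          # skip the three fixed fields
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        yield eid, body[pos + 2:pos + 2 + elen]
        pos += 2 + elen


def advertised_security(body):
    """Return 'OPEN', 'WEP', 'WPA' or 'WPA2' as the AP announces it over the air."""
    caps = struct.unpack_from("<H", body, 10)[0]
    ies = list(iter_ies(body))
    if any(eid == RSN_IE for eid, _ in ies):
        return "WPA2"
    if any(eid == VENDOR_IE and data[:4] == WPA_IE_HDR for eid, data in ies):
        return "WPA"
    if caps & PRIVACY_BIT:
        return "WEP"
    return "OPEN"


def gui_matches_air(configured, body):
    """True when what the web GUI reports is what the radio broadcasts.
    'WPA' configured but 'OPEN' on the air is the mismatch described in the thread."""
    return advertised_security(body) == configured


if __name__ == "__main__":
    healthy = build_beacon_body("linksys", privacy=True, wpa_tkip_psk=True)
    broken = build_beacon_body("linksys")              # what the stumblers saw
    print(advertised_security(healthy), gui_matches_air("WPA", healthy))   # WPA True
    print(advertised_security(broken), gui_matches_air("WPA", broken))     # OPEN False
```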
Bill

When you upgraded the firmware from the previous version, did you "Restore Factory Defaults" after the upgrade?

If you didn't, it is possible it was in a "weird state".

I upgraded a few months ago from Alchemy to DD-WRT and since I didn't "Restore Factory Defaults" some settings would not take and I was getting random errors in the web GUI. It's like random garbage was stored in memory instead of the values I tried setting.

I will try flashing to DD-WRT, then back to Linksys, without restoring defaults and see what happens.

Thanks Bill.

Kabanos

said by Bill: "...Maybe I'm doing something wrong?"

Do not use the newest Firmware Version: 4.70.6; try it with the old one (Firmware Version: 4.50.6)

-- non nova, sed nove

funchords (Washington, DC)

Is it expected that this router would retain its memory across firmware updates?

-- Robb (not a Linksys router user)

Bill

I don't know much about the internal workings of this router, but I do know they act weird when they aren't "Restoring" after updates. I am not sure why the web config is reporting inaccurate data.

As an update, I got the same results when flashing from DD-WRT to Linksys 4.50.6, without "Restoring". When I did the flash, with "Restoring", everything worked fine (no WPA problem).

scherf

Good job reproducing this! I guess it actually is an issue with updating. I don't agree about WPA actually being disabled, though, because password validation is functioning. If your password is wrong, you can't connect. Also, my computer reports that it is connected with WPA. The bug is that WPA is "optional".

As for whether it is expected for this unit to keep config after updating, I'm not sure what the vendor advertises. But the unit does seem to keep config and report it exactly as it was before the update. But apparently what it reports doesn't necessarily match what's going on inside.

Greg_Z (Springfield, IL)

What gets me is that you are reproducing the error on a machine that has already been connected to the router that is supposedly connected prior to the upgrade.

In order to do a real world test, you have to use a machine that has never been connected via wifi to the router in order to see if there is a true claim in this possible security hole.

-- One man's customer loyalty is another man's misguided arrogance.

Bill

I only have one machine with wireless.

I changed the SSID and wireless MAC address on the router prior to connecting to it with my laptop, so that should make it like the computer has never seen it before, hopefully.

If anyone else has a WRT54GSv1, or even a regular WRT54G, I'd be interested in seeing what results you get.

justageek (Marietta, GA)

Ask SW Bill and you shall receive

I can't recreate the issue on the G... using 4.00.7 = No issue, using 4.20.6 = No issue

Dare I speculate that this bug is confined to the GS routers or am I just not testing things right??

Equipment tested:
1 Dell C600
1 Linksys WPC54G version 2 with no firmware updates and standard Linksys drivers
1 Linksys WRT54G version 3

1.) Flashy Flashy to 4.20.6
2.) Run Netstumbler
3.) Found other networks, mine was "missing".
4.) Flashy Flashy to 4.00.7
5.) See step 2
6.) See step 3
7.) Flashy Flashy to 4.20.6
8.) Router cranky at first, but works fine now.

Laptop is a unit that I took out of work and has never been wireless. XP installed on it from ground zero (no slipstreamed SP2). After I got all the fun fun stuff on it (at the office), I popped in the NIC and gave it the drivers.

Maybe I have a sooper router???

Nerdtalker (Tucson, AZ)

said by Bill: "• Flash from Linksys 4.50.6 to DD-WRT. • I looked in the web GUI after the flash and the WPA settings from my previous Linksys firmware were still in there. • I set my wireless card to "Disabled" for security settings. I was able to connect right up (see attached image). I'm guessing that even though the WRT54GS web config is reporting WPA is enabled, it's not really enabled."

Wow, interesting vulnerability.

Are 3rd party firmware distros built on the 4.50.6 linux-GPL code also affected?

-- "Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

Bill

I was able to produce this problem on both Linksys 4.50.6 and DD-WRT v22.

I'm not sure which Linksys version DD-WRT v22 is based on.

funchords (Washington, DC)

Isn't Bill the best for putting in the time on this one?

Great job!!

Greg_Z (Springfield, IL)

Definitely he is doing something that is going to help everyone out in the long run. I am wondering how far into the WRT line this problem goes..

-- One man's customer loyalty is another man's misguided arrogance.

Glen T (BC)

said by Bill: "It gives me something to do until school starts again"

Greg_Z, I'm also interested in seeing which other WRT's this applies to. If I had another WRT54G, or WRT54GS, I'd test it out. I'm still waiting for the definitive response from Linksys support regarding the feasibility of using the save/restore settings after a firmware upgrade/reset.

If I get the green light from Linksys, I'd like to try the whole process along with restoring from a saved conf file on my WRT54G v1.1. I'll be upgrading the firmware from v3.03.6 to v4.20.6. I don't have a 'virgin' client, though, so I'd have to wipe one to give this a try. I may also be able to grab my nextdoor neighbour's laptop.

Glen T (BC)

Here is the question that I asked Linksys support:

Thanks for your reply. I just want to confirm your answer:

I can use the Config Management tool to restore a previously saved config file, saved before I did a firmware upgrade. In other words, the following:
1. My router is using firmware version X. I create a back up config file from version X.
2. I upgrade my router to firmware Y.
3. I do a factory reset following the firmware upgrade.
4. I do a restore of my config file to restore my settings.
This will work?

Here is the response:

Yes. It is the configuration or the settings that you need to save and not the firmware. Create a back up first then restore it after.

I have not had time to try this yet, but I plan to do the entire procedure on my WRT54G -- hopefully today. After all, who wouldn't want to miss the opportunity of turning their router into a doorstop?

I'll post my findings when I'm done. Please allow time for me to run to the store and buy a new WRX router!

My objective is to establish whether or not I can reproduce the reported conditions, and whether or not you can restore a saved config file after an upgrade of firmware. This would at least provide a decent workaround.

Note that I am using an access restriction table on the router which limits access to the Internet for several computers based on their MAC numbers and time of day. Should be interesting to see if that survives the restore, along with other settings.

Glen T (BC)

Well here are the results of my test:

1. I saved a config file from firmware v3.03.6 on my WRT54G v1.1 router.
2. I used the HTML interface to apply the firmware update to v4.20.6.
3. Tried logging on from my laptop using a Linksys WUSB11 v2.6 adapter on my neighbour's laptop (which has seen my secure connection in the past). I could not log on. However, he is running WinXP without SP2, so it saw my connection as WEP (not WPA).
4. I brought his WUSB11 v2.6 connector to my laptop, installed it, and set it up. It identified my connection as secure, but I could not log on.
5. My other wireless PC which was on and connected throughout the upgrade remained connected.
6. I did a factory reset on the WRT54G. All settings including the password for log on were purged.
7. I successfully logged onto the newly unsecured connection from my laptop.
8. I then applied the saved config file made from firmware v3.03.6. My settings appear to be completely restored with no problems. The router never complained or warned in any way about the different version of the config file.

Conclusions:

1. This was not a clean test for reproducing the problems with unsecured logon following the firmware upgrade. I didn't have access to a clean client that had not previously seen my router. However, the router did end up in a state where I could not log on from my laptop prior to doing a factory reset.
2. My test showed that it is at least feasible to save your config to file prior to upgrading the firmware, and then restore your settings after a factory reset. On the WRT54G, this could be a recommended workaround. Linksys support confirmed this (for what that's worth).

Yoofer (Beulah Land)

Okay, I'm not new to networking, but extremely new to wireless (under 1 week with the Linky WRT54G, firmware 3.03.6). So am I correct that the consensus is this is an issue related to old settings not being purged after a firmware update? Has anyone been able to confirm this behavior in the G? Or only the GS? Am I okay with my currently installed firmware? How does MAC filtering figure in? Mine is currently set to permit only, with just the MAC of my notebook's built-in wireless adapter entered. Sorry for all the questions, still learning...

Some (relevant?) settings:
SSID broadcast disabled
Firewall enabled
WPA-TKIP enabled
MAC filtering (permit only) enabled

I have a friend coming over to the house in a couple of days - I'll have him bring his wireless notebook (it's never seen my router) and see if he can connect. I'll post back with the results...

-- Ken S.

Yoofer (Beulah Land)

Quick update to my settings: just switched to WPA-AES.

-- Ken S.

Bill

Anyone else out there with a WRT54GSv1 able to get the same results as me?

Bill

It's definitely a problem, but I'm not sure if it can be addressed and fixed by Linksys or the third-party providers.

Obviously, people don't want to "Restore to Factory Defaults" because they'll lose their settings and have to re-enter them, but it may have to be done to prevent this security problem.

funchords (Washington, DC)

said by Bill: "It's definitely a problem, but I'm not sure if it can be addressed and fixed by Linksys or the third-party providers. Obviously, people don't want to "Restore to Factory Defaults" because they'll lose their settings and have to re-enter them, but it may have to be done to prevent this security problem."

Yes, but OTOH, there's no guarantee that one firmware version is going to use the same keywords or values as the other.

Something like that is probably what's happening here. Between version x and y, something got flipped or skipped.

This is a good bug. Although it is security related, it's not likely going to be exploited.

-- Robb Topolski, http://www.funchords.com/, Hillsboro, Oregon USA

kpr92400 (Brookfield, IL)

said by funchords: "This is a good bug. Although it is security related, it's not likely going to be exploited."

Not likely that it's going to be exploited?!? Unless this particular firmware upgrade scenario is unlikely, it's going to happen, and it's going to get wardriven and exploited someday.

n.b. I just bought a WRT54G from newegg, and while it was hardware v4, it had some pretty ancient firmware on it...

avantare (Farmington, MI)

I just purchased a WRT54G from CompUSA, hw is v4, and the first thing I did was check the firmware. It's the latest.

Chuck

-- A computer is not a tool. When was the last time you had to do maintenance on your screwdriver?

dad123 (Bremerton, WA)

I always wondered: if you restore factory defaults, can you reapply your previously saved configuration file and not mess up the settings?

WALL_E (USA)

When you say that it is necessary to restore factory defaults after upgrading the firmware, does that mean restoring defaults by pressing and holding the recessed button on the back of the router, or by restoring defaults through the router's web interface, or does that not make a difference? I have always restored the router by pressing and holding the button until the power light began to flash.

Thanks in advance.

I also believe that this is a pretty good bug, but as Linksys does highly recommend resetting after a firmware upgrade, it is not as big of an issue as I had originally thought. Perhaps in the future, Linksys can have their upgrade utility display a warning box after the firmware upgrade completes, which urges the user to reset the router, with several scolding warning messages if the user decides not to. Or they could even make the upgrade utility reset the router without asking after a firmware upgrade.

Greg_Z (Springfield, IL)

Just changing the SSID and Wireless NIC MAC address will not do it. The machine that is being used still remembers the MAC address of the device that you are connecting to. You really have to use something like Knoppix or another machine in order to see if there is a vulnerability out there.

-- One man's customer loyalty is another man's misguided arrogance.

Bill

I should have been more specific; I cloned the wireless AP's MAC address, not the wireless card's. That should make a difference, right?

I can try it with my Linux laptop and see what happens.

Bill

Still letting me on after a reboot, SSID change, wireless MAC change.

See picture.

Greg_Z (Springfield, IL)

If you are just changing the Wifi A/P MAC, are you changing the MAC on the NIC at the time of reboot? MAC address scheming can work both ways, and if the A/P is still associating the MAC of the NIC at the time of reboot, then you may still have problems.

The problem lies in that the A/P still remembers the MAC of the NIC at the time of the reboot along with the Key that it has to send to confirm the key on the A/P and the MAC of the A/P. Unless the IPTables is being flushed at the time of reboot, everything stays in the memory of the A/P.

There is definitely going to be a good White paper out of this.

-- One man's customer loyalty is another man's misguided arrogance.

jebz

said by nwrickert: "With WPA Personal/TKIP authentication enabled, the unit allows both clients using encryption with the correct settings and key, and clients not using any encryption."

This happened to me on my WRT54G v2.2 when upgrading from 4.00.7 to 4.20.6.

I checked all my security settings and they were in place after the upgrade and the wireless network was operating well. I tried to connect a second laptop but it developed a wireless hardware fault. I substituted another card and it reported the wireless network was insecure. This was quite a surprise. This was confirmed by Netstumbler.

I looked at the security settings again and found the latest version of the firmware has a button icon with a lock in it in the Wireless/Basic Wireless Settings. The button showed an open lock. I clicked on the lock and all hell broke loose. It changed all my security settings. I then re-entered my security settings to restore operation. The network then indicated secure on the clients and all operations continued as per the old firmware version.