funchords (Premium, MVM; joined 2001-03-11; Washington, DC)
reply to Yoofer, Re: Ouch! Security problem in linksys routers

said by Yoofer:
So am I correct that the consensus is this is an issue related to old settings not being purged after a firmware update?

Yes, you are correct.
Yoofer (Play It Loud; joined 1999-11-20; Beulah Land)
reply to Yoofer

Quick update to my settings: just switched to WPA-AES.

-- Ken S.
Yoofer (Play It Loud; joined 1999-11-20; Beulah Land)
reply to Glen T

Okay, I'm not new to networking, but extremely new to wireless (under 1 week with the Linky WRT54G, firmware 3.03.6). So am I correct that the consensus is this is an issue related to old settings not being purged after a firmware update? Has anyone been able to confirm this behavior in the G? Or only the GS? Am I okay with my currently installed firmware? How does MAC filtering figure in? Mine is currently set to permit only, with just the MAC of my notebook's built-in wireless adapter entered. Sorry for all the questions, still learning...

Some (relevant?) settings:
• SSID broadcast disabled
• Firewall enabled
• WPA-TKIP enabled
• MAC filtering (permit only) enabled

I have a friend coming over to the house in a couple of days - I'll have him bring his wireless notebook (it's never seen my router) and see if he can connect. I'll post back with the results...

-- Ken S.
Glen T (joined 2003-11-03; BC)
reply to Glen T

Well, here are the results of my test:

1. I saved a config file from firmware v3.03.6 on my WRT54G v1.1 router.
2. I used the HTML interface to apply the firmware update to v4.20.6.
3. Tried logging on from my laptop using a Linksys WUSB11 v2.6 adapter on my neighbour's laptop (which has seen my secure connection in the past). I could not log on. However, he is running WinXP without SP2, so it saw my connection as WEP (not WPA).
4. I brought his WUSB11 v2.6 connector to my laptop, installed it, and set it up. It identified my connection as secure, but I could not log on.
5. My other wireless PC, which was on and connected throughout the upgrade, remained connected.
6. I did a factory reset on the WRT54G. All settings, including the logon password, were purged.
7. I successfully logged onto the newly unsecured connection from my laptop.
8. I then applied the saved config file made from firmware v3.03.6. My settings appear to be completely restored with no problems. The router never complained or warned in any way about the different version of the config file.

Conclusions:

1. This was not a clean test for reproducing the problems with unsecured logon following the firmware upgrade. I didn't have access to a clean client that had not previously seen my router. However, the router did end up in a state where I could not log on from my laptop prior to doing a factory reset.
2. My test showed that it is at least feasible to save your config to file prior to upgrading the firmware, and then restore your settings after a factory reset. On the WRT54G, this could be a recommended workaround. Linksys support confirmed this (for what that's worth).
Glen T (joined 2003-11-03; BC)
reply to Glen T

Here is the question that I asked Linksys support:

Thanks for your reply. I just want to confirm your answer:
I can use the Config Management tool to restore a previously saved config file, saved before I did a firmware upgrade. In other words, the following:
1. My router is using firmware version X. I create a backup config file from version X.
2. I upgrade my router to firmware Y.
3. I do a factory reset following the firmware upgrade.
4. I do a restore of my config file to restore my settings.
This will work?

Here is the response:

Yes. It is the configuration or the settings that you need to save and not the firmware. Create a backup first, then restore it after.

I have not had time to try this yet, but I plan to do the entire procedure on my WRT54G -- hopefully today. After all, who wouldn't want to miss the opportunity of turning their router into a doorstop?

I'll post my findings when I'm done. Please allow time for me to run to the store and buy a new WRX router!

My objective is to establish whether or not I can reproduce the reported conditions, and whether or not you can restore a saved config file after an upgrade of firmware. This would at least provide a decent workaround.

Note that I am using an access restriction table on the router which limits access to the Internet for several computers based on their MAC numbers and time of day. Should be interesting to see if that survives the restore, along with other settings.
Glen T (joined 2003-11-03; BC)
reply to Bill

said by Bill:
It gives me something to do until school starts again. Greg_Z, I'm also interested in seeing which other WRT's this applies to. If I had another WRT54G, or WRT54GS, I'd test it out.

I'm still waiting for the definitive response from Linksys support regarding the feasibility of using the save/restore settings after a firmware upgrade/reset.

If I get the green light from Linksys, I'd like to try the whole process along with restoring from a saved conf file on my WRT54G v1.1. I'll be upgrading the firmware from v3.03.6 to v4.20.6. I don't have a 'virgin' client, though, so I'd have to wipe one to give this a try. I may also be able to grab my next-door neighbour's laptop.
Bill (Light Up The Halo; Premium, VIP; joined 2001-12-09)
reply to funchords

It gives me something to do until school starts again.

Greg_Z, I'm also interested in seeing which other WRT's this applies to. If I had another WRT54G, or WRT54GS, I'd test it out.
Greg_Z (Premium; joined 2001-08-08; Springfield, IL)
reply to funchords

Definitely, he is doing something that is going to help everyone out in the long run. I am wondering how far into the WRT line this problem goes...

-- One man's customer loyalty is another man's misguided arrogance.
jebz (joined 2002-05-19)
reply to nwrickert

said by nwrickert:
With WPA Personal/TKIP authentication enabled, the unit allows both clients using encryption with the correct settings and key, and clients not using any encryption.

This happened to me on my WRT54G v2.2 when upgrading from 4.00.7 to 4.20.6.

I checked all my security settings and they were in place after the upgrade, and the wireless network was operating well. I tried to connect a second laptop, but it developed a wireless hardware fault. I substituted another card and it reported the wireless network was insecure. This was quite a surprise. This was confirmed by Netstumbler.

I looked at the security settings again and found the latest version of the firmware has a button icon with a lock in it in the Wireless/Basic Wireless Settings. The button showed an open lock. I clicked on the lock and all hell broke loose. It changed all my security settings. I then re-entered my security settings to restore operation. The network then indicated secure on the clients and all operations continued as per the old firmware version.
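The symptom described in this thread is a web GUI that reports WPA enabled while a fresh client and Netstumbler see an open network. The beacon frame is what clients actually act on, so the following added example (editor's code, not from the thread or from Linksys) decodes a beacon body and reports the Privacy bit, the RSN (WPA2) information element and the WPA vendor IE; the two beacon bodies are constructed samples, not captures from any of the routers discussed.

```python
"""Decode what an 802.11 beacon body advertises about encryption (added example:
the thread's routers reported WPA in the GUI while Netstumbler saw an open network)."""
import struct

RSN_TAG, VENDOR_TAG = 0x30, 0xDD
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 = WPA (v1) vendor IE
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def parse_ies(body):
    """Yield (tag, value) from the tagged parameters after the 12 fixed bytes."""
    pos = 12                           # timestamp(8) + interval(2) + capability(2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                      # truncated IE: stop rather than mis-parse
        yield tag, value
        pos += 2 + length

def parse_rsn(value):
    """RSN IE: group cipher suite, pairwise suite list, AKM suite list."""
    count, = struct.unpack_from("<H", value, 6)   # pairwise suite count
    pos = 8
    pairwise = [CIPHERS.get(value[pos + 4 * i + 3], "?") for i in range(count)]
    pos += 4 * count
    akm_count, = struct.unpack_from("<H", value, pos)
    pos += 2
    akms = [AKMS.get(value[pos + 4 * i + 3], "?") for i in range(akm_count)]
    return {"group": CIPHERS.get(value[5], "?"), "pairwise": pairwise, "akm": akms}

def beacon_security(body):
    """Privacy bit, RSN details, WPA1 presence and an overall 'open' verdict."""
    capability, = struct.unpack_from("<H", body, 10)
    result = {"privacy_bit": bool(capability & 0x0010), "rsn": None, "wpa1": False}
    for tag, value in parse_ies(body):
        if tag == RSN_TAG and len(value) >= 8:
            result["rsn"] = parse_rsn(value)
        elif tag == VENDOR_TAG and value[:4] == WPA1_OUI_TYPE:
            result["wpa1"] = True
    result["open"] = not (result["privacy_bit"] or result["rsn"] or result["wpa1"])
    return result

# Constructed sample beacon bodies (not real captures): timestamp, interval 100 TU,
# capability field, SSID IE "linksys"; the second adds a WPA2-PSK RSN IE.
OPEN_BEACON = b"\x00" * 8 + b"\x64\x00" + b"\x01\x00" + b"\x00\x07linksys"
WPA2_BEACON = (b"\x00" * 8 + b"\x64\x00" + b"\x11\x00" + b"\x00\x07linksys"
               + bytes([RSN_TAG, 20]) + b"\x01\x00" + b"\x00\x0f\xac\x02"   # v1, group TKIP
               + b"\x01\x00\x00\x0f\xac\x04" + b"\x01\x00\x00\x0f\xac\x02"  # CCMP pair, PSK AKM
               + b"\x00\x00")                                               # RSN capabilities
```

A beacon whose verdict is `open` while the router's GUI shows WPA enabled is exactly the mismatch the posters above found with a never-before-associated client.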
funchords (Premium, MVM; joined 2001-03-11; Washington, DC)
reply to Bill

Isn't Bill the best for putting in the time on this one?

Great job!!
Bill (Light Up The Halo; Premium, VIP; joined 2001-12-09)
reply to Nerdtalker

I was able to produce this problem on both Linksys 4.50.6 and DD-WRT v22.

I'm not sure which Linksys version DD-WRT v22 is based on.
Nerdtalker (Working Hard, Or Hardly Working?; Premium, MVM; joined 2003-02-18; Tucson, AZ)
reply to Bill

said by Bill:
• Flash from Linksys 4.50.6 to DD-WRT.
• I looked in the web GUI after the flash and the WPA settings from my previous Linksys firmware were still in there.
• I set my wireless card to "Disabled" for security settings. I was able to connect right up (see attached image).
I'm guessing that even though the WRT54GS web config is reporting WPA is enabled, it's not really enabled.

Wow, interesting vulnerability.

Are 3rd party firmware distros built on the 4.50.6 linux-GPL code also affected?

-- "Some people never see the light till it shines thru bullet holes." -Bruce Cockburn
I'm testing Gmail's spam filters: Broadbandreports1@gmail.com Spam: 8800+ messages currently using 268 MB (11%) of my 2442 MB
Greg_Z (Premium; joined 2001-08-08; Springfield, IL)
reply to Bill

If you are just changing the Wifi A/P MAC, are you changing the MAC on the NIC at the time of reboot? MAC address scheming can work both ways, and if the A/P is still associating the MAC of the NIC at the time of reboot, then you may still have problems.

The problem is that the A/P still remembers the MAC of the NIC at the time of the reboot, along with the key that it has to send to confirm the key on the A/P and the MAC of the A/P. Unless the IPTables is being flushed at the time of reboot, everything stays in the memory of the A/P.

There is definitely going to be a good white paper out of this.

-- One man's customer loyalty is another man's misguided arrogance.
Bill (Light Up The Halo; Premium, VIP; joined 2001-12-09)
reply to funchords

Still letting me on after a reboot, SSID change, wireless MAC change.

See picture.
funchords (Premium, MVM; joined 2001-03-11; Washington, DC)
reply to Bill

said by Bill:
I should have been more specific; I cloned the wireless AP's MAC address, not the wireless card. That should make a difference, right?

It will only make a difference one way.

WPA authenticates both sides: STA auth's the AP, AP auth's the STA.

If I were you, I'd repeat your previous steps, but power-cycle the router and reboot the laptop after that point I mentioned above. That way any prior auths or lockouts are forgotten.

-- Robb Topolski http://www.funchords.com/ Hillsboro, Oregon USA Dear Anonymous, Thank you!!! Thank you!!!
Bill (Light Up The Halo; Premium, VIP; joined 2001-12-09)
reply to Greg_Z

I should have been more specific; I cloned the wireless AP's MAC address, not the wireless card. That should make a difference, right?

I can try it with my Linux laptop and see what happens.
funchords (Premium, MVM; joined 2001-03-11; Washington, DC)
reply to Bill

said by Bill:
• I set my wireless card to "Disabled" for security settings

"Greg Z" mentioned this above -- Just changing the SSID and Wireless NIC MAC address will not do it. The machine that is being used still remembers the MAC address of the device that you are connecting to. ...and I just want to back him up on this fact...

If you started with an EAP protocol, then switched the card to disabled, the EAPOL authentication service continues to run -- perhaps stupidly, but it does.

And as long as that MAC address is out there, it will enforce its last instructions.

I agree -- we need to test this with a reboot after the above step mentioned in Re: Ouch! Security problem in linksys routers

-- Robb Topolski http://www.funchords.com/ Hillsboro, Oregon USA Dear Anonymous, Thank you!!! Thank you!!!
justageek (joined 2002-03-07; Marietta, GA)
reply to Bill

Ask SW Bill and you shall receive.

I can't recreate the issue on the G...
using 4.00.7 = No issue
using 4.20.6 = No issue

Dare I speculate that this bug is confined to the GS routers, or am I just not testing things right??

Equipment Tested:
• 1 Dell C600
• 1 Linksys WPC54G version 2 with no firmware updates and standard Linksys drivers
• 1 Linksys WRT54G version 3

1.) Flashy Flashy to 4.20.6
2.) Run Netstumbler
3.) Found other networks, mine was "missing".
4.) Flashy Flashy to 4.00.7
5.) See step 2
6.) See step 3
7.) Flashy Flashy to 4.20.6
8.) Router cranky at first, but works fine now.

Laptop is a unit that I took out of work and has never been wireless. XP installed on it from ground zero (no slipstreamed SP2). After I got all the fun fun stuff on it (at the office), I popped in the NIC and gave it the drivers.

Maybe I have a sooper router???
Greg_Z (Premium; joined 2001-08-08; Springfield, IL)
reply to nwrickert

Just changing the SSID and Wireless NIC MAC address will not do it. The machine that is being used still remembers the MAC address of the device that you are connecting to. You really have to use something like Knoppix or another machine in order to see if there is a vulnerability out there.

-- One man's customer loyalty is another man's misguided arrogance.
Bill (Light Up The Halo; Premium, VIP; joined 2001-12-09)
reply to Greg_Z

I only have one machine with wireless.

I changed the SSID and wireless MAC address on the router prior to connecting to it with my laptop, so that should make it like the computer has never seen it before, hopefully.

If anyone else has a WRT54GSv1, or even a regular WRT54G, I'd be interested in seeing what results you get.