Slashdot Mirror
Vulnerability In Linksys Cable/DSL Router
ispcay writes "Yahoo has published an article on a Linksys vulnerability. An easily exploitable software vulnerability in a common home networking router by Linksys Group could expose thousands of home users to denial of service attacks, according to a security advisory issued by iDefense, a software security company." The article's kinda sparse on details, but does mention that the vulnerability is fixed in the latest firmware release. Upgrade 'em if ya got 'em!
check Popular Linksys Router Vulnerable to Attack
on eWeek also
According to the article, if you have remote management turned off, then people out on the internet can't use the exploit against you.
While I agree that the vast majority of home users will either lack the technical expertise or poise to flash the firmware, these are the people who will plug in the router and forget it, which means remote management won't be turned on so the attack won't be possible (unless the user opens up a telnet or SSH port for NAT pass-thru.
--CTH
--Got Lists? | Top 95 Star Wars Line
http://www.linksys.com/download/default.asp
It looks like in order to cause the crash you have have remote management enabled. Why on earth you would allow your router to be configured from outside on the internet boggles my mind. I would assume that this feature would be disabled by default, but then again who knows. I've owned a few cheap routers before and in order to use remote management you had to be connecting from an internal ip address, along with not coming through the wan port.
Just my 2 cents.
Here is the location of the Linksys BEFSR41 firmware upgrade utility v1.43 released Sept 4, 2002. Its the newest one I could find.
I have one of these, and the remote administration isn't enabled by default.
So for Aunt Tilly, there's no real danger unless the malicious person is on the network.
Anyone remember the Bud Ice commercials? "...I REPEAT! THAT CALL WAS PLACED FROM INSIDE THE HOUSE!!"
I upgraded by BESFR11 and it used the same firmware update as the *41 (4 port switch model) so its pretty safe to assume this version is vulnerable as well.
The firmware updates can be had here:
http://www.linksys.com/download/firmware.asp
Netgear home routers are rock solid when attached to cable modems, but are kind of flakey when attached to PPPoE DSL modems. But, then again, DSL is flakey itself. Just say NO to DSL! And a bigger fucking 'no' to the abortion of a protocol called PPPoE.
When will the media realize that not all DoS attacks are DDoS? DDoS is when the attacker gets a bunch of machines to all send data to the target machine, causing the target to run out of resources to handle all connections, swallowing the legit traffic in the process.
"Normal" DoS is what this is - crashing the target. For example, an old flaw in Wu-FTPD allowed a core dump - crashing the deamon and creating a DoS to anyone who needs it. All it took was a malformed request during a session. One machine required, not many.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
While this is true, it's really not that big of a deal. The article states that for this attack to work from outside your internal network the remote management functionality needs to be turned on. I own a Linksys router and know for a fact that this feature is not enabled by default. Chances are that those knowledgible enough to require, and enable, remote management will be the same tiny percentage who will bother to update their firmware.
While the attack will still work from inside the local network regardless of the state of the remote management function, it's really not a danger. The worst that someone could really do is DOS themselves, and wouldn't that be a shame...
I hate Linksys. I have that router, and it kept crashing on me. Changed the cable, everything, etc. Nothing. Even thought it was the cable modem for a while (would lose net access, but I finally found out the router wouldn't accept internal pings either). They sent me a new one (made ME pay for shipping), and it did the same thing. Tried all firmware versions, nothing.
Well, guess what. When you fire a bunch of UDP packets at it, the NAT routing table overflows and the router crashes (it happens faster if you have your DMZ host address set to a nonexistent address on the network), only to reboot itself in a few minutes. This has been tested and proven, but Linksys' response to me is "it's your software firewall, sir, you shouldn't run both at the same time." What a bunch of ignorant assholes. I informed them of the routing table overflow bug, but they ignored me.
Now, this bug shouldn't really affect anybody cause you really shouldn't run remote admin on your router, but with their shoddy firmware, it doesn't surprise me in the bit!
The following showed up on the NetStumbler site yesterday:
- GlobalSunTech develops Wireless Access Points for OEM customers like Linksys, D-Link and others. Capturing the traffic of a WISECOM GL2422AP-0T during the setup phase showed a security problem.
-
- WISECOM GL2422AP-0T
- D-Link DWL-900AP+ B1 version 2.1 and 2.2
- ALLOY GL-2422AP-S
- EUSSO GL2422-AP
- LINKSYS WAP11 v2.2
(And I just got a WAP11, dammit.)Sending a broadcast packet to UDP port 27155 containing the string "gstsearch" causes the accesspoint to return wep keys, mac filter and admin password. This happens on the WLAN Side and on the LAN Side.
Systems Affected:
Vulnerable, tested, OEM Version from GlobalSunTech:
Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
In other news, JWZ's DNA Lounge is having troubles with their Linksys WAP11-based wireless link, which is their only connectivity right now.
- "...the best sustained throughput they can handle is on the order of 64k."
Ouch.(They lost their T1 due to XO's bankrupcy and above.net closing a facility. Another T1 is on the way, but it'll be a couple weeks...)
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
Providing another 4 ports (one extra bit?) requires the firmware to be that different?
Having used both, I can tell you that they are not "exactly the same" as you put it.
The two models are very different.
For starters, the 8 port version is NOT a few inches wider. It's the exact same width and looks identical from the front except the light arrangement which is slightly different.
Secondly, it's a 4 port Switch AND a 4 port Hub, (4 switched ports, and 4 hub ports).
The 4 Switched ports have QoS options, and the 4 port hub can be given a priority of it's own (higher or lower than the switched ports, I believe).
There are also a few other details in the 8 port version that are not present in the 4 port version so we can safely assume they are functionality that is not present in the 4 port model for obvious reasons (it doesn't need them.)
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
Here is a mailing list archive or yet another redundant reference of this problem. It's almost a year old. Come on slashdotters, don't get sloppy in the deluge huh?
LinkSys only offers a specialized Windows firmware upgrading tool. The router itself has a Java applet that it supposed to work, but didn't for me in Mozilla 1.2b or IE 5.2.2. A friend directed me here. It has instructions on how to upgrade the firmware in Mac OS 9/X using their specialized tool. I worked for me.
It doesn't take much to implement a TCP/IP stack, apparently. Check out a matchhead-sized web server. http://www-ccs.cs.umass.edu/~shri/iPic.html
In one firmware update last year, the "WAN UPDATE" setting was defaulted to yes. This would enable anyone to connect to a linksys router and update the configuration to their hearts content, or write a script to scan through an IP range and automate it.
= tp c&s=50009562&f=469092836&m=5300962863
I reported this to linksys, they quickly gave me another firmware update, but other users reported the same thing.
http://arstechnica.infopop.net/OpenTopic/page?a
fslg503-985-8686503-985-8686503-985-8686503-985-8
Did the same thing, and after digging through linksys's site, i found out there IS a way to correct it. (check the docs, basically you just toss a new firmware up to it even if it doesn't respond. The router portion is seperate from the switch, which seems to be able to flash it.)
tftp address of router
tftp> mode binary
tftp> put code.bin
tftp> quit
After you're done, reset your password.
Obvious once someone else points it out.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
If you've seen slapper in action, you know this is true. A host behind the router gets infected by the slapper.* worm, and first thing it does (after building itself a new home) is start probing subnets for others. It finds friends, they talk, and much traffic ensues.
The Linksys can stand maybe 6, maybe 10 hours of that much UDP traffic before it reboots. Since the traffic is still coming in when it comes back up, it runs about a 10% chance (guestimate) of restarting successfully. It hangs otherwise. Power cycling restores functionality, and resets the inevitable cycle.
I don't think it's a fault of Linksys. They have a product aimed at a certain market; judging from its popularity it does quite well there. If you have special needs beyond the average SOHO user, you need either an SDK or another vendor.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
The third reason is that Block WAN Request is enabled by default. This is how these routers make themselves invisible to the web: they just drop the packets that come from outside. This can be combined with opening a specific port (forwarding), in which case the traffic on that port is directed to a SPECIFIC machine on the LAN.
The Lazy Way to deal with this is to turn remote management off. If you have no problems, leave it alone until you have some other reason to flash it.
BTW, the last firmware upgrade on the "41" works great with WinXP UPnP. Fairly easy to set up safely (update Windows), and it lets me put my dad behind NAT and still fix his system remotely using XP Remote Assistance. It actually works, much to my amazement, and AFAIK, there are no serious vulnerabilities if it's done right.
Actually I just flashed mine and it kept all my settings. Port forwarding, IP address, subnet mask, all of it. I feel I should mention that I was unable to flash the firmware from linux. Mozilla simply didn't upload the file containing newer firmware (I have no clue why) and when I tried to use Konqueror it got about halfway through the update process when the router reported a "pattern error" in the binary file and aborted the upgrade. So I booted to Win2k and ran their little update program and it flashed it just fine. Although I did have to turn off the Proxomitron.
We're going to make information free Mr. Anderson, whether you like it, or not.
Why bother with a laptop disk?
It's just a firewall. It doesn't need mass storage, or at least nothing more than few megs. It just needs to be reliable.
So. Just beg your friend for the throwaway 8- or 16-meg compactflash card that came with his camera, and plug it into one of these.
Less power (can we say "fanless PSU"?), more speed, and superb reliability. With proper research, the adapter should be in the same price range as the 2.5" IDE adapter kit that you'd need for a laptop drive...
Save the hard drive for things that can benefit from the space.
Kid-proof tablet..
If you own this router and you own IE 5 or above, please visit this upgrade page, substituting the IP of your modem for 192.168.1.1 [Default].
On the linksys there is another option, Block WAN Request, that locks down all machines on the intranet behind it pretty effectively. The only connections allowed are those that originate from inside the LAN.
I don't remember if it is turned on by default. Settings are saved through firmware upgrades and it has been a long time since I bought my router.