Linksys WiFi Gateway Remote Attack Risk Discovered
Glenn Fleishman writes "According to InternetNews.com, a tech consultant discovered that even if you turn the remote administration feature off on a Linksys WRT54G -- the single bestselling Wi-Fi device in the world -- you can still remotely access it through ports 80 and 443. Linksys sets the HTTP username to nothing and password to 'admin' on all of its devices by default. Web site scanning from anywhere in the world to devices that have routable Internet-facing addresses would allow script kiddie remote access, at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password."
Whereas I (owning one of these boxes) rate the flaw as a combination of 'wide open', 'come and hack me, here I am', and 'criminally stupid'. What the [insert expletive] is the point of the 'turn off remote administration' option, if it doesn't turn off remote administration ??!!
I always make sure I enter my own password into every system of mine that lets me. At least that way it's only ever *my* mistakes that will trip me up...
Simon
Physicists get Hadrons!
Now all the script kiddies who read the news know how to hack into my system....
I am grabbing my laptop right now and going to my newfound open access point!
don't tell my neighbour...
All your gateways are belong to us
"No matter where you go, there you are." -- Buckaroo Banzai
Seems like a rather obvious issue, I'm surprised nobody noticed this before.
Since 70%+ of the wireless users on my block do not activate WEP, or change the default channel, or use a non-default SSID, I'm willing to bet that nobody went through the effort to manually deactivate the admin interface, or change the password. You could argue that that is merely a de facto flaw, while the listed vulnerability is de jure, but from a practical perspective, this is no less secure than everything was anyway.
I want to delete my account but Slashdot doesn't allow it.
Yes, but could they reconfigure the WAP to turn on that "unrestricted access to internet" feature that maps every inbound port on the router to one internal machine? Let's see - they know your internal IP block from the router config, and even the addresses of your DHCP workstations. If you haven't kept your patches up to date.....
pWN3D!
Maybe it's just the way the summary was written, but for some reason the original article poster makes this sound like more of a nuisance than the serious problem it really is.
"Lawyers are for sucks."
- Doug McKenzie
I mean honestly, if a Surgeon said that they sewed up a hole in your stomach but really didn't they would be considered criminally negligent wouldn't they? How is a company allowed to release something as obviously dangerous as this to the public without having some sort of liability?
1) 90% of the people that buy these are your basic at-home user. They don't ever change the default settings. It's just a setup and go. There are 5 such ones in range of my apartment alone.
2) 99% of people aren't going to update the firmware when it comes out so this bug will be floating around for some time.
The average joe 6 pack needs to be forced to use the security with it. If you give it as an option then it many times will be ignored. Security needs to be made part of the setup and updates need to be easy to install.
Evolution or ID?
What happens if you are forwarding port 80 to an internal box? That's what I currently do. If I access my external IP I get my webpage; I can only get my router's admin page by using its internal IP.
How does changing the default password help if you don't turn on WEP? Can't someone get on the network using the default SSID(linksys) and sniff for passwords?
1) This problem is specific to one version of firmware. I can guarantee it has not been there in many of the versions I have used. 2) It only affects units that have not had their default password changed. I agree it is a security risk but it should be kept in perspective. If a user does not change the password, that is not a design problem of the firmware. The only real problem is that the function to turn off remote administration on the WAN port stopped working in the specific release of firmware. The article does not mention which version of firmware this guy was using, so we cannot confirm it. I personally use a modified version of the Linksys firmware, of which there are now quite a few.
Recent articles show that this little thing is pretty powerful. What stops someone from flashing a box, running an open relay, ftp server, web server, or anything else of the sort (besides a strong, non-default password)? Just what we need is spambots on these damn Linksys routers..
Manufacturer: LinkSys (a division of Cisco)
Product: Wireless-G Broadband Router
Model: WRT54G
Product Page:
http://www.linksys.com/products/product.as
Firmware tested: v2.02.7
In a recent client installation I discovered that even if the remote administration function is turned off, the WRT54G provides the administration web page to ports 80 and 443 on the WAN. The implications are obvious: out of the box the unit gives full access to its administration from the WAN using the default or, if the user even bothered to change it, an easily guessed password.
I reported this to LinkSys (along with a number of other non-security related issues) on April 28. I received no response addressing this, and no updated firmware has yet appeared on their firmware page
http://www.linksys.com/download/firmware.as
To work around this, you can use the port forwarding (irritatingly renamed to Games and whatever) to send ports 80 and 443 to non-existent hosts. Note that forwarding the ports to any hosts -- including listening ones if you are actually running servers -- will override the default behavior.
On a personal note, there are a number of reasons for which I am thoroughly disappointed with LinkSys since the acquisition by Cisco. For the sake of what was once a rock-solid product and great brand name, I hope things change soon.
--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2@rateliff.net
(Office) 850/350-0260 : (Mobile) 850/559-0100
[System Administration][IT Consulting][Computer Sales/Repair]
-Tolerate my intolerance
...anyone dumb enough to leave the router with the default password deserves to be h4x0red. I assume that by now pretty much anyone that owns a computer knows the need to create their own password not only for their PC but other devices/peripherals.
Although, I tried changing mine to "penis" and it returned a message saying: "Password is too small."
Go figure...
Rican
Want a free iPod?
Just add a router with firewall in front of your .. router with firewall .. Hmm. Well, maybe if you keep adding routers with firewalls like the "elephants all the way down" theory?
Does anyone know if the Wifi-box firmware is also at risk? I just flashed my WRT54G with it last night to get SNMPd to make pretty pictures. While this is a really terrible flaw, the source code is GPL. I am sure someone will come up with a fix even if Linksys doesn't in a reasonable period of time.
Strange women lying in ponds distributing swords is no basis for a system of government.
This shows a lack of proper testing, quality assurance and security. They either brought it to the market too fast or don't have the right people checking these things out.
Understand, I'm not advocating any kids actually do this -- its just a fun, if slightly whacked, idea.
Seastead this.
If I remember correctly, you cannot turn on the remote administration feature without first changing the default password.
Wouldn't that make things even marginally more secure (or obscure)?
I have one such router (HW revision 1.0, firmware 2.02.7) so I gave it a quick check (again ... I tested it when I bought it) and I can't get the remote administration page on the WAN. Currently, I only forward port 22 and I disabled the DMZ.
Thoughts on tech, Software Engineering, and stuff
Isn't it safe to say that if someone finds the "remote administration feature" and turns it off, they're also going to change the default password while they're in there? Or do people think oh, since you can't remotely administer this thing from outside, it doesn't matter? Sounds sketchy to me, I don't think it's going to be a big deal.
It has been my experience that if you use a combination of wireless and wired technology (ie, a carrier pigeon tied to a really long string so you can pull it back really fast--the cats really love to chase the carcass, but you'll get your data back without incident).
So what's the big deal here? If you change the password etc then the problem is solved right? Ohhh that's right, you're talking about people not READING the damn manual telling them what they need to do!
Well tell you what, tough. You didn't read, you didn't listen, then pay the consequences. It TELLS you that you need to change the password etc and what you should do. If you choose not to do it, then face the consequences.
See a Red Light means stop, if you choose not to obey that and get in an accident and get hurt, well sorry but you pay the consequences of your actions.
I hate being so negative sometimes but damn, there comes a time when even the Big red letters not the widespread panic across the news won't help.
Yes, I agree, the companies should make these things where you have to create a new password and username etc, but there's only so much they can do. B/c we all know that most people would leave the password field blank. I know this all too well as the CEO of my company has a blank password on his personal email addy.
does anyone know if these are the access points they use at all those starbucks?
Fair play to the guy for spotting it and warning Linksys but to go and post it in a public board a couple of days later (after the weekend) is just asking for trouble. Could he not have waited a week to give Linksys a chance to notify as many customers as possible before going public ?
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
blackhats that hang on irc and frequent the infamous no-delay list: http://lists.netsys.com/mailman/listinfo/full-disclosure knew for ages and ages.
Mwaa ha ha haaaaa!!!
is only the wifi
not the non wifi, so is not the most popular linksys, but is the most popular wifi
I never trust the nsa/nro/fbi from getting into the router anyways. I firewall it one more level.
PLUS there are now three new agencies with no-knock warrant tasks to grab your pgp keyphrase.
The US Gov under the Executive branch (not the secret service, a new dep) writes keyphrase snatch trojans.
The US Gov under the military has a new dept to write keyphrase snatch trojans
The US Gov under the Judicial branch (Not the DOJ-FBI) a new small department, writes keyphrase snatch trojans.
tons of funding to infiltrate popular osses, firewalls, and most importantly deliver keyboard sniffer trojans that can phone home or store locally.
but this wifi is only the tip of it all.
You can flash the firmware to one from sveasoft http://www.sveasoft.com and avoid the whole problem. You also get a nifty linux environ to work with.
Yeah I checked mine, I don't see this problem either. Something smells off about this whole thing anyway. Where is the "official" CERT advisory on this?
First off it's only on the model listed above; the rest of the linksys models, I believe, actually do disable the remote admin features (web page) by default.
Of course that doesn't mean 70% of *ALL* wireless routers can't be 'war-driven' and reprogrammed once you get in their wireless range anyhow
dlink, 3com, MS, Dell, whatever, whoever makes routers all have default passwords that are normally not changed.
Why don't they just make it RSA-key password encoded from the get-go that is automatically configured upon installation? Contest with me that this would be difficult to integrate. If people couldn't handle a random password that isn't as easy as "admin", then maybe they don't need a router in the first place.
;0
In all honesty, I hate routers, but that's because I work for a cable ISP as technical support.
Use Minidisc? Join the Minidisc.org forums.
I'm sure this isn't what Cringly meant but this should provide plenty of disruption for people all round.
where have you been? you can also extract their ISP password.
I actually got into my neighbors device by accident, thinking it was my own, (not hard to do when they haven't changed the default pw!) and was horrified to see that his password to ISP was saved... in an unpassworded wireless router. The genius of some people, mostly linksys, never ceases to amaze me.
Linksys needs to fix their software. They should not allow anything to be saved in this router until the default password is changed. Period.
scary. I pulled it up to set up DSL, and there was my neighbor's id and password saved...imagine my confusion, when not knowing my neighbor even had one, thinking it was mine, and seeing his name in it. It took a moment, but I put 2+2.
After all, if you didn't change it in the first place, you'll probably never notice the "upgrade".
Agile Artisans
... at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password.
Automate checking out the DHCP reservations that the device is likely managing and then try rpc/dcom, or lsass exploit against that host (automate setting port forward). A lot of people behind firewalls don't make patching top priority.
This was posted on Bugtraq recently; someone there suggested forwarding port 80 to a non-existent IP address. Apparently this works: port forwarding tcp/80 overrides the web server's use of 80 on the WAN.
On another note, the WRT54G's are the units with the Linux firmware people have been tweaking. Perhaps someone should make a new update available (although if you're going to hunt for a third-party firmware update, I'm guessing you picked an ok password)
I've bought lots of Linksys products for my company. I won't do it any more. They just stop working sometimes. They're flakey. It's not a security issue.
Netgear is consistently better.
Anyone know of another WiFi gateway company that would be good to buy stock in? They might suddenly be getting a massive number of orders.
One line blog. I hear that they're called Twitters now.
According to InternetNews.com, a tech consultant discovered that even if you turn the remote administration feature off on a Linksys WRT54G -- the single bestselling Wi-Fi device in the world -- you can still remotely access it through ports 80 and 443.
Just because it's there, doesn't mean it works
The author of this report is likely to be using an earlier firmware version that did not have a firewall setting.
I don't know if Firewall/enable is the factory default now, but it might be. Problem solved? Not exactly -- there are lots of older units out there, and very few users have the ability or knowledge to do a firmware update.
-mse
Fiat Lux.
It sounds like web administration is just enabled out of the box. If those two ports are being forwarded to actual services inside your firewall it doesn't matter at all. This is stated clearly in the report itself along with a simple workaround for those that don't host their own web and mail servers.
Sound. Words. Motion.
The Independent Media Project
I have one, as do several of my friends.
Pretty much the first thing I did when I took mine out of the box was to try to access port 80 and 443. No go.
After seeing this, we tried again. None of us can access the box from the WAN port, only the LAN side.
I wonder if this guy got a refurb or one that had been returned to a store after a user screwed with it?
Gee who would have thought that ignoring the warning to change your password would be a bad idea.
Yes, but could they reconfigure the WAP
Yes, if you didn't change the default login and pass from " / admin", but in that case you probably were
pWN3D!
a long time ago.
Doesn't mean it's broken either. In this case it's easy to see: bring in a WiFi device and see if the SSID is picked up. And it wasn't, by two separate devices.
Cheers,
Ian
Just forward these ports to a non-existent device on the network, or to a machine not running anything on these ports.
Most slashdot readers already know that there are a bunch of modified firmwares for the wrt54g such as this one. You should also be aware that they are already backdoored/rootkit versions (custom version of teso's adore for the wrt54g which will hide specific clients, processes, mac addresses and connections). It should also be noted that vulnerable linksys access points are trivial to detect using kismet (runs on linux, *bsd, zaurus, wrt54g) or kismac (runs on Mac OS X).
I have a similar but different model, the WAG 54G. It has an integrated ADSL modem. Just tested here and it's not affected by the bug.
I noticed this on my router at home about six months ago, but figured it was already known about. Doesn't matter much to me, since the default password was the first thing to go. Next time I see something fishy like that, I'm definitely going to call the media, though, for some nice real-life karma whoring.
Sorry, is it just me, or is it kinda obvious that if you don't change the default password on ANY DEVICE you're pretty much opening yourself to the rest of the world? That's totally user foolishness imho; gotta be smarter than your equipment. Jeez.
I'm running the Sveasoft - version Samadhi2 - v2.00.8.6 revision, and everything seems fine. I've tried to connect to port 80 and 443 from another external ip and could not connect. And even if anyone could connect he has to type in my password, a big fuss for nothing...
With the firmware I have been using (acquired from Linksys) it would not allow remote administration until you changed the default password. How is this vulnerability possible as described?
A basic problem with factory settings are the well-known usernames and passwords. Why not simply set them to the device's serial number?
Mission-critical software is LOTS AND LOTS more expensive than off-the-shelf stuff from Microsoft or whoever. That's because they didn't leave off the most important part of stable software, testing. Hardened software is usually stripped down to the barest functionality, then tested to death under extreme conditions. It takes a lot of manpower and time, the most expensive commodities, and is why most software is beta-tested on the public. It's also a good argument for open-source software; if you want a stable OS check out OpenBSD.
http://www.openbsd.org/
Linksys are really notoriously cheap and shonky though, so this sort of thing shouldn't really come as a surprise to anyone (not a troll).
While Linksys devices are an option if you're looking for something that's very cheap and easy to administer (the CLI and Web based interfaces on their more complex switches are really user friendly), they are historically flakey (due to lack of support for key options, non-upgradability or straightforward incompatibility with other devices) as well as insecure.
I wouldn't use a linksys device (even for my home wireless access point or as a switch) based purely on how unreliable and incompatible they have proven to be; you really do get what you pay for in this case. All I can say is I am completely convinced it's worth spending a little extra to get something which will save you trouble later.
This is not important. If you pull something out of a box, plug it in, and pray to the gods of technology that it works; this is what you get.
Any fool knows that default passwords are for faulty individuals.
It's all good.
*Don't get any ideas; they both use WPA and MAC address limiting, so neither of them are open.
I'm in the hole of the broadband donut.
I noticed this a couple of weeks ago on my Router. I bypassed the issue by enabling port-forwarding and I forwarded those two ports to a non-existent IP address. Problem solved. YMMV.
There's several cases where software failure has been fatal.
How about the case of the THERAC-25, where several died or were seriously injured.
This is a typical case study shown in any ethics course involving software design. It turns out the cause of the severe radiation burns was from the operator entering commands and parameters faster than the unit could handle.
Then there's the Soviet pipeline that blew up due to deliberately buggy software stolen from the US.
Then there's the Osprey, which had software bugs that killed 30 Marines in 3 accidents.
There's also 2 commercial jet crashes due to software problems with either radar, or just reporting position properly to the pilot, killing over 300 people in the 2 accidents.
This problem is very real. So when people joke about getting a BSOD while driving a car, it's highly plausible.
Well in Manhattan, the most densely populated county in the U.S. (67,000 people / square mile), I've generally had no fewer than 3 WiFi access points available in the various apartments I've lived in... I can reach 7 access points from different corners of my 400 square foot apartment now.
Not that WiFi is the reason to live here, but hey, free Internet is nice when you're paying through the nose for the apartment!
four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
to build your own wireless router? Well, what I mean is, take the normal ethernet router you can make with some nics, and add a wifi card, or some other radio transceiver dealie. I know you can build a hard wired router using linux and an old pentium, just wondering on this wifi deal. Inside the house I can deal with ethernet, just wanting the *potential* to get wireless to the router. Just add a pci wifi card, or what? Any recommendations? I haven't fooled with wireless yet, just thinking about it now, want to go *cheap* as possible and perhaps go to an external antenna.
See Microsoft Link
Microsoft even tells you that this is a "good thing" at the link:
Disabling SSID broadcasts on an access point is not considered a valid method for securing a wireless network.
And just this morning, I was shopping for this because Amazon sent me a 'last day to get deals on Linksys products' message. Fortunately (or unfortunately, I guess) I don't yet have a *need* for it, so I didn't buy it.
Actually I was able to reproduce the 'problem'. It is not mentioned in the article, but you can access the admin page from the WAN port if 'firewall protection' is disabled.
... although it is NOT at all obvious at first glance.
In hindsight this sort of makes sense.
In any case I wouldn't consider this to be a HUGE problem since 'firewall protection' is on by default and 'Joe 6pack' is unlikely to turn it off, since the general perception among nongeeks (at least in my experience) is that Firewalls are magical good things that block bad stuff (for varying definitions of bad).
Out here in Queens, NYC, I see 1 or 2 WiFi networks from my living room. (Not including mine). One is secured, the other isn't (it isn't up all the time either).
When I'm in the park across the street I can see several networks.
How hard would it be for Linksys and other manufacturers to create a random administration password for each access point they sell, and just plant a sticker on the owner's manual containing this password? (or even a sticker on the side of the access point would do, since you're screwed anyway if an unwanted person has physical access to your hardware)
It seems that this would solve some of the problems of access points being so insecure by default...
This is stupid of course, considering the default install for the Linksys router is a bigger vulnerability than turning off the remote admin.
I think the key phrase in your post is "used to work." My brand new Linksys wireless-g router has the option to turn off the broadcast of SSID. So it looks like the management did finally listen to the developers, just not while you were around to witness it.
Eh. I used to be a big netgear proponent, but they've been flakey too (go google for BellSouth and Netgear) the last couple years. Seems like networking quality overall has gone down. Shame.
After connecting to their wireless load up Ethereal. Look at the traffic going by....
1. If you see anything Linux/Unix related, get out of there before they notice.
2. If you see Mac related stuff, it's probably OK but be careful.
3. If you see nothing but Windows spew (and believe me it spews over the network), have fun. The users are clueless.
Indeed. I just set up a Linksys WRT54G router this past weekend, and sure enough, it had the option to disable the SSID broadcast. Strangely enough, it actually seemed to do it, too!
And yes, I was sure to change the default admin password ASAP. First step in configuring the box, really.
I just want to take over the world...Why does that automatically make me EVIL?
... does it prove Linux is inherently insecure (I mean, just as those windows based ATM machines are insecure)?
You have my respect for living in such a shoebox!
And on a side note, the exact same public list to which the vulnerability was originally posted has since debunked this vulnerability. I'm on said list, and the only WAN ip that is allowed to connect to the device is the WAN's IP itself. (http://securityfocus.org/archive/1/364994/2004-05-31/2004-06-06/0)
Now is this still a security issue? Sort of, because a small business employing the device might have one employee who could access the admin page, but he'd still have to have access to the router. The FUD on /., Bugtraq, and Full Disclosure is appalling.
I read the article and I'm not sure they found the vulnerability by "dumb luck" or if they were able to analyze the open-source firmware posted on Linksys' site. Given Cisco's resources, and recent theft of some of their router code, it kind of makes you wonder how something like this could have gone under the radar. Then again, maybe they're too busy writing Linux drivers for their wireless cards!
Like I'm going to publish what I use at home. Just know it is not this model.
You can lose something that is loose, so tighten the loose item so you don't lose it.
This was reported on the BugTraq mailing list (archive on www.securityfocus.com). There is some debate as to the findings. I've seen at least one post where the person was unable to reproduce the vulnerability. In fact, being able to get to port 80 and 443 coming from the inside trusted network to the external WAN interface is not a big deal. Coming from an external address does not work on all versions of this device. Looks like they implement a simple firewall that blocks access from external but not internal.
Do really dense people warp space more than others?
I have one of these fine units running Firmware v2.02.7. I got to poking around with this 'exploit' and noticed the following items:
When you are on the LAN with the device, you *are* able to access the Administration page from the WAN IP address on both ports 80 and 443.
When you are on a remote network and you make an attempt to access the WAN IP on either port 80 or 443 (with no forwarding turned on) you get nothing. No admin page, no prompt for a password.
This is just the behavior I have seen. That isn't to say that somewhere out there this problem isn't happening, but I am just curious how many people have tried it from outside the networks they are seeing this on.
~.Evanrude
I live in a mill building on both sides of a river. There's 310 apartments with about 700 to 1100 people, I guess. When I moved in during May 2003, there were 7 broadcasting wireless networks. When we renewed our lease this May, we warwalked it again and there were 22. Both times, about 60% were completely wide open, and about 75% of them were linksys devices. One fellow across the river must have a booster or something because his network punches through way too many walls. He would seem to be on the interior side, facing the river, and I can get him on the opposite side of his building, as well as into my own building on the opposite side of the river. My roommate's girlfriend lives down the hallway and she can see exactly 6 wireless networks. 3 are wide open.
With people giving away USB 802.11b cards for free, the temptation to steal all that free internet is just, well, it's inevitable that it gets used.
Oh, and we had this great idea! See, there's so many open wireless networks at our place, and so many people with open filesystem shares, that one of the things we do to make a little spare cash is that we use that unified network adapter linux has where you can bind interfaces together. It's a little sloppy but we effectively have an aggregate 12.0 megabit connection out, and 1.2 megabit connection in, from the internet over 4 wireless lans we connected to. Then we did some filesystem on a filesystem type things with the open file shares and made a pseudo RAID using the neighbor's unknowingly shared directories. We can sell 1.2 megabit webhosting for 12.95 a month with zero infrastructure costs. I guess if I had to describe it in a word I'd say that it's "sweet."
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Yes, my only tool is a hammer. And you're starting to look like a nail.
-----Original Message-----
From: Alan W. Rateliff, II [mailto:alan2 rateliff net]
Sent: Wednesday, June 02, 2004 11:05 AM
To: bugtraq securityfocus com
Subject: Additional information on WRT54G administration page
I have made the effort to grab three additional units, all v2 hardware, off-the-shelf, and here is what I have found: Two of three units came with the firewall enabled, while one of the three came with it disabled. The packaging leaves no evidence as to whether any of these items were previously opened and returned.
Interestingly, all three units from local resellers came with v2.02.2 firmware, while the second unit from CDW I tested in March came with v2.02.7. BOTH of the units which came off-the-shelf with v2.02.7 behaved as previously described in my original notice; I do not have records of the firewall setting of the units from March, although they both did behave as predicted after a factory reset.
I would like to assume that the one-of-three v2.02.2 firmware units which came with the firewall disabled was an anomaly, and possibly a customer return. Nicely, flashing these units to v2.02.7 retains all settings, including the firewall status.
Now the catch. In v2.02.7 with the firewall disabled and remote admin turned off, the admin page becomes available on ports 80 and 443 on the WAN. This works whether the unit is in DHCP or PPPoE mode.
Port State Service
80/tcp open http
443/tcp open https
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
So part of the original notice is valid, with the exceptions noted. I don't have any more v2.02.2 units to test as they have all now been flashed with v2.02.7, I have no more unmolested v2.02.7, and I am out of petty funds to purchase more :)
So, I will eat some crow on the original notice. To sum up, the admin page is most definitely available to the WAN if the firewall is disabled, regardless of the remote admin setting. And at best the potential for getting a unit off-the-shelf with this behavior is somewhat like an Easter egg hunt. I have received an even mix of responses positive and negative to the original notice, so others are reproducing this OTS.
Some thoughts...
It could be reasonable that units which come v2.02.2 OTS then flash to v2.02.7 may not experience this behavior due to stored factory settings from the original v2.02.2 system carried over to v2.02.7. That would explain the exception of the OTS behavior of the v2.02.7 units received in March.
Now I am also aware that other LinkSys items I have received have come with firmwares not yet available on the website -- most recent example, a WPS54GU2 which came with firmware 6032 while only 6031 was available on the website. It may be more reasonable that since the firmware v2.02.7 is dated March 17, my order for the WRT54G was placed on March 23, maybe a pre-release of the firmware? I cannot imagine that there would be such a diverse distribution of this product direct from LinkSys?
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2 rateliff net
(Office) 850/350-0260 : (Mobile) 850/559-0100
[System Administration][IT Consulting][Computer Sales/Repair]
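The post above establishes the test: with the firewall disabled, the admin page answers on WAN ports 80 and 443 regardless of the remote-admin setting, and a port scan from outside shows it. The following is an added example (my own code, not part of the thread or any Linksys tool) of the check an owner would run against their own gateway's public address from an outside host: connect to the port, send a minimal request, and report whether an HTTP authentication challenge comes back, which is what an exposed admin login looks like. Because the example must run offline, it includes a constructed stub that answers 401 with a Basic realm, and the realm string "WRT54G" is an assumed value for illustration only.

```python
import http.server
import socket
import threading


def probe_http_auth(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect to host:port, send a bare GET, and classify the reply.

    Returns a dict: open (TCP connect succeeded), status (HTTP status code
    or None), realm (from WWW-Authenticate, if any) and exposed_admin
    (True when a 401 challenge with a realm was returned, i.e. a login
    prompt is reachable from wherever this was run).
    """
    result = {"open": False, "status": None, "realm": None, "exposed_admin": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
            data = b""
            while len(data) < 4096 and b"\r\n\r\n" not in data:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return result  # refused, filtered or timed out: nothing listening for us
    result["open"] = True
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    if lines and lines[0].startswith("HTTP/"):
        parts = lines[0].split()
        if len(parts) >= 2 and parts[1].isdigit():
            result["status"] = int(parts[1])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and "realm=" in value:
            result["realm"] = value.split("realm=", 1)[1].strip().strip('"')
    result["exposed_admin"] = result["status"] == 401 and result["realm"] is not None
    return result


class _StubRouter(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a gateway whose admin page is reachable:
    every request gets a Basic-auth challenge. Assumed realm, not a real one."""

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="WRT54G"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def find_closed_port() -> int:
    """Pick a local port that is (almost certainly) not listening."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo() -> dict:
    """Probe the stub (exposed login) and a closed port; return both results."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _StubRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        exposed = probe_http_auth("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    closed = probe_http_auth("127.0.0.1", find_closed_port())
    return {"stub": exposed, "closed": closed}


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(f"{label}: open={r['open']} status={r['status']} realm={r['realm']!r} "
              f"exposed_admin={r['exposed_admin']}")
```

Run it from a host that is not behind the gateway (a shell account elsewhere, a phone on cellular data), pointed at the gateway's WAN address on 80 and 443; a result with exposed_admin set means the remote-admin toggle is not protecting the login page and the firewall setting, password and firmware version deserve a look.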
I do security
I live in a small-ish town on the North Shore (north of Boston), and for a long time my old AirPort was the only base station in the area.
Over the last year or so, though, 3 others have popped up in range of my house. They all broadcast SSID, and only one of them is secured with WEP.
And here in the huge office complex I have my office in, there's 2 more unsecured broadcasting AP's just within easy access of my little office suite. Walking around the place with my iPaq turns up lots more of them, too.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
On a large scale though, this could be a very big problem. The percentage of routers that are vulnerable, the percentage that are directly connected to the internet (say, controlling the PPPoE of a DSL modem), and the percentage that still have the default password all factor in. It may not be enough to matter, but it may be so many that it becomes a significant attack vector, both to home users and as a jumping point for internet attacks.
Also, it begs the question of whether other linksys routers and/or broadband modems might be vulnerable.
I do security
I can reach 7 access points from different corners of my 400 square foot apartment now.
Damn! My bedroom's just under 400 sq feet (18'x20'). The whole house is just a hair under 1700 sqr feet. This on an income of 60k a year.
I drank what? -- Socrates
Did you hear something? It was the joke flying over your head.
Since this is a remote administration hole, Linksys should use this hole they left to remotely administer and upgrade the firmware on all vulnerable devices. Maybe if they do it fast enough, they can beat the script kiddies to it.
~ there are 10 types of people in this world, those that can read binary and those that can't
a month or so back I replaced my old dead router with a netgear FR328S which also had that problem
with the remote administration disabled, a remote port scan showed port 80 open
netgear fixed this in newer firmware
v1.4 (09) is ok
Hehe, I sometimes wonder that too, but the 3 other people that share my condo building didn't even have computers so I'm not that worried. On the other hand I am suspicious of the young woman that is moving into my ex-neighbor's condo. I need to find out if she has a computer. If so, perhaps I'll be nice and offer her free Internet access as a way to break the ice.
I wonder if my wife would mind...
I thought the same thing. The problem I found is that XP will select based upon signal strength. In my case, I was at a friend's apartment. His router was in the next room, but his neighbor's router was immediately behind us next to the wall. So I could specify the non-SSID connection and have it at the top of the priority list, but it would eventually drop it in favor of the SSID one because it had a stronger signal strength.
I have one of these, and changed the default password as the -very- first thing I did, before it even got connected to the cable modem.
I then locked it down as best as I knew how, and took my laptop outside for a walk.
I hadn't walked down a full flight of stairs (I'm on a third floor walkup) and the signal dropped to nil. No problem, metal siding, metal stairwell, should get -some- signal at least, let's walk to the car. Get to my car, parked just outside, and not a blip. I've repeated this test more than a few times.
If anyone is feeding off my connection, they're sitting on my doorstep. I do know my neighbors pretty well, and the ones in range, I've told them that they're welcome to use it if they have guests (Since they all have Cable modems themselves) who have wifi. Sort of a "Scratch my back, I won't get pissy if you ask me to turn my stereo down at 1am" good neighbor thing. They know to just come knock and I'll give them the wep of the week... It happens, it gets me beer. "Hey, a buddy of mine needs to borrow your wireless to check his mail, here, have a Guinness."
Now, that's not to say that there isn't a point where a good wifi antenna and an interested geek couldn't probably -find- it and eventually crack my wep key. But they've probably already scanned the local library and found that, gasp, they left their wifi on their isdn partly open. (The admin is mostly clued, the only thing open outbound is http, anything else is eaten. However, I've not tested this...)
Perhaps "Security through having stupid neighbors" is at play...
I always change the default, since if the user name is empty, I can't save the password and have to input it every time.
My wife would hate it if her download speed dropped...
I drank what? -- Socrates
The point is that if you have an SSID broadcasting WAP with a stronger signal than a non-SSID broadcasting WAP, XP will drop the non-SSID one for the SSID one.
Read the Microsoft link...
That makes me feel a lot better.
But in retrospect, my friend (whose apartment I had this trouble at) was using Windows 2000 and a netgear wireless card's app and didn't have this problem... But we attributed it to Windows XP's new behavior over 2000... (which is sort of true...)
I hadn't thought about using the linksys app... (which I had uninstalled because I didn't want all the icons cluttering up my start bar and, geez, Windows XP already provides those services anyway...)
Thanks for the heads up on that USB WiFi adapter! I need one for the kid's iMac and having it usb means I can update software and take the dongle with me when I'm done.
;) ) besides, that's what the IDS box is for.
(No, I'm not a bad father monitoring their web access, they're 18 months old.
"Draco dormiens nunquam titillandus."
Web site scanning from anywhere in the world to devices that have routable Internet-facing addresses would allow script kiddie remote access, at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password
While just a wee bit off topic... Here in the SW US I worked with a company who specializes in wireless networking and as a test, two of their techs, one with a dish/receiver connected to a laptop running Debian being held by the other tech, scanned a 360 degree "loop" (turned in a circle basically) and looked for open gateways or compromised boxes. In that one loop, they found over 20 open networks! Let me also add that this area was neither in the city proper, nor is this a terribly densely populated area.
Just some alarm to go along with your coffee this morning
I have a theory that the truth is never told during the nine-to-five hours. -- Hunter S. Thompson
..from "outside".
It does not respond on 80 or 443. Does anyone know what the trick is?
Linksys has just announced that they will change the default password on the admin account to "password", thus creating an impassable security wall.
In my case I live remotely enough that I connect to my 3Mb/s ISP via 802.11b with point-to-point antennas. My link is about 1.5 miles away. The antenna is sensitive enough that even with a super-directional link I see 4 -other- SSIDs when I scan with the antenna, 2 of which have no WEP and default passwords.
This is in a town of 1500 people.
If I could look outside of the 5-degree range I am sure I would pick up 4 or 5 others (I'm on one end of town and my antenna points across downtown to the AP on the other end of town, so that 5-degree vantage still grabs a significant chunk of the town).
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
According to the rebate coupon "Receipts dated after May 31, 2004 will not qualify."
Mea navis aericumbens anguillis abundat
We tend to blame poor programming skills but the real cause is often market pressure and bad management (no budget for secure programming training, no quality assurance process, pressure to deliver on time even if the program is buggy (e.g. Oracle 6 and Oracle E-Business Suite 11, Microsoft Windows)).
I disagree!!! Dan J. Bernstein coded qmail, djbdns, and many other really secure programs. Both qmail and djbdns offer a security guarantee, not much money though, but enough incentive for a hacker living in a developing country to find a security hole.
Dan J. Bernstein on qmail security: (DJB is my hero!)
Why is qmail secure?
The reason I started the qmail project was that I was sick of the security holes in sendmail and other MTAs. Here's what I wrote in December 1995:
Every few months CERT announces Yet Another Security Hole In Sendmail---something that lets local or even remote users take complete control of the machine. I'm sure there are many more holes waiting to be discovered; sendmail's design means that any minor bug in 41000 lines of code is a major security risk.
Other popular mailers, such as Smail, and even mailing-list managers, such as Majordomo, seem just as bad.
As it turned out, fourteen security holes were discovered in sendmail in 1996 and 1997.
I followed seven fundamental rules in the design and implementation of qmail:
sendmail treats programs and files as addresses. Obviously random people can't be allowed to execute arbitrary programs or write to arbitrary files, so sendmail goes through horrendous contortions trying to keep track of whether a local user was ``responsible'' for an address. This has proven to be an unmitigated disaster.
In qmail, programs and files are not addresses. The local delivery agent, qmail-local, can run programs or write to files as directed by ~user/.qmail, but it's always running as that user. (The notion of ``user'' is configurable, but root is never a user. To prevent silly mistakes, qmail-local makes sure that neither ~user nor ~user/.qmail is world-writable.)
Security impact: .qmail, like .cshrc and .exrc and various other files, means that anyone who can write arbitrary files as a user can execute arbitrary programs as that user. That's it.
A setuid program must operate in a very dangerous environment: a user is under complete control of its fds, args, environ, cwd, tty, rlimits, timers, signals, and more. Even worse, the list of controlled items varies from one vendor's UNIX to the next, so it is very difficult to write portable code that cleans up everything.
Of the twenty most recent sendmail security holes, eleven worked only because the entire sendmail system is setuid.
Only one qmail program is setuid: qmail-queue. Its only purpose is to add a new mail message to the outgoing queue.
The entire sendmail system runs as root, so there's no way that its mistakes can be caught by the operating system's built-in protections. In contrast, only two qmail programs, qmail-start and qmail-lspawn, run as root.
Even if qmail-smtpd, qmail-send, qmail-rspawn, and qmail-remote are completely compromised, so that an intruder has control over the qmaild, qmails, and qmailr accounts and the mail queue, he still can't take over your system. None of the other programs trust the results from these four.
In fact, these programs don't even trust each other. T
It seems that the webmin interface is reachable only by the machines in the LAN, whether you specify the LAN interface IP or the WAN interface IP. Accessing the webmin interface via the WAN port does not work.
Am I the only one that thinks it's a little odd that just last week we had an article (well, two, actually) on this device vastly overstating its usefulness?
What was that quote again? Oh yeah.
"With Linux capabilities and builtin VoIP any Mom and Pop can become the local equivalent of a cellular phone company"
I'm off to go hack into my cell phone company with that handy "blank password" hack I've heard so much about...sheesh.
A small 1 bedroom apartment (7th floor, mid-town Manhattan, somewhere in the low 30th st area), goes for around $250k.
IIRC, it was *maybe* 500 sq ft, probably smaller.
...is not vulnerable.
This is not a problem with the router, it is a problem with the user.
It's like saying that my car tires are faulty because they do not remove themselves from the car if not properly inflated.
My telephone must be faulty too, because it doesn't stop my wife from exceeding her credit card limit when calling the home shopping network.
Come on put the blame where it belongs, the meatware.
Published on May 17th on the SecuriTeam portal: apparently many of the Linksys routers, non-wifi and wifi, are vulnerable. Read here. No comment or firmware update has been offered from Linksys.
I've been following this on the Security Basics list. From what I've seen, this has been brought to Linksys' attention with little response. To all of you who think things like this get released and the company never knows why, I can tell you it doesn't appear to be the case here.
WLAN1 WLAN 2 /
.-------.
|
WLAN3 -| | - WLAN 4
| |
`-------' -.
/ | \
WLAN 5 WLAN 6 WLAN 7
Check your reality.
The signals you are picking up might not be WLAN.
You might actually be living inside an experimental shoebox that's
being monitored by seven teams of scientists.
I noticed this issue on my Linksys BEFW11S4 v.4 802.11b wireless router as well, with the latest available firmware (1.50). I managed to get around the problem by telling the router to forward port 80 traffic to a non-existent host on my network - until my new, non-Linksys, router arrives in the mail, that is.
With all due respect, dude, you're full of shit. I'm a paid subscriber and I check those forums on an hourly basis. There have been no bug reports of problems of the magnitude you are implying, so either put up or shut up, bitch.
" 1. Keep it simple, stupid.
See BLURB in the qmail package for some of the reasons that qmail is so much smaller than sendmail. There's nothing inherently complicated about writing a mailer. (Except RFC 822 support; but that's only in qmail-inject.) Security holes can't show up in features that don't exist.
2. Write bug-free code.
I've mostly given up on the standard C library. Many of its facilities, particularly stdio, seem designed to encourage bugs. A big chunk of qmail is stolen from a basic C library that I've been developing for several years for a variety of applications. The stralloc concept and getln() make it very easy to avoid buffer overruns, memory leaks, and artificial line length limits."
A couple points on these bits.
1) Qmail as stated here doesn't do as much as other mail server packages. As stated here Qmail is only 11k lines of code. Between having fewer features and fewer lines of code, it's going to have fewer bugs. But what do you say to the people that need features that require writing half a million lines of code? Programs that big will have bugs. QMail is trivial compared to other, buggier, programs that are depended on. For comparison, I was unable to find a reference for the lines of code in the Linksys firmware. But, going with an average of 80 characters per line, I come up with over a million lines. This is an apples to planets comparison here.
2) As stated in point 7 there, he has control over external libraries. That will dramatically decrease bugs over relying on standard facilities since the support libraries and the application can be designed as one unit- which, if you re-read my original comment, was one way to avoid bugs that I put forward. But it isn't always an option to write your own support libraries.
The smaller the program, and the more control the development team has over the program's environment, the less buggy the code will be (assuming equally competent developers). Qmail is a tiny program with significant control over its supporting libraries; bug-free is not very difficult to achieve in that case.
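The quoted passage credits the stralloc concept and getln() with making buffer overruns and artificial line-length limits easy to avoid, and the reply above argues the point is control over the support library. As an added illustration (my own minimal re-implementation of the idea, not qmail's code and not its API), here is a growable buffer plus a line reader built on it: the buffer carries its own length and capacity, so appending can never write past the allocation, and a line of any length is read without a fixed-size stack array. The text scanned in main() is constructed for the demo; fmemopen() is assumed to be available (POSIX 2008, present in glibc).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable byte buffer in the spirit of stralloc: the bytes, how many are
 * in use, and how many are allocated. s is not NUL-terminated. */
typedef struct {
    char *s;
    size_t len;
    size_t a;
} stralloc;

/* Ensure room for at least n bytes. Returns 1 on success, 0 on allocation failure. */
static int stralloc_ready(stralloc *sa, size_t n) {
    if (sa->a >= n) return 1;
    size_t want = n + (n >> 3) + 30;   /* overshoot to amortise reallocations */
    char *p = realloc(sa->s, want);
    if (!p) return 0;
    sa->s = p;
    sa->a = want;
    return 1;
}

/* Append one byte; the length check happens here, once, not in every caller. */
static int stralloc_append(stralloc *sa, char c) {
    if (!stralloc_ready(sa, sa->len + 1)) return 0;
    sa->s[sa->len++] = c;
    return 1;
}

/* Read one line of arbitrary length into line (newline stripped).
 * Returns 1 if a line was read (an unterminated last line counts),
 * 0 at EOF with nothing read, -1 on allocation failure. */
static int getln_any(FILE *in, stralloc *line) {
    int c;
    line->len = 0;
    while ((c = fgetc(in)) != EOF) {
        if (c == '\n') return 1;
        if (!stralloc_append(line, (char)c)) return -1;
    }
    return line->len ? 1 : 0;
}

/* Scan a text: count its lines and record the longest line length.
 * Returns 0 on success, -1 on I/O or allocation failure. */
int scan_lines(const char *text, size_t *nlines, size_t *maxlen) {
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (!in) return -1;
    stralloc line = {0, 0, 0};
    size_t n = 0, mx = 0;
    int r;
    while ((r = getln_any(in, &line)) == 1) {
        n++;
        if (line.len > mx) mx = line.len;
    }
    fclose(in);
    free(line.s);
    if (r < 0) return -1;
    *nlines = n;
    *maxlen = mx;
    return 0;
}

int main(void) {
    /* Constructed input: a 5000-byte line, far longer than any fixed
     * "reasonable" buffer, followed by a short terminated line. */
    size_t big = 5000;
    char *text = malloc(big + 16);
    if (!text) return 1;
    memset(text, 'A', big);
    memcpy(text + big, "\nend\n", 6);
    size_t n = 0, mx = 0;
    if (scan_lines(text, &n, &mx) != 0) { free(text); return 1; }
    printf("lines=%zu longest=%zu\n", n, mx);
    free(text);
    return 0;
}
```

The property worth noticing is that no function above takes a caller-supplied buffer size that could disagree with the buffer's real size; the capacity travels with the data, which is exactly the class of mismatch behind classic gets()/strcpy() overruns.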
please explain Microsoft's link in my original post.
I've been following this on BugTraq. As others in this discussion have pointed out, it's not that big a deal, since most people turn the firewall on. There's also an interesting post about someone who bought a few of them and checked whether the firewall was enabled by default--it turns out that two of the three units he tested came with the firewall enabled.
Much more terrifying, though, is the fact that Netgear WG602 Access Points have a default admin account that can't be turned off, with the username "super" and the password "5777364". So expect anyone on the WLAN/LAN to be able to own your router if you have this product and enable the admin interface.
But does it work with Linux? have you tried? any quirks to making it work? This one really is off-topic, but it is a question nonetheless.
-DrkShadow
Netgear WG602 wireless access point has an undocumented, superuser account. It's fully accessible from both WAN and LAN sides. There is no option to disable this account - it is permanently enabled.
User: super
Password: 5777364
If all you wanted to do was crash the network without caring about passwords all you'd need is a simple RF transmitter broadcasting on the same frequency as the Linksys and jam it...to me this is the biggest problem with wireless networks.
"Lack of technical competence coupled with the arrogance of power, as usual, leads to no good end."
"Additionally, when your computer is connected to an access point that is not broadcasting its SSID, and another access point that is broadcasting its SSID is enabled nearby, your computer automatically connects to the access point that is broadcasting its SSID."
Here's the scenario I experienced:
I had a friend in an apartment building with a netgear router not broadcasting an SSID. I set up a PREFERRED network for his router (coz you have to). I would connect and then consistently lose the connection and then reconnect to his downstairs neighbor's router broadcasting its SSID, which was NOT on my PREFERRED network list.