Slashdot Mirror


Linksys WiFi Gateway Remote Attack Risk Discovered

Glenn Fleishman writes "According to InternetNews.com, a tech consultant discovered that even if you turn the remote administration feature off on a Linksys WRT54G -- the single bestselling Wi-Fi device in the world -- you can still remotely access it through ports 80 and 443. Linksys sets the HTTP username to nothing and password to 'admin' on all of its devices by default. Web site scanning from anywhere in the world to devices that have routable Internet-facing addresses would allow script kiddie remote access, at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password."

28 of 311 comments

  1. 2 points by millahtime · · Score: 4, Informative

    1) 90% of the people that buy these are your basic at-home user. They don't ever change the default settings. It's just set up and go. There are 5 such ones in range of my apartment alone.

    2) 99% of people aren't going to update the firmware when it comes out so this bug will be floating around for some time.

    The average joe 6 pack needs to be forced to use the security with it. If you give it as an option then it many times will be ignored. Security needs to be made part of the setup and updates need to be easy to install.

  2. in short by andy1307 · · Score: 2, Informative
    The problem is the default password: admin....?

    How does changing the default password help if you don't turn on WEP? Can't someone get on the network using the default SSID(linksys) and sniff for passwords?

  3. Bugtraq submission by mrgrey · · Score: 5, Informative


    Manufacturer: LinkSys (a division of Cisco)
    Product: Wireless-G Broadband Router
    Model: WRT54G
    Product Page:
    http://www.linksys.com/products/product.asp?grid=33&scid=35&prid=601
    Firmware tested: v2.02.7

    In a recent client installation I discovered that even if the remote
    administration function is turned off, the WRT54G provides the
    administration web page to ports 80 and 443 on the WAN. The implications
    are obvious: out of the box the unit gives full access to its administration
    from the WAN using the default or, if the user even bothered to change it,
    an easily guessed password.

    I reported this to LinkSys (along with a number of other non-security
    related issues) on April 28. I received no response addressing this, and no
    updated firmware has yet appeared on their firmware page
    http://www.linksys.com/download/firmware.asp?fwid=201

    To work around this, you can use the port forwarding (irritatingly renamed
    to Games and whatever) to send ports 80 and 443 to non-existent hosts. Note
    that forwarding the ports to any hosts -- including listening ones if you are
    actually running servers -- will override the default behavior.

    On a personal note, there are a number of reasons for which I am thoroughly
    disappointed with LinkSys since the acquisition by Cisco. For the sake of
    what was once a rock-solid product and great brand name, I hope things
    change soon.

    --
    Alan W. Rateliff, II : RATELIFF.NET
    Independent Technology Consultant : alan2@rateliff.net
    (Office) 850/350-0260 : (Mobile) 850/559-0100

    [System Administration][IT Consulting][Computer Sales/Repair]

    --
    -Tolerate my intolerance
  4. NOT by Merlin42 · · Score: 3, Informative

    I have one such router (HW revision 1.0, firmware 2.02.7) so I gave it a quick check (again ... I tested it when I bought it) and I can't get the remote administration page on the WAN. Currently, I only forward port 22 and I disabled the DMZ.

  5. Re:port forwarding by mccalli · · Score: 5, Informative
    What happens if you are forwarding port 80 to an internal box?

    From the article:

    "As a workaround until a firmware upgrade is issued, Rateliff recommends the use of port forwarding send ports 80 and 443 to non-existent hosts. "Note that forwarding the ports to any hosts -- including listening ones if you are actually running servers -- will override the default behavior," he explained."

    So you're ok. As am I, or at least as I will be after I've just finished forwarding 443...

    Cheers,
    Ian

  6. Use Custom Linux firmware by Anonymous Coward · · Score: 2, Informative

    You can flash the firmware to one from sveasoft http://www.sveasoft.com and avoid the whole problem. You also get a nifty linux environ to work with.

  7. Additional info on WRT54G administration page by alanxyzzy · · Score: 5, Informative
    This BUGTRAQ article has some interesting observations made by the original reporter of this vulnerability.
    I have made the effort to grab three additional units, all v2 hardware, off-the-shelf, and here is what I have found: Two of three units came with the firewall enabled, while one of the three came with it disabled. The packaging leaves no evidence as to whether any of these items were previously opened and returned.

    Interestingly, all three units from local resellers came with v2.02.2 firmware, while the second unit from CDW I tested in March came with v2.02.7. BOTH of the units which came off-the-shelf with v2.02.7 behaved as previously described in my original notice; I do not have records of the firewall setting of the units from March, although they both did behave as predicted after a factory reset.

    I would like to assume that the one-of-three v2.02.2 firmware units which came with the firewall disabled was an anomaly, and possibly a customer return. Nicely, flashing these units to v2.02.7 retains all settings, including the firewall status.

    Now the catch. In v2.02.7 with the firewall disabled and remote admin turned off, the admin page becomes available on ports 80 and 443 on the WAN. This works whether the unit is in DHCP or PPPoE mode.

    Port State Service
    80/tcp open http
    443/tcp open https
    Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20

    So part of the original notice is valid, with the exceptions noted. I don't have any more v2.02.2 units to test as they have all now been flashed with v2.02.7, I have no more unmolested v2.02.7, and I am out of petty funds to purchase more :)

    So, I will eat some crow on the original notice. To sum up, the admin page is most definitely available to the WAN if the firewall is disabled, regardless of the remote admin setting. And at best the potential for getting a unit off-the-shelf with this behavior is somewhat like an Easter egg hunt. I have received an even mix of responses positive and negative to the original notice, so others are reproducing this OTS.

    Some thoughts...

    It could be reasonable that units which come v2.02.2 OTS then flash to v2.02.7 may not experience this behavior due to stored factory settings from the original v2.02.2 system carried over to v2.02.7. That would explain the exception of the OTS behavior of the v2.02.7 units received in March.

    Now I am also aware that other LinkSys items I have received have come with firmwares not yet available on the website -- most recent example, a WPS54GU2 which came with firmware 6032 while only 6031 was available on the website. It may be more reasonable that since the firmware v2.02.7 is dated March 17, my order for the WRT54G was placed on March 23, maybe a pre-release of the firmware? I cannot imagine that there would be such a diverse distribution of this product direct from LinkSys?
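Added example, not code from the thread or from Linksys: a small Python model of the exposure conditions reported in the Bugtraq submission (comment 3) and the follow-up above (comment 7), namely that with the firewall disabled the admin page is served on WAN ports 80 and 443 whatever the remote-admin setting, and that forwarding those ports to another host overrides that. The config class, the sample unit and the sink address are constructed for illustration.

```python
"""Model of the WRT54G WAN-exposure conditions described in this thread.

Added example (not code from the thread or from Linksys). It encodes the
observations reported above: with the firewall disabled the admin page is
served on WAN ports 80 and 443 regardless of the remote-admin setting, and
forwarding those ports to another host overrides that behaviour.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ADMIN_PORTS = (80, 443)  # ports the thread reports serving the admin page


@dataclass
class Wrt54gConfig:  # constructed stand-in for the router's settings
    firmware: str
    firewall_enabled: bool = True       # shipped enabled on most units tested
    remote_admin_enabled: bool = False  # disabled by default per the thread
    http_username: str = ""             # Linksys default: empty username
    http_password: str = "admin"        # Linksys default password
    # WAN port -> LAN host it is forwarded to
    port_forwards: Dict[int, str] = field(default_factory=dict)


def wan_admin_ports(cfg: Wrt54gConfig) -> List[int]:
    """Admin-page ports reachable from the WAN under the thread's model."""
    if cfg.firewall_enabled:
        return []  # tested units with the firewall on did not expose the page
    # Firewall off: every admin port not forwarded elsewhere serves the page.
    return [p for p in ADMIN_PORTS if p not in cfg.port_forwards]


def uses_default_credentials(cfg: Wrt54gConfig) -> bool:
    return cfg.http_username == "" and cfg.http_password == "admin"


def assess(cfg: Wrt54gConfig) -> List[str]:
    """Return human-readable findings, empty when nothing is flagged."""
    findings = []
    ports = wan_admin_ports(cfg)
    if ports:
        findings.append(f"admin page reachable from WAN on {ports} "
                        f"(firewall disabled; remote admin setting is irrelevant)")
    if cfg.remote_admin_enabled:
        findings.append("remote administration explicitly enabled")
    if uses_default_credentials(cfg):
        findings.append("default HTTP credentials (empty user / 'admin') still set")
    return findings


def apply_workaround(cfg: Wrt54gConfig, sink: str) -> Wrt54gConfig:
    """Forward 80 and 443 to `sink`, the thread's interim fix. The sink must
    be an address with no listening host, otherwise that host is exposed."""
    for port in ADMIN_PORTS:
        cfg.port_forwards[port] = sink
    return cfg


if __name__ == "__main__":
    # Constructed sample: factory-state unit with the firewall switched off.
    unit = Wrt54gConfig(firmware="v2.02.7", firewall_enabled=False)
    for finding in assess(unit):
        print("FINDING:", finding)
    apply_workaround(unit, "192.168.1.250")  # constructed unused LAN address
    print("after workaround:", assess(unit))
```

The model deliberately stays silent about which port the remote-admin feature itself listens on, since the thread does not say.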

  8. Re:How is this different from normal? by mccalli · · Score: 5, Informative
    Unlike Netgear, Linksys routers have no way to stop broadcasting the SSID

    Mine does - I've got a "Wireless SSID Broadcast: Enable/Disable" option on the Wireless page. I'm running firmware 2.02.2

    Cheers,
    Ian

  9. Re:Only 'moderately' critical ? by VC · · Score: 4, Informative

    It's not that bad... The thing is a linux box, with an admin password.

    If you did the right thing and changed your admin password, then what you've really got is a linux box on a wan, with a hard to guess password.

    Besides which, you're running the Swedish firmware anyway, aren't you. :-)

  10. Re:How is this different from normal? by Ath · · Score: 3, Informative

    You cannot disable the SSID broadcast on the Linksys WRT54G? Funny. When I change the radio button in the admin page to "Disable SSID Broadcast", it stops broadcasting the SSID.

    Please make sure you either clarify such statements or don't make them when they are false (as in the current situation).

  11. Re:Only 'moderately' critical ? by SilentChris · · Score: 2, Informative

    It's only "moderately" critical (for now) because a simple hardware reset button fixes the problem. Once reset, go into the admin and set a bloody password -- problem never happens again.

    It would be more critical if the exploit permanently wrecked the router. As it is, most of them have their simple boot code in flashable ROM. Just grab the last good copy and work with it (if someone figures out a way to update the firmware to a bad version, well, then people are screwed).

  12. Re:How is this different from normal? by Kulaid982 · · Score: 2, Informative


    Linksys routers have no way to stop broadcasting the SSID
    Which Linksys WAP? The WRT54G certainly does allow you to turn off SSID broadcast, it's a setting under the "Wireless" tab on the administration page. When I first set up my wireless network, I initially left the SSID on to make it easier for me to verify that all my machines were within range and had good signal. Once satisfied, I turned off the SSID broadcast and took other steps to secure the network.

    Changing the default SSID doesn't help.
    I do agree with you here: the exploit we're discussing has nothing to do with the SSID broadcast, it deals with remote administration from the internet.

    --

    Isn't it interesting how you come to recognize posters based solely on their sigs???
  13. Re:The reason the risk is "moderate" is... by Ath · · Score: 4, Informative
    This problem is specific to one version of firmware.

    I should correct this because some people with the 2.02.07 version that this guy claimed to be using are reporting they cannot reproduce the problem.

    This could be basic user error. By the way, the remote admin function is disabled by default in the WRT54G firmware.

    What gets me is that if you want to bitch about the WRT54G firmware, there are plenty of better reasons than this apparently bogus one. Only the hacked firmwares really make this hardware shine (and have all functions plus new ones work properly).

  14. Re:Only 'moderately' critical ? by southpolesammy · · Score: 3, Informative

    Yes, this is only moderately critical because (a) the overwhelming majority of owners of these devices have them either directly or indirectly behind a NAT'ing cable modem or DSL connection, and (b) the "exploit" (if it can even be called that) is a known entity that any owner of one of these devices (myself included) should have realized the possibility of from day 1 and changed that password immediately, possibly before even connecting it to the cable modem.

    This doesn't rate a critical or severe like the script kiddies' worms that keep coming out because short of installing a custom firmware version, there's not much that can be done with the device once owned other than to screw with its owner's networking.

    --
    Rule #1 -- Politics always trumps technology.
  15. Re:How is this different from normal? by southpolesammy · · Score: 3, Informative

    This is so not true. My WRT54G has had an enable/disable toggle for SSID broadcasting included in the firmware since the day I purchased it about 18 months ago. Perhaps you're referring to an old version of firmware, but most anything purchased from Linksys since the WAP boom began has had this option.

    --
    Rule #1 -- Politics always trumps technology.
  16. Re:How is this different from normal? by mivok · · Score: 3, Informative

    Strange, that's exactly opposite to my experience - my linksys WRT54G can turn off SSID broadcast (and has WPA support incidentally), whereas the netgear access point (WG502) that I replaced with the linksys was pathetic with respect to security, providing only WEP (with a broken promise of upgrade to WPA), and not allowing me to hide the SSID.

  17. There are backdoored firmware available. by acz · · Score: 5, Informative

    Most slashdot readers already know that there are a bunch of modified firmwares for the wrt54g such as this one. You should also be aware that they are already backdoored/rootkit versions (custom version of teso's adore for the wrt54g which will hide specific clients, processes, mac addresses and connections). It should also be noted that vulnerable linksys access points are trivial to detect using kismet (runs on linux, *bsd, zaurus, wrt54g) or kismac (runs on Mac OS X).

  18. Re:Only 'moderately' critical ? by missing000 · · Score: 1, Informative

    Even better than that.

    I picked one of these up last night.
    The admin page is set at 192.168.1.1, a route unreachable from my nat'ed router (which even resides on another subnet).

    As long as people set up WPA or something, these devices are fine. You would have to have physical access to the network to run the noted compromise, as the page in question is only accessible from the air if you first compromise whatever wireless security the user has in place.

  19. People have already died.... by afxgrin · · Score: 2, Informative

    There's several cases where software failure has been fatal.

    How about the case of the THERAC-25, where several died or were seriously injured.

    This is a typical case study shown in any ethics course involving software design. It turns out the cause of the severe radiation burns was from the operator entering commands and parameters faster than the unit could handle.

    Then there's the Soviet pipeline that blew up due to deliberately buggy software stolen from the US.

    Then there's the Osprey, which had software bugs that killed 30 Marines in 3 accidents.

    There's also 2 commercial jet crashes due to software problems with either radar, or just reporting position properly to the pilot, killing over 300 people in the 2 accidents.

    This problem is very real. So when people joke about getting a BSOD while driving a car, it's highly plausible.

  20. Re:Only 'moderately' critical ? by JHDrexler · · Score: 2, Informative

    I noticed this a couple of weeks ago on my router. I by-passed the issue by enabling port-forwarding and forwarded those two ports to a non-existent IP address. This solved my issue but YMMV. Hope it helps.

  21. not not .... well sorta by Merlin42 · · Score: 4, Informative

    Actually I was able to reproduce the 'problem'. It is not mentioned in the article, but you can access the admin page from the WAN port if 'firewall protection' is disabled.

    In hindsight this sort of makes sense ... although it is NOT at all obvious at first glance.

    In any case I wouldn't consider this to be a HUGE problem since 'firewall protection' is on by default and 'Joe 6pack' is unlikely to turn it off since the general perception among nongeeks (at least in my experience) is that Firewalls are magical good things that block bad stuff (for varying definitions of bad).

    1. Re:not not .... well sorta by LoadWB · · Score: 2, Informative

      I tried two different units and both showed the same results. Even after resetting the units, I was able to hit port 80 and 443.

      However, as my follow-up says, and as no one else has mentioned, I bought three brand new units from local retailers, each came with v2.02.2, and they weren't vulnerable OOB, except for one that came with firewall off -- and I assume that had to be a customer return.

      However, in the end, if firewall IS disabled, it DOES work as described on newer units. I cannot explain why the first ones I got with v2.02.7 behaved this way without any configuration changes.

  22. Re:Only 'moderately' critical ? by Sancho · · Score: 2, Informative

    Actually, the article says WAN, not WLAN. WAN == Wide Area Network, meaning the Internet, which you are probably connected to if you have a device like this. WLAN == WireLess Area Network, I guess, and is the wireless part you're talking about.

  23. Re:things like this... by Anonymous Coward · · Score: 1, Informative
    OH! you mean like the dillweed IT person who
    1. installed *ANY* wireless access point
    2. didn't set up the *EASILY HACKABLE* security available on *ANY* WAP
    3. didn't change the password
    Yeah, fire him and sue him for your millions of dollars lost pr0n.

    Did you READ the fscking article?

    "The implications are obvious: out of the box the unit gives full access to its administration from the WAN using the default or, if the user even bothered to change it, an easily guessed password," he said.

    So, if you set a password, then it's *obviously* going to be an easily guessed password.

    Hellooooo, *SENSATIONALISM*!
  24. Re:psst ... by itwerx · · Score: 2, Informative

    Try doing it from the internet side...
    It works from the outside as well.
    This has actually been a problem for a long time. I first noticed it on one of their 802.11b series WAP/firewalls. I don't remember the model; it was an early one and died of over-heating a couple years ago, like most of their stuff does.
    (Tip for anybody w/a LinkSys WAP - put a fan on/in it!)
    Like somebody else commented, I just forwarded the ports to a bogus IP. I also sent a note to their tech support who told me to update to the latest firmware but that didn't help. I've seen it many times since on other models so it doesn't surprise me that even the latest and greatest is still wide open. :(

  25. It's not a priority issue... by the_skywise · · Score: 2, Informative

    I thought the same thing. The problem I found is that XP will select based upon signal strength. In my case, I was at a friend's apartment. His router was in the next room, but his neighbor's router was immediately behind us next to the wall. So I could specify the non-SSID connection and have it at the top of the priority list, but it would eventually drop it in favor of the SSID one because it had a stronger signal strength.

  26. Re:Too Late -- Expired by digitalsushi · · Score: 2, Informative

    check it every now and then, if it's expired. it seems to cycle through after each expiration. i grabbed mine after the first time i saw it expire.

    http://www.pcmall.com/pcmall/shop/detail.asp?dpno=345833&adcampaign=email,PWB02474

    there's a vendor that has it til june 30th. there's a ton of these, just google for "free usb wifi" or something.

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  27. You think that's scary? by moyix · · Score: 2, Informative

    I've been following this on BugTraq. As others in this discussion have pointed out, it's not that big a deal, since most people turn the firewall on. There's also an interesting post about someone who bought a few of them and checked whether the firewall was enabled by default--it turns out that two of the three units he tested came with the firewall enabled.

    Much more terrifying, though, is the fact that Netgear WG602 Access Points have a default admin account that can't be turned off, with the username "super" and the password "5777364". So expect anyone on the WLAN/LAN to be able to own your router if you have this product and enable the admin interface.