Slashdot Mirror


Critical Flaw Discovered In DD-WRT

MagicM writes "A critical flaw has been discovered in DD-WRT, a Linux based alternative open source firmware for WLAN routers such as the fan-favorite Linksys WRT54GL. The flaw can give an attacker instant root access to the router merely by embedding an image with a specially crafted URL in a Web page (CSRF attack)." The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device.

225 comments

  1. This is a common stack in wifi APs by BadAnalogyGuy · · Score: 2, Insightful

    Yes, there's a fix for this, but what is the likelihood of every person who owns a Wifi router fixing this flaw?

    We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.

    Just because we love Linux doesn't mean that we should sacrifice the entire ecosystem to that love. We need to nurture other implementations to prevent this type of virus from wiping out our entire networking infrastructure.

    1. Re:This is a common stack in wifi APs by qoncept · · Score: 5, Insightful

      What are you talking about?

      1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?

      2. Do you think DD-WRT was really all that much more susceptible to having a flaw than, say, something from Cisco? Or, by the same thought process, do you think open source Linux is inherently more vulnerable than Windows?

      3. Homogeny? Huh?! Do you mean the homogeny that's defined as "a significant portion of huge nerds (though certainly not even close to a majority) uses this software"? How many routers are being used in homes and small businesses around the world? You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware.

      Software bugs happen. You don't need to get all philosophical about it. And besides, this is no more dangerous than the much larger number of people probably still using the default password on their router, and probably only slightly more dangerous than the huge number of people who don't have any kind of security. Relax.

      --
      Whale
    2. Re:This is a common stack in wifi APs by nitsew · · Score: 3, Insightful

      Yes, there's a fix for this, but what is the likelihood of every person who owns a Wifi router fixing this flaw?

      We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.

      Just because we love Linux doesn't mean that we should sacrifice the entire ecosystem to that love. We need to nurture other implementations to prevent this type of virus from wiping out our entire networking infrastructure.

      What is the likelihood of any flaw on any system getting patched? I don't see how a vulnerability in DD-WRT is any different than if Cisco announced a major vulnerability in one of their systems. I bet just about the same percentage would be patched.

    3. Re:This is a common stack in wifi APs by middlemen · · Score: 4, Insightful

      We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.

      As opposed to using the base software from Linksys/Cisco where you don't know where the flaws lie, and if someone figures it out, it rarely ever gets published on the web openly or gets fixed soon enough in a firmware update. How is that different ? At least if you use Linux, you have people who care, and only people who care about their networks or improved experience with their routers use DD-WRT/OpenWRT/Other in the first place. Most just use the default software on their routers, which remains unpatched for a large portion of its use if at all.

    4. Re:This is a common stack in wifi APs by Mad+Merlin · · Score: 4, Informative

      It's hardly an issue with every wireless router. For example, the Tomato firmware is not vulnerable to this. Furthermore, most routers with DD-WRT are custom flashed, they don't come stock with it.

    5. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 2, Insightful

      If you had a PIX, Sonicwall, Monowall, Linksys, Netgear etc.. router and it had a similar flaw, you would be equally screwed because you still have to fix it. I hope you don't think using those products is 100% risk free and that they never need patched/updated.
      It doesn't matter if 1000 people are using [Router_X] or 100 million people are using it. This type of flaw on your equipment is not safer, better, worse, or any less of a flaw or risk to you and your network regardless of the overall penetration of that router in the field. Would you honestly feel safer and feel your network is better protected if you were using a different brand router and it had a similar flaw?


    6. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 5, Informative

      3. Homogeny? Huh?! Do you mean the homogeny that's defined as "a significant portion of huge nerds (though certainly not even close to a majority) uses this software"? How many routers are being used in homes and small businesses around the world? You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware.

      WRT54GL

      http://www.linksysbycisco.com/US/en/products/WRT54GL

    7. Re:This is a common stack in wifi APs by yakumo.unr · · Score: 1

      I'd mod you up if I had points atm :)

    8. Re:This is a common stack in wifi APs by Shads · · Score: 2, Insightful

      What you're advocating, in a round about way, is security through obscurity.

      Security through obscurity doesn't work.

      All security through obscurity does is propagate a false sense of security that you're safe because you've not heard any major news headlines telling you that you're vulnerable... meanwhile, you've been rooted for 3 months.

      --
      Shadus
    9. Re:This is a common stack in wifi APs by HockeyPuck · · Score: 5, Interesting

      1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?

      You're assuming that all these people that installed dd-wrt on their router installed it on their own routers only. Not their parents, friends etc, and forgot about it.

      Do most open source projects have a mailing list in which ONLY important notifications like this go out? In comparison, two years ago I bought a coffee pot from Amazon, and the manufacturer issued a recall for the pot itself. Amazon notified me via email that there was a recall for the pot and provided instructions on how to get a new replacement glass pot. Trolling forums or slashdot isn't exactly my idea of customer service.

      If I had bought a Cisco/linksys router and there was a similar problem would I have been notified after registering the product?

    10. Re:This is a common stack in wifi APs by narfspoon · · Score: 5, Insightful

      [Citation Needed]

      If you read the comments on NewEgg.com for that router model, not everyone mentions DD-WRT. Some use other 3rd party firmwares like Tomato or Open-WRT or custom builds. And believe it or not, some even write a positive review for the default factory firmware. The nice thing about that model ("L" version) is the extra memory headroom. Earlier models were stripped and crippled to run a really crappy default firmware from Linksys. BitTorrent crashes these small memory models often.

      http://en.wikipedia.org/wiki/Linksys_WRT54G_series#Hardware_and_revisions

    11. Re:This is a common stack in wifi APs by Shads · · Score: 1

      In reality I would wager less of the dd-wrt routers would get patched, but only because a lot of them were deployed by non-professionals who will likely not see the news.

      --
      Shadus
    12. Re:This is a common stack in wifi APs by Shads · · Score: 1

      /me winces as he remembers all the web vulnerabilities on the PIX.

      --
      Shadus
    13. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 2, Informative

      +1 for Tomato, that firmware is awesome and rock solid.

    14. Re:This is a common stack in wifi APs by nitsew · · Score: 1

      In reality I would wager less of the dd-wrt routers would get patched, but only because a lot of them were deployed by non-professionals who will likely not see the news.

      That is a good point, but I would have to disagree. I think that if someone is going to deploy DD-WRT, they would probably be as likely to see an article or two on it. Most of the people I know that use DD-WRT are geeky security types anyway. :)

    15. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 0

      If you're complaining about Linux as 3rd party firmware on WRTs then you are sorely misinformed. The one I recently purchased proudly states "powered by Linux" on the box and offers details about obtaining the source code:

      http://imgur.com/1SWbL.jpg

    16. Re:This is a common stack in wifi APs by troll8901 · · Score: 2, Funny

      The router appears to glow in the picture.

      Does that mean the router has biochemical reactions involving free radicals as well?

      Someone call Greenpeace! There's a lack of environmental progress from router makers!

    17. Re:This is a common stack in wifi APs by cenc · · Score: 1

      I would say likly the bufflow routers, as they get bad reviews for their factory firmware but great reviews for their hardware.

      By the way I run Tomato on both types.

    18. Re:This is a common stack in wifi APs by Co0Ps · · Score: 1

      Maybe in theory, but in the real world security through obscurity works, whether you like it or not. It works in the sense that it makes potential exploits harder to find. Have you ever tried reverse engineering? Digging through ASM code looking for potential exploits IS a lot harder when you don't have the source code. This is a fact.

      Software with more potential exploits is not automatically less secure. You got to take the probability that they will be found into account. And other factors.

    19. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 0

      1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?

      You're assuming that all these people that installed dd-wrt on their router installed it on their own routers only. Not their parents, friends etc, and forgot about it.

      Do most open source projects have a mailing list in which ONLY important notifications like this go out? In comparison, two years ago I bought a coffee pot from Amazon, and the manufacturer issued a recall for the pot itself. Amazon notified me via email that there was a recall for the pot and provided instructions on how to get a new replacement glass pot. Trolling forums or slashdot isn't exactly my idea of customer service.

      If I had bought a Cisco/linksys router and there was a similar problem would I have been notified after registering the product?

      You are probably referring to the 'add me to the blabla-product mailing list? receive product updates and security notifications!! Just type your email address here' link when you download the software. Amazon probably put you on their list without your permission.

    20. Re:This is a common stack in wifi APs by DavoMan · · Score: 2, Funny

      Zomg they have discovered a vulnerability in EARTH! My infrastructure runs on earth! Oh noes!! F1 key! F1!!!

      --
      Whats the harm in yelling 'Computer, end program!'? You could be living in Star Trek! Go on.. give it a try.
    21. Re:This is a common stack in wifi APs by Deadstick · · Score: 1

      Name a router that you think has more instances of DD-WRT installed than the factory firmware.

      Linksys WRT54GL. The one they market through online dealers (no brick-and-mortar stores that I know of) specifically for people who want a Linux-based router that's friendly to third-party firmware.

      rj

    22. Re:This is a common stack in wifi APs by TypoNAM · · Score: 1

      but in the real world security through obscurity works, even if you like it or not.

      It's working alright, for those who exploit unknown vulnerabilities to create problematic disasters such as botnets. And then there were those instances of flaws discovered in Diebold Election Systems (now known as Premier Election Solutions) voting machines too.

      --
      This space is not for rent.
    23. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 0

      The nice thing about that model ("L" version) is the extra memory headroom. Earlier models were stripped and crippled to run a really crappy default firmware from Linksys.

      No, you've got it the wrong way around. Earlier models (up to v5.0) were hackable out-of-the-box. Linksys received quite some flak when they introduced the v5.0 model that had less memory and as such could not be easily re-flashed with third-party firmware. As a remedy they introduced the 54GL model that again had more memory (and a higher price of course).

      I have the 54GL as well. It is still one of the very few routers that supports IPv6, exactly because of the ability to use third-party firmware. I do not intend to buy another router unless it supports IPv6 at least as well as my current device.

      And to add to the statistics: I run the v23sp2 firmware, so I'm still vulnerable. Now that there's an iptables workaround I'll apply that, but currently the site is slashdotted.

    24. Re:This is a common stack in wifi APs by Minwee · · Score: 3, Informative

      No, you've got it the wrong way around. Earlier models (up to v5.0) were hackable out-of-the-box. Linksys received quite some flak when they introduced the v5.0 model that had less memory and as such could not be easily re-flashed with third-party firmware. As a remedy they introduced the 54GL model that again had more memory (and a higher price of course).

      So you agree that earlier models which were released shortly before the WRT54GL, were stripped and crippled. Except for the part where you said he was wrong you just agreed with everything the grandparent poster said.

    25. Re:This is a common stack in wifi APs by ccool · · Score: 1

      Also, as pointed out in the text:

      can only be used directly from outside your network over the internet if you have enabled remote Web GUI management

      How many of the people who installed dd-wrt did that?!?

      Personally, I was worrying about that until I read that quote. I mean, I installed DD-WRT at my uncle's house and my parents, but I never enable remote management. So all in all, I'm not planning an emergency upgrade anytime soon.

    26. Re:This is a common stack in wifi APs by Co0Ps · · Score: 1

      Botnet building malware actually use common exploits, that are known and patched. And the reason they are found so quickly is because they are used on such a large scale, to build botnets. Your example has nothing to do with security through obscurity. The reason botnets exist is because people leave their computers turned on and unpatched.

    27. Re:This is a common stack in wifi APs by eredin · · Score: 2, Interesting

      I couldn't agree more. After a long history of sketchy routers that I had to reboot every other day, I bought the WRT54GL just so I could put third-party firmware on it. The rave reviews led me to Tomato. Simple to set up, great interface, lots of cool stats and graphs, and -- most importantly -- my up time is now determined by power outages.

    28. Re:This is a common stack in wifi APs by oakgrove · · Score: 1

      Bought mine at Fry's Electronics here in Atlanta so there is at least one B&M you can pick it up at. Only criticism I can really throw at it is the lack of draft n.

      I'm also running dd-wrt so I think I'll be updating it now.

      --
      The soylentnews experiment has been a dismal failure.
    29. Re:This is a common stack in wifi APs by damien_kane · · Score: 1

      Security through obscurity doesn't work by itself .

      There, FTFY

    30. Re:This is a common stack in wifi APs by Paul+Carver · · Score: 1

      So, you want the DD-WRT people to email you when a bug is discovered? Cisco would not email you either.. Neither does Microsoft, Adobe or... ANYONE.

      Umm, what? Cisco emails me all the time about bugs. Granted, they email me about larger equipment. I don't have anything as small as a Linksys router associated with my CCO ID, but Cisco most certainly has the capability to send out notifications whenever there is a bug discovered in a piece of hardware or software they sell.

      I don't deal with Microsoft or Adobe so I can't speak to them, but email notifications when bugs are found are hardly an uncommon idea. I can only conclude that your comment is based out of ignorance. You act like the idea of email notification of bugs is some exotic idea that could never happen when in fact it's day to day business as usual for lots of companies.

    31. Re:This is a common stack in wifi APs by Repossessed · · Score: 1

      I almost never update the DD-WRT firmware on mine.

      According to TFA the problem is with remote web gui control though, and that's pretty trivial to turn off (and since it's off by default, I don't even have to do it).

      --
      Liberte, Egalite, Fraternite (TM)
    32. Re:This is a common stack in wifi APs by rawr_one · · Score: 1

      That doesn't mean it's not third-party. Third-party means that it's not made by the manufacturers or anybody sponsored by the manufacturers, so Linux IS 3rd-party firmware.

      At the very best it could be 2nd-party firmware, but 2nd-party is such a lost concept in this day and age that I would hesitate to refer to it as such.

    33. Re:This is a common stack in wifi APs by Mister+Whirly · · Score: 1

      Microsoft sends out patch advisories every month explaining what is coming out on Patch Tuesday, in other words, what bugs the patches will fix. Either you have never had any MS, Adobe, or Cisco products that you have registered, or you are deliberately trolling.

      --
      "But this one goes to 11!"
    34. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 1, Insightful

      You obviously didn't get what he said. Homogeny means that everyone uses the same software. A single flaw makes everyone vulnerable. As opposed to where people use 10 different products you need 10 flaws to hit everyone. Additionally the chance of one of these hacks working on a randomly selected router would be a lot lower.

      It is not about open source vs. closed source.

    35. Re:This is a common stack in wifi APs by Mister+Whirly · · Score: 1

      Sorry, didn't mean to reply to you, but to OP.

      --
      "But this one goes to 11!"
    36. Re:This is a common stack in wifi APs by InvisiBill · · Score: 1

      1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?

      I tend to not update DD-WRT on my routers all that frequently, because they just work. I do occasionally check for new versions and update as appropriate (as with most of my other apps, drivers, etc. as well). But when you're not constantly having problems with something, it's a lot easier to forget it's even there. You tend to check for Linksys firmware updates when your router locks up every few days, but months of uptime generally don't make you run out and try to find something new.

    37. Re:This is a common stack in wifi APs by narfspoon · · Score: 2, Informative

      He's right also. I should've said "some of the earlier models (versions 5.0 -> 8.2)".

      I would have said "pre-2005" models, but that's not entirely accurate either.

      Last time I checked recently, stores mostly had the non-Linux versions in stock or they had the WRT54G"L" side-by-side with the low-memory non-Linux version of the same router. I know NewEgg sells both versions also. Local brick&mortar stores only carried the bad version.

    38. Re:This is a common stack in wifi APs by olsmeister · · Score: 1

      Software bugs happen. You don't need to get all philosophical about it. And besides, this is no more dangerous than the much larger number of people probably still using the default password on their router, and probably only slightly more dangerous than the huge number of people who don't have any kind of security. Relax.

      ummm...proximity???

    39. Re:This is a common stack in wifi APs by element-o.p. · · Score: 1

      Botnet building malware actually use common exploits, that are known and patched. And the reason they are found so quickly is because they are used on such a large scale, to build botnets. Your example has nothing to do with security through obscurity. The reason botnets exist is because people leave their computers turned on and unpatched.

      How do you think the common exploits were found? When $Random_Software_Company releases software -- say, perhaps an operating system -- do they publish all of the "common exploits" on their web site so black hats can create botnets? Do the black hats have the source code for $Random_Commercial_Operating_System so they can find exploits?

      Of course not! That's absurd. Therefore, it stands to reason that at one time, the common exploits were unknown exploits that someone with a lot of time, perseverance, luck and skills discovered, despite security through obscurity. And therefore, security through obscurity is NOT sufficient security.

      I have no problem with security through obscurity as another layer in your security model. But to say that security through obscurity in and of itself works in the real world is deluded, at best.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    40. Re:This is a common stack in wifi APs by Extide · · Score: 1

      No, the very early versions actually have more ram & flash than the GL version. I have a v2.0 at home and it has 8MB of flash and 32MB of ram. I believe the GL only has 4MB of flash and 16MB of ram.

      --
      Technophile
    41. Re:This is a common stack in wifi APs by Khyber · · Score: 2, Informative

      "You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware. "

      Buffalo WHR-HP-G54DD comes with it installed by default.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    42. Re:This is a common stack in wifi APs by Khyber · · Score: 1

      Will the semi-crippled WRT-54GL that I have finally quit bugging out every time I use bittorrent if I used Tomato instead of DD-WRT, and does Tomato come with wireless bridging/repeater functionality?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    43. Re:This is a common stack in wifi APs by Khyber · · Score: 1

      Security through obscurity DOES work. I invite you to try exploiting any MenuetOS box. Good luck without knowing the actual hardware of the system and having the source code to the ASM-coded drivers written for each individual piece of hardware!

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    44. Re:This is a common stack in wifi APs by Technician · · Score: 1

      In reading the flaw, it seems to require the browser send info to the router to change a configuration from inside the network, an item that is password protected in the router. Honestly, who has an auto login to their router stored in their PC. Sheesh. People using the firmware should have enough network security sense to never permit the browser to store the router password.

      I have to type in my password anytime I log into my router which is rarely.

      Some simple security is in order here. The web page can try to send configuration info to the router to make a change, but it doesn't get auto login unless you have it enabled.

      --
      The truth shall set you free!
    45. Re:This is a common stack in wifi APs by Ungulate · · Score: 1

      Wow, how did this get modded up to 5? The WRT54GL is intended for the hacker-hobbyist, but ships with standard Linksys firmware just like the rest of their routers.

    46. Re:This is a common stack in wifi APs by Cramer · · Score: 1

      Software bugs happen.

      True. However, seeing how no one is learning the damned mistake... Linksys firmware has had the same type of flaw (repeatedly) for a very long time. (In fact, it was how people first got 3rd party firmware on the things.)

      The problem is the horrible, lame, stupid practice of using system() with non-sanitized user input. If people would stop using the system() function call -- which many modern compilers will warn you about in the first place -- these problems wouldn't pop up. The example in the alert turns into system("/www/;reboot>/tmp/shellout.asp"). That is so wrong, I'd fail you as a computer science student -- and fire you as an employee.

      And no, they did not fix the issue. They turned off (#if 0/#endif) the block of code handling cgi-bin (rev 12532) and then moved the connectivity check (no access via wireless) higher @12533. The bug is still there. a) don't use system(), b) filter out "bad input", and c) start the shell with -e so it will exit on the first error, thus eliminating chaining.
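
An added example, not DD-WRT's code, illustrating the point made above: the command string a system()-based CGI handler would hand to the shell, next to a handler that checks the script name against an allow-list and runs it with execv() so no shell ever parses the input. The /www and /tmp/shellout.asp paths and the ";reboot" input are taken from the alert quoted in the post; the function names, the 64-character limit, and the character allow-list are assumptions made for this example.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_NAME 64   /* assumed upper bound on a CGI script name */

/* VULNERABLE PATTERN (returned, not executed): the string a system()-based
 * handler would hand to /bin/sh. The shell re-parses it, so ';', '|', '`'
 * or '$(' inside `name` turn into a second command. */
const char *build_command_unsafe(const char *name) {
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "/www/%s > /tmp/shellout.asp", name);
    return cmd;
}

/* Allow-list check for a CGI script name: non-empty, bounded, characters
 * limited to [A-Za-z0-9_.-], no leading '.', no ".." traversal. Rejecting
 * everything not on the list is the "filter bad input" step. */
int is_safe_script_name(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > MAX_NAME || name[0] == '.' || strstr(name, "..") != NULL)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* HARDENED HANDLER: validate, then fork and execv() the script directly with
 * an explicit argv, redirecting its stdout to `out_path` with dup2(). No shell
 * runs, so there is nothing for a metacharacter to chain onto. Returns the
 * child's exit status, or -1 if the name is rejected or the child cannot start. */
int run_cgi_safe(const char *dir, const char *name, const char *out_path) {
    if (!is_safe_script_name(name))
        return -1;

    char path[512];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open(out_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0)
            _exit(127);
        close(fd);
        char *const argv[] = { path, NULL };
        execv(path, argv);      /* argv is passed as-is; nothing re-parses it */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed input modelled on the alert's example: a script name that
     * carries a shell command separator. */
    const char *tainted = ";reboot";
    printf("what system() would run : %s\n", build_command_unsafe(tainted));
    printf("allow-list accepts it?  : %d\n", is_safe_script_name(tainted));
    printf("run_cgi_safe()          : %d\n", run_cgi_safe("/www", tainted, "/tmp/shellout.asp"));
    return 0;
}
```

The allow-list is deliberately stricter than "strip ';'": a deny-list of known metacharacters tends to miss the next one, whereas a short allow-list plus execv() removes the shell from the path entirely, which is the only change that makes the chaining impossible rather than merely harder.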

    47. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 0

      They're only up to version 8 IIRC, so only half the versions are stripped. And the stripping didn't start until 5, 1 through 4 are not stripped.

      Ergo, the earlier versions were not crippled, and the later ones were.

    48. Re:This is a common stack in wifi APs by Ant+P. · · Score: 1

      What I don't get is how Linksys can possibly think it's good business sense to piss off so many customers with price-gouging and crippled products. Then again, they see Microsoft getting away with it...

    49. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 0

      I've got the WRT-54GS. Not sure about the GL, but after running tomato for a few years I literally go down for power outages only. It's quite amazing and I use BT regularly. I've used a lot of routers and was never a huge fan of linksys but never has anything been so stable.

      I can't comment on bridge/repeater as I haven't used it personally but I do believe it's there if I remember correctly.

    50. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 0

      If I had bought a Cisco/linksys router and there was a similar problem would I have been notified after registering the product?

      Well, I certainly haven't been notified by Cisco in similar circumstances, despite having registered products with them for decades now. I usually find out online, places like bugtraq and slashdot.

      Allah helps those who help themselves, I've heard.

    51. Re:This is a common stack in wifi APs by thejynxed · · Score: 3, Interesting

      I hope the following tale satisfies your curiosity.

      Back in the day, you had a company named Linksys. They made excellent home routers. I dare say the best you could get on the market. They release several versions of a certain wireless router, model WRT54G. People everywhere rejoice, because they can hack away at this machine to their heart's content. Modding the firmware, modding the hardware. You name it.

      During this period, a certain, shall we say, rather shitty manufacturer of 'Enterprise' routers, named Cisco, decides to buy this rather successful smaller company. They want a piece of that vast home router market that Linksys enjoys.

      So, the corporate behemoth decides to take a good look at the hardware that Linksys has been selling, and lo and behold, it is as good as or even better than the shite they sell to their 'Enterprise' customers! "Oh noes!" they exclaim, "We can't have THIS nonsense going on! What do we do if our 'Enterprise' customers see our webpage and start buying the Linksys branded routers instead of our over-priced 'Enterprise' Cisco-branded crap?"

      Henceforth, it was decreed by the demi-dogs of Cisco Corporate Headquarters that "There shall not be any extra features or better hardware in the 'Consumer' class routers that already exist in our 'Enterprise' class routers!"

      Narrator's Note: We ended up with the crippled turds known as the WRT54G v5 to v8.2.

      Soon the Corporate demi-dogs started noticing they were swiftly losing sales and receiving MANY customer complaints about their latest iterations of the WRT54G. To save their own hides from the proverbial pitchforks and torches of their 'Consumer' class customers, and their cousins, called 'The Shareholders', they quickly released a version of the WRT54G, and designated it the WRT54GL v1.1 (US).

      There was much rejoicing, as now we could happily hack away at our precious WRTs again, even if not quite so spectacularly as before.

      Narrator's Note: For some odd reason, the US got a v1.1 and Europe started off with a v1.0c at the same time.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    52. Re:This is a common stack in wifi APs by dodongo · · Score: 1

      "a significant portion of huge nerds ... uses this software"

      I'll pass up this opportunity to rave about your excellent long-distance subject-verb agreement and just accuse you of being an insensitive clod, how's about that?

    53. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 0

      I would say likly the bufflow routers

      WTF?

    54. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 0

      Buffalo.

    55. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 0

      The WRT54GL isn't "crippled", it has 16Mb of RAM and 4Mb of flash. Crippled units, like the newer WRT54G, only have 8Mb RAM and 2Mb flash. The only router in the WRT54 family to have more RAM than the GL is the -TM, sold by T-Mobile. It has 32Mb of RAM.

      It's easy enough to upgrade GL's (or any other G, for that matter) to 64 or even 128Mb of RAM, anyway. There's ample documentation on the DD-WRT forum on that.

  2. Standard Practices by karnal · · Score: 4, Insightful

    I was wondering: How can this attack be carried out if the external web management is turned off? From the article:

    Note: The exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As immediate action please disable the remote Web GUI management. But that limitation could be easily overridden by a Cross-Site Request Forgery (CSFR) where a malicious website could inject the exploit from inside the browser.

    The Slashdot blurb does state "The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device." but that statement doesn't curb a lot of the "The Sky is FALLING!" reactions....

    Basically, I would NEVER allow remote web management of a device if it's on the internet. I believe the default for DD-WRT is to disable it as well, so you'd have to go in and tell the device that you want to enable this feature. All in all, I think for most users, this issue is a non-issue.

    --
    Karnal
    1. Re:Standard Practices by BigHungryJoe · · Score: 4, Informative

      Maybe I'm misunderstanding, but if the exploit is "injected from inside the browser" then won't the management of the device be coming from the local interface, not the internet side?

    2. Re:Standard Practices by karnal · · Score: 1, Redundant

      Alright, I'm a n00b. I didn't read that second line fully before posting regarding the injection.

      --
      Karnal
    3. Re:Standard Practices by gamefreak1450 · · Score: 5, Informative

      Basically, I would NEVER allow remote web management of a device if it's on the internet.

      Good idea, but this is a critical exploit because hackers can make an img tag load the malformed URL. If they can trick you into viewing that image, then your router will be compromised from your computer on the network. Disabling the external management will prevent internet users from compromising your router, but it is still vulnerable to local threats, as executed through the CSRF method.

    4. Re:Standard Practices by tonyreadsnews · · Score: 2, Informative

      Yeah, that's what I got from that statement too.

      The easy way is to go directly in through the remote Web GUI.

      Slightly harder to go in through the browser running inside the network.

    5. Re:Standard Practices by Anonymous Coward · · Score: 2, Funny

      Good idea, but this is a critical exploit because hackers can make an img tag load the malformed URL.

      What about dentists? Can dentists make an img tag to load the malformed URL too, or just hackers?

    6. Re:Standard Practices by Culture20 · · Score: 2, Interesting

      Thus why you don't allow web management even on the local interfaces except with a specific IP that isn't your workstation. The possibility of http redirects to default local IPs that routers use (attempting default password logins) has been around since their inception.

    7. Re:Standard Practices by Alarash · · Score: 0

      Yes. Only if you enabled the management from the WAN interface, as I understand, are you vulnerable. And you deserve to be hacked if you did that, really.

    8. Re:Standard Practices by Xua · · Score: 1

      Basically, I would NEVER allow remote web management of a device if it's on the internet. I believe the default for DD-WRT is to disable it as well, so you'd have to go in and tell the device that you want to enable this feature. All in all, I think for most users, this issue is a non-issue.

      Sure, in DD-WRT external web access is disabled by default, so it is necessary to enable it manually. But it is a quite convenient thing because DD-WRT provides a Wake-On-LAN functionality and it is possible to turn computers on in the LAN. When I go to work I can leave my home computer off and if I need it, I can turn it on using my router. Now I had to disable external web access until I update firmware to a safe version.

    9. Re:Standard Practices by camperdave · · Score: 1

      Yes, but you're hardly likely to try to exploit your own device, are you? Attempts to exploit the flaw will be coming from the internet. By turning off remote configuration, a malicious hacker would have to find a proxy server on your LAN and bounce the attack off that to your device.

      --
      When our name is on the back of your car, we're behind you all the way!
    10. Re:Standard Practices by Anonymous Coward · · Score: 0

      Nope

    11. Re:Standard Practices by Anonymous Coward · · Score: 0

      Actually you will fit right in with the general crowd here, although you are being an over-achiever by neglecting to read the summary.

    12. Re:Standard Practices by ekimminau · · Score: 1

      Maybe I'm missing something here but:

      1) If you have your DD-WRT installed router inside your home network and assigned a private, not public IP

      and

      2) You do not port forward from the internet to your private VLAN the port for the administrative interface

      and

      3) You only allow administration from your LAN or Wireless LAN

      and

      4) your Wireless LAN is securely configured to only allow connections from people using the appropriate security

      then

      My understanding of the vulnerability is that unless someone is on your LAN or wireless LAN, they would have no way to submit the crafted URL to your DD-WRT installed router and this is all a bunch of hoopla.

      Am I misunderstanding something?

      --
      Armaments, 2-9-21 And Saint Attila raised the hand grenade up on high, saying, 'O Lord, bless this Thy hand grenade' N
    13. Re:Standard Practices by BigHungryJoe · · Score: 2, Interesting

      coming from the internet, but executed from YOUR browser. That's the danger they're talking about.

    14. Re:Standard Practices by tolan-b · · Score: 1

      Indeed. Though CSRF flaws are also dependent on you being logged into the vulnerable application at the time that you visit the compromised website (or that the application doesn't require any login but I'd be very surprised if that were the case here).

    15. Re:Standard Practices by Anonymous Coward · · Score: 0

      They are referring to exploiting your browser and then using that to exploit the router device. A roundabout way but...

    16. Re:Standard Practices by Minwee · · Score: 1

      I was wondering: How can this attack be carried out if the external web management is turned off?

      <A HREF="http://192.168.0.1/webmanagementinterface/ownyourfrakkingrouter.pl">Hey, since you're inside your network and able to access the web interface directly, why don't you click on this for me?</a>

      That's how. For bonus points load the exploit as an image and inline it on as many web pages as you can find.

      Need anything else explained? The London police probably won't arrest me for telling you that for at least another hour.

    17. Re:Standard Practices by Anonymous Coward · · Score: 0

      Replying to self... Sorry, I thought the attack was a CSRF flaw, not a login-related flaw as it seems to be, which can be exploited *via* CSRF.

    18. Re:Standard Practices by jd · · Score: 1

      The only Evil Dentist I know of, from The Avengers (From Venus With Love), was more into lasers. No sharks, though.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    19. Re:Standard Practices by camperdave · · Score: 1

      Ah... I missed that bit. So they're talking about two vulnerabilities, then: The router's and the browser's?

      --
      When our name is on the back of your car, we're behind you all the way!
    20. Re:Standard Practices by X0563511 · · Score: 1

      So why don't you SSH into the router and use SSH forwarding?

      Safer that way anyways.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    21. Re:Standard Practices by Anonymous Coward · · Score: 0

      Hey mods, how can a person's own mea culpa be redundant?

  3. Worse than that by tomtomtom · · Score: 4, Informative

    It's worse than a specially crafted image - there's a code injection flaw in the httpd server so merely accessing a URL that looks like "http://routerIP/cgi-bin/;command_to_execute" will do the trick. That URL can be put in a malicious tag on an HTML page and the user most likely won't even notice it.

    See the Register article on it from a couple of days ago.
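A log-side detection for the URL shape tomtomtom describes, added here as an example rather than anything from DD-WRT or this thread: it percent-decodes each request path (so `%3B` and double-encoded forms are caught too) and flags any cgi-bin request whose script name carries a shell metacharacter. The log format and the sample lines are constructed for the example.

```python
"""Flag '/cgi-bin/;...' style requests in web-server access logs.

Added example, not DD-WRT code. Assumes an Apache/nginx-style combined log
format; the sample lines below are constructed. Run it over the logs of both
the HTTP and the HTTPS listener, since the thread notes the offered firewall
rule does not cover the HTTPS port.
"""
import re
from urllib.parse import unquote

# ip ident user [timestamp] "METHOD path PROTO" status ... (combined log format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a cgi-bin script name.
SHELL_META = re.compile(r'[;&|`$]')


def decode_path(raw: str) -> str:
    """Percent-decode up to three times so %253B -> %3B -> ';' is still caught."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def is_cgi_injection(path: str) -> bool:
    """True when the path targets /cgi-bin/ and the script name (the part after
    /cgi-bin/, before any query string) contains a shell metacharacter, i.e. the
    '/cgi-bin/;command' shape discussed in the thread. The injection point is the
    path, so the query string is deliberately ignored here."""
    decoded = decode_path(path.split('?', 1)[0])
    m = re.match(r'^/cgi-bin/(.*)$', decoded)
    if not m:
        return False
    return bool(SHELL_META.search(m.group(1)))


def scan_log(lines):
    """Return (client_ip, raw_path, status) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:          # skip lines that are not in the expected format
            continue
        if is_cgi_injection(m.group('path')):
            hits.append((m.group('ip'), m.group('path'), m.group('status')))
    return hits


# Constructed sample: one direct request from a WAN address (remote management
# enabled), two browser-originated requests from a LAN host carrying a referer
# (the CSRF case), and two benign requests. 'command_to_execute' is the thread's
# own placeholder, not a real command.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2009:12:00:01 +0000] "GET /cgi-bin/;command_to_execute HTTP/1.1" 200 0 "-" "curl/7.19"',
    '192.168.1.20 - - [10/Jul/2009:12:00:02 +0000] "GET /cgi-bin/%3Bcommand_to_execute HTTP/1.1" 200 0 "http://attacker.example/page.html" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Jul/2009:12:00:03 +0000] "GET /cgi-bin/%253Bcommand_to_execute HTTP/1.1" 200 0 "http://attacker.example/page.html" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Jul/2009:12:01:00 +0000] "GET /cgi-bin/status.cgi?page=1 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Jul/2009:12:01:05 +0000] "GET /images/logo.gif HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"suspicious cgi-bin request from {ip}: {path} (status {status})")
```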

    1. Re:Worse than that by Lumpy · · Score: 1

      disable http.

      only use https for router config access.

      All of a sudden the attack vector is useless.

      --
      Do not look at laser with remaining good eye.
    2. Re:Worse than that by michaelhood · · Score: 1

      Congrats on not understanding how the internet works.

    3. Re:Worse than that by hoosbane · · Score: 2, Informative

      Um... no. The URLs that break this work just as well over HTTPS. And the firewall rule they offer to protect against the hack won't protect the HTTPS port, so you're actually *more* vulnerable over HTTPS. Of course, the CSRF attack can be mitigated by just not using the default IP range for your router.

    4. Re:Worse than that by twistah · · Score: 2, Interesting

      Did you bother even reading the article? The code is in httpd.c, which obviously handled both types of connections. I almost hate SSL sometimes because people equate it with security -- but not encryption or integrity, but that somehow it's a magical fix-all for whatever the security flaw is. I see this kind of thinking in IT people in charge of the enterprise and it scares me. Security is not about having a setting enabled, and it certainly requires much more analysis than a simple dismissive suggestion.

    5. Re:Worse than that by noidentity · · Score: 1

      It's worse than a specially crafted image - there's a code injection flaw in the httpd server so merely accessing a URL that looks like "http://routerIP/cgi-bin/;command_to_execute" will do the trick.

      I tried to go to that URL but I just got a message "command 'command_to_execute' not found". Why doesn't it work?

    6. Re:Worse than that by twistah · · Score: 1

      I am guessing this was meant as a troll/joke, but you may have to actually put a real command in there.

    7. Re:Worse than that by tepples · · Score: 1

      only use https for router config access.

      Most home router owners can't afford $$$ per year for an SSL certificate for their routers. Or what am I fundamentally misunderstanding?

      Besides, let me fix the post to which you replied: It's worse than a specially crafted image - there's a code injection flaw in the httpd server so merely accessing a URL that looks like "https://routerIP/cgi-bin/;command_to_execute" will do the trick. That URL can be put in a malicious tag on an HTML page and the user most likely won't even notice it.

    8. Re:Worse than that by 0123456 · · Score: 1

      Most home router owners can't afford $$$ per year for an SSL certificate for their routers.

      Which is good. Because if anyone ever feeds you a malicious https:/// URL trying to hack your router, you'll get a bunch of dialog boxes coming up telling you that the certificate can't be validated... and you'll know something bad is going on.

      Basically, though, this is merely demonstrating again that web-based hardware admin is a really, really, really bad idea. It's an even worse flaw than my router which has a bug that allows any remote site to reconfigure DNS without a password by sending you a malicious URL (which, fortunately, can be worked around by not using the DNS server in the router).

    9. Re:Worse than that by egburr · · Score: 1

      I almost hate SSL sometimes because people equate it with security -- but not encryption or integrity

      Yeah, SSL really bugs me. Most of the time, I don't care about authenticating the server I'm connecting to. Most of the time, all I want is encryption between me and the server I'm talking with. In fact, unless I actually examine the certificate the server presented, my browser authenticating the server just tells me that the server has a certificate from a certificate authority my browser knows about. And all the warnings that recent versions of browsers generate when they receive a certificate they can't authenticate are just annoying.

      --
      Edward Burr
      Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
    10. Re:Worse than that by tepples · · Score: 1

      [Lack of a certificate for SSL to a home router] is good. Because if anyone ever feeds you a malicious https:/// [https] URL trying to hack your router, you'll get a bunch of dialog boxes coming up telling you that the certificate can't be validated... and you'll know something bad is going on.

      Then how do you get past the dialog boxes when you are trying to legitimately manage your router?

      Basically, though, this is merely demonstrating again that web-based hardware admin is a really, really, really bad idea.

      What protocol for administration of a home-office network appliance would you recommend, if not HTTP or HTTPS?

    11. Re:Worse than that by profplump · · Score: 1

      I agree that HTTPS will not solve this problem. But if you're paying $$$ you're paying too much. You can get 99+% of web users with certificates that cost $30/year or less.

      Moreover, if it's your own browser and your own computers, you can simply set up your own CA, add the CA cert to your local X.509 authority lists, and then issue as many certs as you'd like for $0. There's a small time investment if you don't already have OpenSSL set up and configured somewhere, but probably not even $30 worth if you know what you're doing. Or if you only need one certificate it can even be self-signed, so long as you only trust that particular certificate (as opposed to any self-signed certificate with the same CN).

    12. Re:Worse than that by j_sp_r · · Score: 1

      SSH. You only lose the fancy GUI.

    13. Re:Worse than that by tepples · · Score: 1

      SSH. You only lose the fancy GUI.

      And your competitor can use its fancy GUI as a bullet point against your product.

    14. Re:Worse than that by 0123456 · · Score: 1

      Then how do you get past the dialog boxes when you are trying to legitimately manage your router?

      You, uh, go through the dialog boxes and set a temporary exception for that session, then restart your web browser afterwards.

      What protocol for administration of a home-office network appliance would you recommend, if not HTTP or HTTPS?

      Anything that isn't hooked into a web browser by default: SNMP, for example. Firefox, at least, doesn't support snmp:// URLs.

    15. Re:Worse than that by 0123456 · · Score: 1

      And your competitor can use its fancy GUI as a bullet point against your product.

      And then your bank account details get stolen due to their flawed GUI and suddenly their product doesn't look too good anymore.

    16. Re:Worse than that by tepples · · Score: 1

      You, uh, go through the dialog boxes and set a temporary exception for that session

      If you train home users to go through the dialog boxes for a legit connection to the router, they'll go through the dialog boxes for a phisher.

      Anything that isn't hooked into a web browser by default: SNMP, for example. Firefox, at least, doesn't support snmp:// URLs.

      As I understand it, a graphical SNMPv3 client doesn't come with Windows, so what would the user use to configure the router for the first time?

    17. Re:Worse than that by wastedlife · · Score: 1

      Do you know how HTTPS works? Granted, your browser will give you a warning that it cannot verify your self-signed certificate against Verisign or any of the other SSL certificate issuers, but all you need to do is install the certificate when you connect the first time and it is no longer a problem. Also, unless you are worried that something else on YOUR network is spoofing your router, you can be reasonably sure that when you connect to "https://192.168.1.1/" or whatever that you are on a secure channel with your own router. Self-signed certificates are only defeated when you have no way to verify that they are who they say they are, not that the encryption is less secure.

      On the other hand, you are correct that HTTPS does not fix it in this case, because it has the same vulnerability. This doesn't invalidate the need for secure communications though.

      --
      Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
    18. Re:Worse than that by Anonymous Coward · · Score: 0

      Looks like you not only know how the internet works but how a router with https works.

      What are you a 13 year old n00b?

      https = warnings will pop up about a bad Certificate.

      DUH!

  4. Mod Parent Up by zarthrag · · Score: 2, Interesting

    You know, as much as I used to complain about the many different distros - you've got a damn good point.

    --
    Why can't all fpga/microcontroller manufacturers just release free optimizing compilers???
    1. Re:Mod Parent Up by TheLink · · Score: 2, Insightful

      Uh, they don't have to use different distros.

      If people just disabled remote admin (which you should do anyway) and used different router IPs (e.g. not 192.168.1.1 or the usual), then attackers either need to do additional stuff to figure out what your default gateway is (and thus presumably your router IP), or they need to have significant control of a PC attached to the internal network (and presumably able to access the router webpage).

      --
    2. Re:Mod Parent Up by Starayo · · Score: 2, Funny

      I traded my gamecube for a wii and bought a 360, and hooked them both up to my computer! :D

      --
      Ezekiel 23:20
    3. Re:Mod Parent Up by SCPRedMage · · Score: 2, Insightful

      DD-WRT leaves remote admin off by default, meaning that this vulnerability only affects those few people who thought they had some need for remote admin access.

      I'll also agree that people should change the subnet that their network uses, but if they already have "significant control" of a PC on the network, then what's the point in going after the router?

      --
      My sig can beat up your sig.
    4. Re:Mod Parent Up by Anonymous Coward · · Score: 0

      What about public WLANs?

    5. Re:Mod Parent Up by SCPRedMage · · Score: 1

      Such WLANs can, and should, be configured to not allow access to the DD-WRT config page.

      --
      My sig can beat up your sig.
    6. Re:Mod Parent Up by Sleepy · · Score: 2, Informative

      >If people just disabled remote admin (which you should do anyway)

      FYI, the exploit is Internet-ready even if you turn off remote management.

      It's in the article, if you read it. Webpages (or flash, etc) can just craft a request to exploit this and in the process, turn remote shell ON.

      Web-managed routers will always be LESS secure than router types managed via local telnet or ssh. Such designs are immune to browser and cross site attacks... but they're more difficult to manage for novice users, which is why these days only the serious and high-end routers lack web interfaces.

    7. Re:Mod Parent Up by TheLink · · Score: 1

      There were a few other words and sentences in my post, if you read it.

      --
    8. Re:Mod Parent Up by zarthrag · · Score: 1

      This sig gets me more flak...

      --
      Why can't all fpga/microcontroller manufacturers just release free optimizing compilers???
    9. Re:Mod Parent Up by douglips · · Score: 1

      Not true. If someone in a forum you visit adds to their post and you read it, your box is owned. Remote access not required, password access not required. It's a bad vulnerability.

  5. I'd download the patch but... by Anonymous Coward · · Score: 1, Funny

    my router keeps redirecting me to porn sites and scrolling "pWnD by c0d3k177y" in HTML marquee tags at the top of my browser.

    1. Re:I'd download the patch but... by Anonymous Coward · · Score: 0

      It means you should cancel your FARK account.

  6. Oh no! by AtomicDevice · · Score: 0, Flamebait

    Because attackers will certainly have difficulty cracking your crappy WEP key in 5 minutes or less, or guessing that your username and password is "linksys"/"admin".
    And it's only if you have web management enabled? Who does that anyways? "Yeah I like to change my wifi password from work sometimes, or maybe forward some ports without having to log into my home machine"

    --
    Ze Atomic Device! It iz Ztolen!
    1. Re:Oh no! by TheMeuge · · Score: 0, Redundant

      And the reason you cannot specify that only wired connections can access the management interface is what exactly?

    2. Re:Oh no! by ShadowRangerRIT · · Score: 1

      That does block the nastier exploit (explained below). But there is another vector which that doesn't address: commands issued *from* your browser. Steps:

      1. You visit a malicious webpage for one reason or another (read: porn, warez)
      2. The webpage contains a malicious resource request (I'm not clear on whether an img tag would be sufficient, but JS could definitely do it) that occurs on page load
      3. The request actually goes straight to your router, which interprets it as a perfectly legitimate management order

      The bigger exploit is if you enabled remote management. In that case you don't even have to turn on your computer, they can just directly access your router from the outside. But exploits that require you to visit a malicious link, in any common browser, are still serious.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
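A request-acceptance gate a router admin handler could apply against the browser-side vector in the three steps above, added as an example (not DD-WRT's httpd code): a state-changing request is honoured only if it is a POST (something an img tag or plain link cannot issue), its Origin/Referer, when sent, is the router's own admin origin, and it carries the per-session anti-CSRF token. The admin origins, header handling and token scheme are constructed assumptions; note this gates forged management requests only, and the unauthenticated cgi-bin path bug the thread describes still has to be fixed in the httpd's own request handling.

```python
"""CSRF gate for a router's web admin handler. Added example, not DD-WRT code.
ADMIN_ORIGINS and the token scheme are constructed assumptions."""
import hmac
import secrets
from urllib.parse import urlsplit

# Origins from which the router's own admin pages are served (constructed).
ADMIN_ORIGINS = {"http://192.168.1.1", "https://192.168.1.1"}


def issue_token(session_tokens: dict, session_id: str) -> str:
    """Mint a fresh anti-CSRF token for a logged-in admin session and remember it.
    The token is embedded in the admin form; a third-party page cannot read it."""
    token = secrets.token_hex(16)
    session_tokens[session_id] = token
    return token


def origin_of(url: str):
    """Reduce a Referer URL to scheme://host[:port]; None if it is unusable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def is_trusted_admin_request(method: str, headers: dict, form: dict,
                             session_tokens: dict, session_id: str):
    """Decide whether a configuration change may proceed.

    Returns (accepted, reason). Checks, in order:
      1. method must be POST: refusing GET defeats <img src=...> and bare links;
      2. Origin (or, failing that, Referer) must be the router's own origin
         when the browser sends one; a cross-site page fails here;
      3. the form must carry the session's anti-CSRF token, compared in
         constant time. A cross-site page that is somehow past 1 and 2
         (e.g. an old browser sending neither header) still fails without it.
    """
    if method.upper() != "POST":
        return False, "state change via GET refused"

    origin = headers.get("Origin")
    if origin is None and "Referer" in headers:
        origin = origin_of(headers["Referer"])
    if origin is not None and origin not in ADMIN_ORIGINS:
        return False, "cross-site origin"

    expected = session_tokens.get(session_id)
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong anti-CSRF token"

    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through of the three steps from the post above.
    sessions = {}
    tok = issue_token(sessions, "admin-session-1")
    # Step 2/3: a resource request fired by a malicious page lands on the router.
    print(is_trusted_admin_request("GET", {"Referer": "http://attacker.example/p.html"},
                                   {}, sessions, "admin-session-1"))
    # The same change submitted from the router's own admin form.
    print(is_trusted_admin_request("POST", {"Origin": "http://192.168.1.1"},
                                   {"csrf_token": tok}, sessions, "admin-session-1"))
```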
  7. it sucks...but by Em+Emalb · · Score: 1, Informative

    Bravo to them for owning up to it and also posting the fix on the same page.

    The interesting thing I've read a lot here is how vulnerable and worthless Microsoft is when it comes to security...but it seems the people that think this automatically point to Linux as being secure.

    Linux is somewhat secure, but a LOT of the security of linux is due to a limited (unfortunately) market share. If Linux owned 30% or more of the market space for end-user goods, we'd see a HUGE influx of hacks, malware, adware, etc.

    It flabbergasts me that people don't see this. The greatest thing Linux has going for it is the collaboration and freedom of the code. With that freedom comes the ability to exploit it. Wait til market share gets larger, it'll start to happen a lot more than the rare article here and there. The good news, though, is again, they identified the problem AND THE FIX on the same page. (Something MS has to be drug kicking and screaming along in order to do that)

    --
    Sent from your iPad.
    1. Re:it sucks...but by Anonymous Coward · · Score: 0

      Post faster, friend. Your comments are wasted so far down in the thread.

    2. Re:it sucks...but by Anonymous Coward · · Score: 2, Insightful

      Linux is somewhat secure, but a LOT of the security of linux is due to a limited (unfortunately) market share. If Linux owned 30% or more of the market space for end-user goods, we'd see a HUGE influx of hacks, malware, adware, etc.

      Exactly - that's the same reason why there are so many malware authors targeting Apache!

      Oh wait..

    3. Re:it sucks...but by mini+me · · Score: 1

      LOT of the security of linux is due to a limited (unfortunately) market share

      Well, it is hard to compete with Apple's 91% market share.

    4. Re:it sucks...but by jabjoe · · Score: 1

      I don't buy the market share argument. Linux is already very widely spread, just not on the desktop. It should be a target for hacks now as the many web servers running it should be juicy targets.

      Also, because of package management, malware and adware is never going to be an issue, not unless you add an infected repository. My bet is most "normal" linux users don't add repositories anyway. They just think of add/remove software as if it was a less polished iStore. They don't install stuff from any random place, and chances are don't know how to.

      The old home-use admin-login issue, I admit, isn't as fair to shout windows down for anymore as steps have been taken as of Vista to address this weakness.

      Your second argument is that open source is going to be less secure. This is a big debate. One I think the open source guys have all but won. "Security via obscurity is no security at all." etc etc. I go with that because if a company thinks no one knows, or will know, I doubt they will fix it, it's a cost analysis thing. Whereas when someone finds an open source one, they shout about it, which is fine, they deserve the cred.

    5. Re:it sucks...but by Em+Emalb · · Score: 1

      just not on the desktop

      This is what I was talking about, for the record. Hopefully I'm wrong. Hopefully linux will overtake MS and be the future of the desktop, we'll see. But if linux is the future, it will need to be more secure as more and more non-technical people use it. According to the latest market share report, linux has 1% of the desktop market. 1%.

      --
      Sent from your iPad.
    6. Re:it sucks...but by Anonymous Coward · · Score: 0

      For those too lazy to click on the article, that figure is specifically "retail computers that are over $1000". In other words, it doesn't include any reasonably priced retail PC or any power-users who build their own computers that come to totals over $1000. It's a meaningless statistic.

    7. Re:it sucks...but by tepples · · Score: 1

      LOT of the security of linux is due to a limited (unfortunately) market share

      Well, it is hard to compete with Apple's 91% market share.

      This isn't market share; it's a niche. The 91 percent figure is among desktop and laptop computers whose MSRP is greater than 1000 USD. But even if all expensive computers were hardened against such exploits, the majority of computers aren't expensive.

    8. Re:it sucks...but by jabjoe · · Score: 1

      I, and no doubt many others, would argue it is more secure. If anything it's even more secure for non-technical people as they aren't going to stray from the standard software repositories. At the moment, many many many many non-technical people use Windows, as admin, with little security settings, installing software from all over the place. That is just asking for the huge bot nets we have. Worse is that almost all of what security there is, is closed, so at least partly, operating on security via obscurity.

      This is not just about market share.

      More market share would be nice, but for that, people need to learn about computers not Windows, word processing, not Word, spreadsheets not Excel, etc etc, and that requires a change of mind set. Linux will never be a better Windows. It's a whole new mind set. If it's import the Windows mind set or stay small, I say stay small. However, I do feel 1% doesn't reflect reality, but maybe I live/work in a technical bubble.

    9. Re:it sucks...but by kirillian · · Score: 1

      Wow...within a paragraph after stating that you don't buy the claim that Linux would be less secure if widespread, you point out an extremely simple flaw to exploit - the repositories. Not only could someone just put up an infected repository, but after gaining control of a system in the first place, a hacker could inject their own repositories into the infected computer's list as a secondary means of updating their code or adding extra infections. If someone hasn't already attacked from this angle, I'd be surprised...

      Point is, the problems with Linux do exist. Linux really is a case of security by obscurity...Perhaps that's actually a reason to promote it? With all the different distros, it provides a lesser chance of a hacker being able to find an attack vector that compromises most systems (unless it's a kernel specific exploit).

    10. Re:it sucks...but by ctaranto · · Score: 1

      Whoosh!

    11. Re:it sucks...but by wastedlife · · Score: 1

      Not only could someone just put up an infected repository,

      At which point the user would need to add the repository themselves. The average user will use only the default repositories, which are far more secure than downloading the applications you want from random websites.

      but after gaining control of a system in the first place, a hacker could inject their own repositories into the infected computer's list as a secondary means of updating their code or adding extra infections.

      This argument is moot. After gaining control of any system, the "hacker" could do whatever the hell they want. This is the point where you are fucked, doesn't matter whether it is windows, linux, mac, or a toaster. Adding an infected repository would actually be easier to fix than if they installed a rootkit that runs invisibly to most of the system.

      Linux is far from security by obscurity. It is only obscure on the desktop. In server rooms and especially on web servers it has a huge market share. There is no "linux home edition" that is running a very different base system like there is with windows.

      --
      Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
    12. Re:it sucks...but by wastedlife · · Score: 1

      Linux on the desktop is the same as linux on the server. While the workload and applications might be different (often called the userland), the base system is very much going to be the same. Also, the security model is the same. I feel one thing keeping standard users from using it is that the security model is so much different than what they are used to. Look at the backlash against Vista. Much of it was due to the different security model that is very similar to how many of the more popular linux distributions behave. In essence, it is/was common practice in Windows to run as an administrative account ALL of the time. This means anything you do has nearly unlimited access to the rest of the system. This is why a flaw in image viewer code in Internet Explorer can infect an entire computer. In most linux distributions, you cannot even log into the desktop environment (gui) as root (administrator account). Also, when you need to install something or make a change that you need administrator access for, you will be prompted for your password and the administrator account will be invoked. This is slightly different from (and, in my opinion, better than) UAC in Vista where you run as an administrator but your privileges are limited until it prompts you to do something with the full rights. For one, not needing to enter your password means that users get accustomed to just clicking OK when the prompt comes up. Anyway, the idea is still similar and is a big part of why Vista is far more secure than XP in standard use. Another reason is that MS has actually put a heavier emphasis on coding securely to begin with, which linux has been keeping an emphasis on for much longer.

      --
      Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
    13. Re:it sucks...but by mini+me · · Score: 1

      All market share statistics are meaningless.

    14. Re:it sucks...but by mini+me · · Score: 1

      The $1000+ computer market is a market as much as any other market you might want to look at. The point I was raising is that there is no one market.

      For example, Windows only dominates one specific market. Windows is small peanuts if you are looking at every single computer in existence.

  8. Re:wtf is a DD-WRT? by Anonymous Coward · · Score: 0

    It's a third party firmware for most wireless routers. So, it affects whatever devices YOU install it on

  9. Re:wtf is a DD-WRT? by Hatta · · Score: 1

    Your statement is exactly analogous to this one:

    What the hell is a linux? Can someone find a list of actual computers that are affected by this instead of speaking in geek terms?

    If you had dd-wrt, you would know.

    --
    Give me Classic Slashdot or give me death!
  10. Re:wtf is a DD-WRT? by Pulse_Instance · · Score: 4, Informative

    DD-WRT is custom firmware that supports more than 200 different devices. This page will tell you if your device is supported. Someone who wants to use DD-WRT needs to get one of those devices and then install this firmware. To answer your question: no, someone cannot find a list of actual routers that are affected by this. It is likely, though, that only geeks have it installed, and that means that it is more likely that they will patch it.

  11. Does this affect the non-wireless router? by improfane · · Score: 0, Offtopic

    I have the non-wireless version of this router (BEFSR41)

    Does anyone know if it affects that too?

    --
    Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
    1. Re:Does this affect the non-wireless router? by Anonymous Coward · · Score: 1, Insightful

      Well, that depends if you installed DD-WRT on it. If you did, then you're affected. If you have the Linksys firmware, then you're not.

    2. Re:Does this affect the non-wireless router? by nitsew · · Score: 1

      I have the non-wireless version of this router (BEFSR41)

      Does anyone know if it affects that too?

      It will only affect routers that have the DD-WRT firmware loaded on them. You have to load that firmware yourself, so you would more than likely know if this flaw affected you.

    3. Re:Does this affect the non-wireless router? by ShadowRangerRIT · · Score: 2, Insightful

      If you installed DD-WRT, yes. This has nothing to do with any technical specs on the router; it's a software processing bug that is exploitable either via an incoming connection from the internet (if remote management is enabled) or if any local user accesses a carefully crafted malicious website.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    4. Re:Does this affect the non-wireless router? by mouseblue · · Score: 1

      You have to re-flash the firmware to install DD-WRT (or Tomato, Open-WRT, etc).

      I don't even see your device listed here: http://www.dd-wrt.com/wiki/index.php/Supported_Devices

      It's mostly Broadcom or Atheros chipset WiFi routers that are supported.

    5. Re:Does this affect the non-wireless router? by improfane · · Score: 1

      I have Tomato on my outward inner router but this doesn't seem to be affected as it's based on Linksys' own firmware.

      --
      Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
  12. DD-WRT !GPL Compliant (or open source) by Anonymous Coward · · Score: 5, Informative

    DD-WRT just isn't compliant with the GPL on so many levels. Calling it an "open source" firmware is a lie and a disgrace to the open source community.

    The open source parts are OpenWRT.

    1. Re:DD-WRT !GPL Compliant (or open source) by Anonymous Coward · · Score: 5, Informative

      DD-WRT is Harmful to open source

    2. Re:DD-WRT !GPL Compliant (or open source) by Anonymous Coward · · Score: 0

      That dude may have some good points, but something about his writing bugged me.

      Nevertheless, thank you for the link, it was an interesting read.

    3. Re:DD-WRT !GPL Compliant (or open source) by bcrowell · · Score: 1

      Okay, so I'm ready to switch to Gargoyle (a downstream version of openwrt with an easier web interface) or Tomato. Any opinions?

  13. Please look at this picture ... by janwedekind · · Score: 5, Interesting

    ... to add a firewall-rule fixing this issue.

  14. Re:wtf is a DD-WRT? by nitsew · · Score: 1

    what the hell is a DD-WRT? Can someone find a list of actual routers that are affected by this instead of speaking in geek terms?

    Dude... This is Slashdot. What did you expect? :) This should have all of the information you need: http://www.google.com/search?source=ig&hl=en&rlz=&=&q=dd-wrt&aq=f&oq=&aqi=g10

  15. Re:wtf is a DD-WRT? by Anonymous Coward · · Score: 1, Informative

    If you don't know what dd-wrt is, then you are not affected. Those who have it installed it themselves. There are also a few companies selling routers pre-flashed with dd-wrt, but again their market isn't the average Joe. By the way, Google is your friend.

  16. It's "homogeneity" by Merdalors · · Score: 2, Informative
    We have to nip this in the bud: it's "homogeneity" (Webster, Oxford)

    Sorry about that.

    --
    Slashdot entertains. Windows pays the mortgage.
    1. Re:It's "homogeneity" by BadAnalogyGuy · · Score: 4, Funny

      langs morf. get use 2 it.

    2. Re:It's "homogeneity" by AP31R0N · · Score: 1

      Should be modded insightful.

      Gods damned descriptivists.

      --
      Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
    3. Re:It's "homogeneity" by egburr · · Score: 1

      No. Languages may morph, but that is not a good excuse for looking like a lazy idiot. Typing text messages on a cell phone is a pain, but when you have a full keyboard there is no excuse for such lazy spelling.

      I have noticed, however, that all the phonics being taught in school are really making a mess of my kids' spelling abilities. They learn one way to spell a sound, and then all words with that sound must be spelled that way. Maybe it's a good thing to get all those annoying silent letters to disappear.

      --

      Edward Burr
      Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
    4. Re:It's "homogeneity" by LingNoi · · Score: 1

      Don't make the mistake in thinking that people don't read and comment on slashdot from mobile phones.

  17. Sorry to see you go by Anonymous Coward · · Score: 4, Funny

    Greetings, I am a Linksys customer service representative. While I'm sorry to hear that you'll be leaving us, I'd like to remind you that if you have to wait for your paycheck in order to purchase a piece of home networking equipment, perhaps navigating Flash-based websites is the least of your worries. Have you considered going back to school?

    1. Re:Sorry to see you go by Anonymous Coward · · Score: 0

      Greetings, I am a Linksys customer service representative. While I'm sorry to hear that you'll be leaving us, I'd like to remind you that if you have to wait for your paycheck in order to purchase a piece of home networking equipment, perhaps navigating Flash-based websites is the least of your worries. Have you considered going back to school?

      What does going back to school have to do with being able to afford a piece of home networking equipment? I myself will have to wait to purchase another WRT54GL until payday. I am a Network Engineer with over 15 years under my belt, multiple certs (CCNP/MCSE/A+/NET+ to name a few), and a bachelor's in chem engineering. School has NOTHING to do with being able to purchase a piece of networking equipment or not. As a Linksys CSR you should know this, as many of my clients have called and had numerous pieces of equipment replaced through your company. Your company policy is mostly: pay for a new one, cross-ship, refund. You do not provide shipping cost for a broken router or wireless G cards; the end user is expected to. How many phone calls have you had where the user doesn't want to pay for it, or can't until.......... payday???? Chances are, if you have worked there long, A LOT of calls are in this manner. So please do not belittle someone because of not having money to purchase something. It really has nothing to do with schooling / not enough schooling, rich / poor. It happens to all of us, bub.

      Acid~

  18. Congrats on taking almost 4 days to post this! by Anonymous Coward · · Score: 1, Interesting

    I submitted this story more than 72 hours ago. It's been public knowledge for at least 96 hours. I know this isn't strictly a security site, but c'mon! Four days is too long for a remote exploit on one of the most widely deployed consumer router platforms.

  19. This issue is way overblown. FUD by Anonymous Coward · · Score: 0, Redundant

    This only affects users who enabled remote web management, which is turned off by default. Remote web management is a setting that lets you access and change settings over the Internet, which would be stupid to turn on in the first place except under special circumstances (i.e., the router was behind other routers and you needed to change settings remotely).

    FURTHERMORE, it only affects http, NOT https.. and if you are configuring network infrastructure settings or router passwords without a secure connection over the Internet, you shouldn't be managing networks.

    It is a security issue, but this is way overblown. It's not going to affect 99.999% of the userbase. I wish whoever submitted this FUD would have actually read the article or understood the problem.

    1. Re:This issue is way overblown. FUD by abcabcabc · · Score: 3, Informative

      Nope, it affects https as well. Furthermore, it does not require remote web management since the attack can be carried out via CSRF.

    2. Re:This issue is way overblown. FUD by Anonymous Coward · · Score: 0

      Forgot to say.. you can be affected by internet sources if you use http for the internal web management (a default). So.. if you get a remote site to have a browser on the internal network display a malicious image, yea you are in bad shape.

      Resume panicking! This is bad.

    3. Re:This issue is way overblown. FUD by jafiwam · · Score: 1

      Huh? With a URL in a web page the request comes from the browser run by the person sitting inside the network.

      How is that a "remote web management" issue? Remote web management would allow a login attempt from anywhere on the internet.

      This attack does not need that.

      I think YOU need to go re-read the article and come back and explain how a URL on an internal machine is going to try to connect to the external interface of the router (which is what "remote web management" does: turns on the WAN interface to accept logins).

  20. How did this happen? by MobyDisk · · Score: 5, Interesting

    The bug resides in DD-WRT's hyper text transfer protocol daemon, which runs as root.

    Whhaaat??? And the command looks like:

    http://routerIP/cgi-bin/;command_to_execute

    Whhaaat???

    This is a bug even Adobe would be ashamed to admit. An http server, running as root, accepts arbitrary commands, without authentication, embedded in a URL? That's not a bug, that's... that's a design flaw... no... that's... unbelievable!

    Is there a legitimate reason that the http daemon runs as root? (It is for embedded devices...) Or that commands are accepted over HTTP GET like that?

    1. Re:How did this happen? by Minwee · · Score: 1

      An http server, running as root, accepts arbitrary commands, without authentication, embedded in a URL? That's not a bug thats... that's a design flaw... no... that's... unbelievable!

      Actually, that's how the new firmware got on the router in the first place.

      Seriously, look it up.

    2. Re:How did this happen? by Anonymous Coward · · Score: 0

      It's an embedded device. Specifically, it's the web interface for a router. It pretty much needs to run as root, so it can screw around with the device setup.

      The bug is that it doesn't validate the URL properly. To execute a CGI script, it obviously goes through the shell, and passes everything after /cgi-bin/ directly. The ; is interpreted by the shell as the end of one command, and it then runs whatever command was sent to it.
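
The mechanism the comment above describes, as an added example that is not DD-WRT's code and is not part of the original thread: a function that pastes the URL tail after /cgi-bin/ into a command string destined for system() (so a ';' in the URL becomes a second shell command), next to an allowlist check and an argv builder for execv() that never hands the bytes to a shell. The directory /www/cgi-bin/, the function names and the 64-character name limit are assumptions made for this demo, not DD-WRT identifiers.

```c
/* Added illustration, not DD-WRT's code. CGI_DIR, the function names and
 * the 64-char limit are assumptions for the demo. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CGI_DIR    "/www/cgi-bin/"   /* assumed script directory */
#define CGI_PREFIX "/cgi-bin/"       /* URL prefix that selects a CGI */

/* Vulnerable pattern: everything after /cgi-bin/ is pasted into a command
 * string that the caller would hand to system(), i.e. to /bin/sh. The shell
 * treats ';' as a command separator, so "/cgi-bin/;reboot" becomes
 * "/www/cgi-bin/;reboot" and the second word runs with the daemon's
 * privileges (root, in the case discussed in the thread). */
int build_cgi_command_vulnerable(const char *url, char *out, size_t outlen)
{
    if (strncmp(url, CGI_PREFIX, strlen(CGI_PREFIX)) != 0)
        return -1;
    int n = snprintf(out, outlen, "%s%s", CGI_DIR, url + strlen(CGI_PREFIX));
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    /* original code would then do system(out); deliberately not done here */
}

/* Hardened check: a CGI script name may only consist of [A-Za-z0-9._-],
 * must be non-empty, must not start with '.' (which also blocks "..") and
 * contains no slashes or shell metacharacters. Anything else is rejected
 * before it is used for anything. */
int cgi_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened dispatch: strip the query string (a CGI gets it via the
 * QUERY_STRING environment variable, not argv), validate the bare name,
 * then build an argv for execv() so no shell ever parses attacker bytes.
 * Returns 0 with argv[0] = full path and argv[1] = NULL, or -1 if rejected. */
int build_cgi_argv_safe(const char *url, char *path, size_t pathlen, char *argv[2])
{
    if (strncmp(url, CGI_PREFIX, strlen(CGI_PREFIX)) != 0)
        return -1;
    const char *name = url + strlen(CGI_PREFIX);
    char clean[65];
    size_t n = strcspn(name, "?");
    if (n >= sizeof clean)
        return -1;
    memcpy(clean, name, n);
    clean[n] = '\0';
    if (!cgi_name_is_safe(clean))
        return -1;
    int w = snprintf(path, pathlen, "%s%s", CGI_DIR, clean);
    if (w < 0 || (size_t)w >= pathlen)
        return -1;
    argv[0] = path;
    argv[1] = NULL;
    return 0;
    /* caller would fork(), drop privileges, then execv(argv[0], argv) */
}

int main(void)
{
    char cmd[256], path[256];
    char *argv[2];
    const char *evil = "/cgi-bin/;reboot";

    if (build_cgi_command_vulnerable(evil, cmd, sizeof cmd) == 0)
        printf("vulnerable build would run: system(\"%s\")\n", cmd);
    printf("safe build rejects it: %s\n",
           build_cgi_argv_safe(evil, path, sizeof path, argv) == -1 ? "yes" : "no");
    if (build_cgi_argv_safe("/cgi-bin/status.cgi?x=1", path, sizeof path, argv) == 0)
        printf("safe build accepts: %s\n", argv[0]);
    return 0;
}
```

The vulnerable builder yields /www/cgi-bin/;reboot, which is exactly the string /bin/sh would split at the semicolon; the safe builder refuses it and only passes names matching [A-Za-z0-9._-] on to execv(), where argv words are never re-parsed. The other fix the thread raises, not running the daemon as root, is independent of this: even a validated CGI should be executed after privileges are dropped.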

    3. Re:How did this happen? by nmos · · Score: 1

      This is a bug even Adobe would be ashamed to admit.

      Some of the DSL modems around here (I think it's the 2-Wire brand) had a similar bug. Basically if you know the exact url of one of the modem's built in commands you can bypass the admin password.

    4. Re:How did this happen? by tibman · · Score: 1

      I agree, it's an unbelievable mistake..

      but if it was intentional, that my friend, is believable. An excellent backdoor.

      --
      http://soylentnews.org/~tibman
    5. Re:How did this happen? by Eil · · Score: 3, Insightful

      It's one of the reasons I don't use DD-WRT. For an Internet-facing security device, the author seems to have little regard for security.

      Also, the firmware isn't really open source and the author is a humongous hypocrite.

      Use Tomato or OpenWRT.

    6. Re:How did this happen? by Anonymous Coward · · Score: 1, Informative

      I have a Linksys 350N. Aside from Tomato's confusing website (Firefox? Japanese?) it isn't supported. OpenWRT looks like it has support for bricking the router.. great..

      WARNING: Flashing the pre-build openwrt-wrt350n_v1-squashfs.bin from downloads.openwrt.org could very well disable all ethernet ports on the router, forcing you to install a serial port to recover.

      I've been using DD-WRT on this router for years and the open source firmware maintainers still can't get their shit together. Don't worry though, keep complaining about the freedom DD-WRT gives me when you don't even offer the same level of service.

    7. Re:How did this happen? by adolf · · Score: 1

      And this, boys and girls, is why fanboys and firmware don't mix.

  21. Re:Linksys suck by ShadowRangerRIT · · Score: 2, Insightful
    Wait, what? Are you against the Linksys website or their routers? Of all the reasons to reject a router, poor corporate website design is not that high on my list of priorities:
    1. Security
    2. Compatibility
    3. Ease of use
    4. Performance
    5. ...
    6. Corporate website design

    Feel free to hate Linksys for any of the other reasons. I was royally pissed off for a long time by the relentless router reboots caused by poor interaction between the logging mechanism and BitTorrent; thankfully they released fixed firmware for that a few years ago. But I'm not going to drop them just because they overuse Flash.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  22. NoScript! by WD · · Score: 2, Informative

    NoScript actually mitigates this vulnerability. The ABE feature, in particular:
    http://noscript.net/abe/

    So although I added the firewall mitigation in dd-wrt, I was pleased to find that NoScript blocked the CSRF request before it even got to the router.

    1. Re:NoScript! by Vectronic · · Score: 2, Informative

      That might help some, but what about:
      1. Places that have 40 computers, running 3 different browsers.
      2. Your friend/relative that comes over with their laptop
      3. Embedded browsers in applications (even if they use your FF/Gecko does it load NoScript for those?)
      4. That time you disabled NoScript cause something was "all fucked up", and you may as well "test"
      5. What if someone got to the NoScript update servers?
      6. ???
      7. Loss of profit!

    2. Re:NoScript! by Anonymous Coward · · Score: 0

      ABE only works if you click a malformed link; NoScript is useless against an img tag, I tried it myself.

  23. An easy work around by jafiwam · · Score: 1

    An easy work around for this is make the router URL IP address on the LAN side not easily predictable.

    Stick it somewhere in the 10. private IP space block and any code injection not also stumbling on the correct URL will instead get a "Server not found" error.

    This will vastly reduce the chances of getting hit by any future as of yet undiscovered security problems using a URL, updated patches or not.

    1. Re:An easy work around by robo_mojo · · Score: 1

      An easy work around for this is make the router URL IP address on the LAN side not easily predictable.

      Both the LAN and WAN IP addresses can be used to access the router's interface, and the WAN IP is not a secret to the attacker.

    2. Re:An easy work around by Tau+Neutrino · · Score: 1

      Nope. From the LAN side, only the LAN address works. From the WAN side, only the WAN address works, and then only if the router is set up to expose the management GUI to the outside. That requires changing the default settings, and an extra helping of dumb.

      --
      Lemmings are silly; dinosaurs are extinct.
    3. Re:An easy work around by robo_mojo · · Score: 1

      Nope. From the LAN side, only the LAN address works. From the WAN side, only the WAN address works, and then only if the router is set up to expose the management GUI to the outside.

      The WAN address does work from the LAN side as well, whether remote management is enabled or not. A quick test confirms this, on both the old and new firmwares.

    4. Re:An easy work around by Tau+Neutrino · · Score: 1

      On both of mine, a quick test refutes this. No access to the WAN address from the LAN.

      --
      Lemmings are silly; dinosaurs are extinct.
    5. Re:An easy work around by SomeGuyFromCA · · Score: 1

      My external IP works from inside too.

      Wow. This is the first time that that old fearmongering "Your computer is BROADCASTING an IP ADDRESS!" ad makes sense. :V

      --
      if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
  24. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  25. DD-WRT is a lie! by Anonymous Coward · · Score: 0, Informative

    Some jackass named brainslayer stole the openwrt source code, wrote a dinky (and obviously poorly written) web interface for it and branded the whole thing as "his" and probably said fuck the gpl and the golden goose it rode in on.

    See: http://www.bitsum.com/about-ddwrt.htm

    1. Re:DD-WRT is a lie! by Anonymous Coward · · Score: 1

      After reading your link, the only jackass is the GNU zealot who thought it would be a good idea to enter the #dd-wrt IRC channel and cause a disturbance; the rest of it is whining about him being banned for trolling the channel and trying to justify it.

      Also, I had to laugh at your comment that dd-wrt is poorly written, because for a long time (I don't know if it's better now) OpenWRT was horrible and never worked on almost any routers, while dd-wrt ran great (and still does).

  26. Re:Linksys suck by ShadowRangerRIT · · Score: 3, Informative

    If you paid even a lick of attention to TFA, you'd note that this is a vulnerability in third party software. If you've got stock firmware, you don't need to update, and if you don't have stock firmware, you couldn't get the update from Linksys anyway.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  27. Security through obscurity works. by TheLink · · Score: 3, Interesting

    I disagree. Security through obscurity works.

    For example: in this case, if you had already changed your router's IP address, it would be harder for the attackers to figure it out. For example, if you use 10.35.79.184, the same URL that can exploit thousands of other dd-wrt routers (e.g. http://192.168.1.1/etcetc ) won't work on your router. So there has to be an attack specifically targeting you[1]. Which rarely happens unless you're famous or have made yourself infamous (or well-hated amongst hacker circles).

    So you have more time to update your router or even have time to wait to see if the updates don't break other stuff first.

    You're not as vulnerable to zero-day attacks as other people.

    Same goes for running sshd servers on a different port. I could use port knocking or other stuff, but so far running it on a different port works well enough for me.

    I actually have my sshd server bound on an IP and port that's unreachable from outside, and my firewall has a rule to forward outside connections to it. This way if a mistake happens and my firewall rules get disabled/cleared, ssh and other crap from outside won't work.

    [1] If a top hacker was targeting you specifically, they'd probably be able to pwn you.

    For example:
    1) I'm sure there are many zero-day browser/plugin exploits left (just look at how fast the pwn2own winners pwn stuff - they just sacrifice one of the zero-day exploits they have).
    2) I doubt most ISPs have locked their BGP stuff down, so the attackers could use "BGP eavesdropping/prefix attacks" to hijack your connections.

    With 1) and 2) you'd be merrily browsing your usual sites and pwned without noticing a thing- the hacker would just pass most of the traffic on, and just alter one or two connections to exploit the relevant browser bug.

    1. Re:Security through obscurity works. by un1xl0ser · · Score: 1

      It is trivial to write a script (on Windows or Unix) to simply attack the default gateway. Hopefully, that is what they do as opposed to using the default configuration, but maybe they aren't so cl3v4r.

      --
      v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
    2. Re:Security through obscurity works. by element-o.p. · · Score: 2
      As an additional layer in your security regimen, you bet. As security by itself, no way...which seems to be pretty much what you are saying, only you just didn't say it directly. As you said...:

      For example: in this case if you had already changed your router's IP address, it would be harder for the attackers to figure it out. For example if you use the 10.35.79.184, the same url that can exploit thousands of other dd-wrt routers (e.g. http://192.168.1.1/etcetc ), won't work on your router...So you have more time to update your router or even have time to wait to see if the updates don't break other stuff first.

      However,...:

      Same goes for putting running sshd servers on a different port...but so far running it on a different port works well enough for me.

      Of course, all it would take for someone to discover that you were running sshd on an alternate port would be to run "nmap -sV -p1-65535" on your IP address. However, that is time consuming, and most hackers are after the low hanging fruit, so instead they "nmap -sV -p22 1.2.3.0/24" (for example). However, as you said, if someone was targeting you specifically, all bets are off.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    3. Re:Security through obscurity works. by TheLink · · Score: 1

      But if the attacker already controls a computer on the internal network, there's already so much more the attacker can do, in addition to pwning your router.

      Whereas if the attacker is outside and only trusted machines are on the internal network, the attacker needs to guess or determine the IP address of your router, in order to get your browser to attack your router (or get your computer to do that by some other means). This is only trivial if the routers are using addresses like 192.168.1.1 and 10.1.1.1 etc.

      Otherwise I am not aware of a trivial way to do that. If you know, do let me know.

      I do know you can determine stuff like the browser's IP address if you have access to the relevant activex stuff. But it does not seem easy with just javascript alone. Examples from google search are either stuff that's plain wrong or a javascript+java example that gives 127.0.0.1 on my browser (I suspect if you can loosen up the java restrictions it'll return a more useful ip address - that's what the relevant docs say anyway, but by default it's 127.0.0.1).

      The javascript portscanning scripts I'm aware of all require the attacker to specify a network range.

      e.g. http://michaeldaw.org/projects/jsscanner

      So if you can work out a good way to do it on popular browsers that just requires "default browser config", you might have your 15 minutes of fame :).

  28. The nasty "loses all settings" DDWRT bug by Anonymous Coward · · Score: 0

    I know its not a security setting, but this one bug that the DDWRT team won't admit to keeps me from using it. Here's the discussion:
    http://www.dd-wrt.com/phpBB2/viewtopic.php?t=8895&postdays=0&postorder=asc&start=255

    I got bit by that a few times, and reflashed to Tomato and haven't had ANY problems. Now, I know the DDWRT team claims it's not a bug with their software, but rather an oddity with the hardware. Sooooo, if it ONLY happens on their build, and NEVER has happened to me on Tomato... sure sounds like it could be fixed in software....

  29. This is not true by IsaacD · · Score: 0

    there is no such thing as a "flaw" in Linux.

    1. Re:This is not true by 0123456 · · Score: 1

      there is no such thing as a "flaw" in Linux.

      And this isn't a flaw in Linux: it's a poorly-configured web-server that does stupid things as root. That's no more a flaw in Linux than logging into the console as root and getting the system infected by malware when someone sends you the latest 'naked hot chick' screensaver.

  30. Sheesh, go RTFA by John+Whitley · · Score: 0

    People, you're getting your knickers in a twist over a fault that only occurs, per TFA, when:

    The exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab.

    That is, you not only have to have installed custom firmware on your router, but you have to be sufficiently non-paranoid to have exposed its admin interface to the open Internet. Yes, people should patch it, but really... YAWN.

    1. Re:Sheesh, go RTFA by Tacvek · · Score: 2, Informative

      It can only be remotely exploited in that case. However, it can be exploited locally if you load any page that has a tag of the form <img src="http://192.168.1.1/cgi-bin/;reboot">, replacing 192.168.1.1 with your router's actual IP and the reboot command with whatever command is desired. So if you visit any webpage in any browser and you don't have the browser set to not load images from another domain, you can be exploited.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    2. Re:Sheesh, go RTFA by John+Whitley · · Score: 1

      Right, all excellent points. Also, I neglected the even more straightforward scenario of internal attackers. Sigh. Note to self: don't reason about computer security before being truly awake. ;-)

  31. Internal or External IP by haplo21112 · · Score: 1

    I went over the details one thing I am confused about is in this situation is the internal or External IP of the router that is Key here?

    --
    Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
    1. Re:Internal or External IP by Anonymous Coward · · Score: 0

      Either. See other people's comments talking about using things like on a publicly accessible web page.

      You can keep going over the details, but what you should be doing is installing a different firmware (Tomato comes to mind). Most of DD-WRT's code is complete and utter garbage (this is not me talking out of my ass -- go look at it), so there are more than likely other bugs of this sort as well.

      DD-WRT owners should also be made aware of Sebastian Gottschall's official statement on the bug, which was: "consider that this exploit was released without any report to us". Wow, that really inspires confidence in his ability to take responsibility for such a major mistake. A more appropriate response would have been: "Our code is crap, we know it, and we need more security-conscious people to help us clean it up. We're sorry for the mistake. Please help us make this open-source project better".

    2. Re:Internal or External IP by Anonymous Coward · · Score: 0

      It can be either. I have been looking at this all morning because I have these devices everywhere. Since firmware updating all of these would take forever, I decided to temporarily disable the web server and remote management until I can update them. I was able to run commands without authentication from outside AND inside.

      If you telnet/ssh into the router, you can perform the following commands to disable the web server and remote management:

      nvram set http_enable=0
      nvram set https_enable=0
      nvram set remote_management=0
      nvram set rmt_management_https=0
      nvram commit
      reboot   # nvram has no "reboot" subcommand; reboot is its own command

      If you need to make changes, you can reenable it (https) by:

      nvram set https_enable=1
      nvram set remote_management=1
      nvram set rmt_management_https=1
      nvram commit
      reboot   # as above, reboot is a separate command, not an nvram subcommand

    3. Re:Internal or External IP by Anonymous Coward · · Score: 0

      Oh yeah, just be sure you leave ssh or telnet enabled somewhere or you won't be able to get back into it.. :)

    4. Re:Internal or External IP by InvisiBill · · Score: 1

      I went over the details one thing I am confused about is in this situation is the internal or External IP of the router that is Key here?

      If you have remote (Internet) management enabled, an attacker can simply run the command remotely against your router. If you do not have remote management enabled (the default), then the attacker needs to get you to run the command from your LAN by embedding the command into a webpage which you would browse to. That would be the <A HREF="http://192.168.0.1/webmanagementinterface/ownyourfrakkingrouter.pl">Hey, since you're inside your network and able to access the web interface directly, why don't you click on this for me?</a> example from above.

      Changing your router's IP just breaks that one link. However, there are a number of ways to find your router's IP, or simply brute force it and include a bunch of links to common IPs. Changing your IP from 192.168.0.1 will give you a little more security, as it's one less "default" setting, but you're still 100% vulnerable to the actual issue. Using something other than 192.168.0.x or 192.168.1.x for your network is one step. The next step would be not using x.x.x.1 for your router. 192.168.42.69 is less likely to be exploited than 192.168.42.1, which is in turn less likely to be exploited than 192.168.0.1. The downside is that changing IPs does also make it a bit less intuitive to manage your own LAN.

    5. Re:Internal or External IP by Anonymous Coward · · Score: 0

      We are working on a solution for mass management of OpenWRT/DD-WRT devices. The solution is agent based and performs management by proxy.

  32. Likely not just images... by ruiner13 · · Score: 1

    I'm guessing you could add it to an href in a stylesheet reference, a script src, or even as a link target. I don't see why this would be limited to just images.

    --

    today is spelling optional day.

  33. Re:Linksys suck by FudRucker · · Score: 0, Troll

    does not matter what firmware brand or version is on it, if i fucking can not check for an update then i assume it is old & obsolete and should be tossed in to the trash, or should i be happy just running a mystery box router not knowing if it needs updating or replacing or not?

    --
    Politics is Treachery, Religion is Brainwashing
  34. DD-WRT is not opensource! by Anonymous Coward · · Score: 0

    DD-WRT had opensource roots, but now has been co-opted and turned into a proprietary product with a non-GPL license.

    There are multiple GPL violations going on, and the funny thing is something like less than 5% of the entire codebase being offered as "DD-WRT" was written by its current owners.

    Theft, pure and simple.

    1. Re:DD-WRT is not opensource! by mieses · · Score: 2, Informative

      I switched to OpenWRT as soon as I realized what DD-WRT is about.
      http://en.wikipedia.org/wiki/DD-WRT#Controversy

      The OpenWRT community is a bit more technical and far more competent.

    2. Re:DD-WRT is not opensource! by douglips · · Score: 1

      I loved DD-WRT, and was saddened to see this exploit and the controversy. The exploit is definitely worth jumping ship for, and it took me 40 minutes to install tomato and get my configuration right. And that's only because I'm drunk.

  35. Critical? by Anonymous Coward · · Score: 0

    So a phishing scheme with CSRF will compromise the system!!! Critical?

  36. DD-WRT is a GPL Violation! by Anonymous Coward · · Score: 0

    And they did it by violating the GPL and stealing the work of thousands of others.

  37. Mod Parent Down by Sleepy · · Score: 1

    >Yes, there's a fix for this, but what is the likelihood of every person who owns a Wifi router fixing this flaw?

    I would use your question to defeat your argument... I can't think of another user community who would be MORE security conscious regarding firmware updates. If you thought about this before posting, you would also have come up empty.

    Even the dd-wrt "newbs" know to check for updates, if for nothing else than shiny new features.

    >We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.

    This does not follow.

    The dd-wrt flaw is caused by a STUPID programming error, and would not be mitigated by "homogeny". You might as well claim that "Windows would be more secure if there were more versions of Windows".

    Firmware bugs are always nasty face-palm slaps of stupidity. It doesn't matter if you are open source or closed.

    dd-wrt will have a lower ratio of developers:users compared to say Ubuntu. With fewer developers, a bug is less likely to be caught in code review, testing, or if someone walks into the error that they recognize it for what it is.

    >Just because we love Linux doesn't mean that we should sacrifice the entire ecosystem to that love. We need to nurture other implementations to prevent this type of virus from wiping out our entire networking infrastructure.

    Why do you think this is a "Linux" problem?
    If you could take the dd-wrt code and run it on top of Windows (which you probably could..), it would STILL have the same vulnerability. Please learn what "CGI" is before conflating it with something else.

    Look, the dev team obviously made some stupid design errors (httpd as root...). But also know now that dd-wrt has a huge community... folks will start looking REAL closely at the code for other security gaffes. Paid developers are starting to look at the dd-wrt code now, as some shrinkwrapped routers come with open source firmwares pre-installed.

    Besides all that, you can't get any more fragmented (dd-wrt or not) than the router market.

    Using this example as for why "Linux [would] sacrifice the entire ecosystem" is just rubbish, sorry to say.
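    The "stupid programming error" called out above is the classic CSRF shape: a state-changing CGI that trusts the session cookie alone, so any page that gets the browser to request the right URL acts as the admin. As an added example (not DD-WRT's code; the cookie name, CGI path and session value are constructed), here is that vulnerable handler beside a hardened one that requires POST, a same-origin check and a per-session token:

```python
import hashlib, hmac, secrets
from urllib.parse import urlsplit

# Constructed values; DD-WRT's real cookie names and CGI paths are not modelled.
SERVER_SECRET = secrets.token_bytes(32)   # per-boot secret held by the httpd
SESSION_ID = "constructed-session-id"     # the logged-in admin's session
ROUTER_HOST = "192.168.1.1"               # LAN address of the admin UI
ADMIN_PATH = "/admin/apply"               # hypothetical state-changing CGI

def csrf_token(session_id: str) -> str:
    """Per-session token that the admin UI embeds in its own forms."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def authenticated(req: dict) -> bool:
    # The browser attaches the session cookie to every request for the host,
    # including ones the user never intended: that is the root of CSRF.
    return req["headers"].get("Cookie") == f"session={SESSION_ID}"

def vulnerable_handle(req: dict) -> str:
    """The pattern behind the DD-WRT bug: a cookie plus a GET parameter suffices."""
    if req["path"] != ADMIN_PATH or not authenticated(req):
        return "rejected: not logged in"
    return f"executed: {req['params'].get('cmd')}"

def hardened_handle(req: dict) -> str:
    """Same endpoint with the checks the vulnerable version lacks."""
    if req["path"] != ADMIN_PATH or not authenticated(req):
        return "rejected: not logged in"
    if req["method"] != "POST":                   # an <img> can only issue GET
        return "rejected: state change requires POST"
    origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if urlsplit(origin).hostname != ROUTER_HOST:  # request came from a foreign page
        return "rejected: cross-origin request"
    token = req["params"].get("csrf", "")
    if not hmac.compare_digest(token, csrf_token(SESSION_ID)):
        return "rejected: missing or wrong CSRF token"
    return f"executed: {req['params'].get('cmd')}"

def make_request(method: str, headers: dict, params: dict) -> dict:
    return {"method": method, "path": ADMIN_PATH, "headers": headers, "params": params}

# An <img src=...> on a third-party page: the browser sends the cookie along.
IMG_GET = make_request("GET", {"Cookie": f"session={SESSION_ID}",
                               "Referer": "http://third-party.invalid/page.html"},
                       {"cmd": "reboot"})
# A form submitted from the router's own UI, carrying the per-session token.
LEGIT_POST = make_request("POST", {"Cookie": f"session={SESSION_ID}",
                                   "Origin": f"http://{ROUTER_HOST}"},
                          {"cmd": "reboot", "csrf": csrf_token(SESSION_ID)})
```

    The host-firewall rules posted further down in this thread block the same request at the network layer; the token check above is what the application itself has to do.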

  38. Also blocked by NoScript by jlmcgraw · · Score: 1

    It appears that recent versions of NoScript block this by default with ABE (http://noscript.net/abe/index.html).

    Let's hear it for NoScript!

  39. Re:Linksys suck by brusk · · Score: 1

    For you, I would recommend tossing it all in the trash.

    --
    .sig withheld by request

  40. Re:It's "homogeneity" / spelling by Merdalors · · Score: 1

    OK, that's funny. Well deserving of +5.
    Indulge me here in a rant about spelling.
    I'm sure we all agree that English spelling is hard and irrational. G.B. Shaw joked that "ghoti" is pronounced "fish": 'gh' as in "cough", 'o' as in "women", and 'ti' as in "nation". Story goes that English spelling was set in stone by the first printer who typeset an English manuscript: a Dutchman who didn't speak the language.
    Spanish did away with all that nonsense years ago. Words are spelled exactly as they are pronounced: "fotografia", etc.
    Correct spelling is important for the following reason: it's a measure of your skill at observation. If you have been looking at the correct spelling of a word all your life, every time you read, how come you can't get it right?
    When you get hired for a job, you will be expected to learn lots of things by observation; also you will be expected to pay attention to detail. Whether you can spell or not is a measure of your ability. It's a test of whether you understand the code, have had the proper upbringing.
    Bad spelling means you are not able to pay attention to detail, and you're a slow learner. Does that sound like someone an employer would want to hire? Unless it's flipping burgers.
    Poor spelling is like showing up at a hip venue, dressed in a 70's leisure suit: you just don't get it.
    Caveat: English is not my native language (neither is Spanish), sorry for any typos.

    --
    Slashdot entertains. Windows pays the mortgage.

  41. Backup, backup, backup... by SomeGuyFromCA · · Score: 1

    God, I love flashing out from under active systems. tldr: Hooray for updates that break wireless and then the whole router. Also, how moronic is it to have the default wireless config be "ddwrt" SSID with no security and no password?

    I heard about this on Wednesday, but made sure I had remote admin off [why, God, why would you ever have that on unless you're doing weird voodoo with a wireless point NATting inside your internal network?] and sailed on, planning to takedown and flash sometime Saturday.

    This news pushed it to the top of my cut list. People, I know this is old hat to many of you, but backup, backup, backup. I had in hand before I started:

    * Settings backed up
    * A copy of the old firmware
    * A copy of the new firmware

    First flash seemed to go just fine, router said it was rebooting... and then didn't. Uptime still read 20 days. Issued web GUI reboot command... nothing.

    Went to the closet, unplugged, replugged. Correct version confirmed, traffic flowing... wireless vanished. What the hell. Went in, redid all the wireless settings. Nope. But I do have a Linksys_SES_blahblah network in view. Nah. Couldn't be.

    Unplugged the router again... nope, the SES net is still on the air. Good. Plugged the router back in... "ddwrt" net appears. Aw crap. Plugged the laptop in and changed the password and took the (unpassworded, unencrypted) net off the air. Fuck, that's a moronic default config.

    To make a long story less long: flashed back to v24-sp1, reapplied my saved config, flashed the new config, it broke AGAIN. Thought for a minute, applied saved state, crossed fingers... and everything worked. Phew.

    Now I have to go around unconfusing all the laptops. Desktops should be fine, since they (hopefully) didn't re-DHCP while the router was at 192.168.1.1 ...

    --
    if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright

  42. Anonymous Coward by Anonymous Coward · · Score: 0

    Cmon folks, where's the milw0rm link?

    http://www.milw0rm.com/exploits/9209

  43. Training users to install certificates by tepples · · Score: 1

    >all you need to do is install the certificate when you connect the first time and it is no longer a problem.

    If you train end users to install certificates so easily, you also train end users to install a certificate that a phishing site recommends.

    Self-signed certificates are only defeated when you have no way to verify that they are who they say they are, not that the encryption is less secure.

    I'm starting with the man in the middle. I'm asking him to change his ways. No message could have been any clearer: You could be communicating with a proxy.

    1. Re:Training users to install certificates by wastedlife · · Score: 1

      DD-WRT is an open-source (though there is talk that they are violating GPL) firmware replacement for some routers. It is pretty unlikely that you will see this on a router not managed by someone with a reasonably high degree of technical knowledge. In this case, a self-signed certificate is far more secure than an open network.

      We need browsers to make a clear warning that you are dealing with an unverified connection for self-signed certificates. However, there is little to no warning when you submit credentials over a completely insecure network. In fact, it seems that it would be trivial for a man in the middle attack to create a secure session with the bank site they are spoofing, and a standard http session with the end user that gives practically no warning. Unless the user specifically goes to "https://mybank.com" they might never notice a problem.

      --
      Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"

  44. Only for WAN facing routers? by RomulusNR · · Score: 2, Interesting

    It would be nice to know if this affects DD-WRT boxes that are not WAN-facing and are not in router mode.

    I have three DD-WRT's in client bridge mode so as to provide wired connections throughout the house. They hop over WiFi to the WAN-facing router which still runs stock VxWorks. So I'd be inclined to think that my boxes are safe.

    As for DD-WRT releasing a patch, gee thanks. I have two different (and old) versions of DD-WRT among the three devices and haven't touched them since installing, because upgrading requires lots of personal time with each device to reinstall and reconfigure and god knows what else and I simply don't have the time -- the whole point of setting up client bridges was to make life easier, not some sort of time-consuming exercise in obscure geek cred.

    --
    Terrorists can attack freedom, but only Congress can destroy it.

    1. Re:Only for WAN facing routers? by amohat · · Score: 1

      Maybe you should request a refund, that might make you feel better?

  45. Enhanced Firewall by Terrorwrist · · Score: 0

    In my router, there's an option I just enabled called "Use Chuck Norris to round-house kick incoming hackers". Chuck Norris is in my router and monitoring 24/7. No one can hack my router, or even my pc. Chuck Norris is always watching.

  46. Fix it with your PC firewall by Alain Williams · · Score: 0

    The exploit involves getting a browser inside your network to connect to the broadband modem at a URL that is broken. Modems are usually set to reject any connection for admin purposes from the outside (Internet facing) but accept connections from inside for sysadmin purposes.

    In my setup I have my modem connected to my main machine, this runs a firewall and other machines are connected to it (from a second ethernet card). A few firewall rules fix it:


    • BBModem=192.168.0.1

      # Direct comms with modem forbidden:
      iptables -A FORWARD -d $BBModem -j DROP

      # Forbid access to the modem except for pings (nagios needs this) and the modem manager user:
      iptables -t nat -A OUTPUT -d $BBModem -p icmp --icmp-type echo-request -j ACCEPT
      iptables -t nat -A OUTPUT -d $BBModem --match owner ! --uid-owner modemu -j DROP

    The connections to the modem are forbidden except from the main machine (this is what the FORWARD rule does). Connections to the modem are only permitted from the user modemu, a user that I only ever use for the rare occasions when I need to tweak the modem.

    I knew that something like this would happen and took care to avoid it.

  47. Attention Mods by jamesswift · · Score: 1

    You're doing it wrong.

    zarthrag didn't ask for the points for his/her post.

    --
    i wish i could stop

  48. Re:proving once again by LingNoi · · Score: 1

    This isn't on the desktop, it's on the router. What an idiot...

  49. What you've noticed is that there are two kinds of by aussersterne · · Score: 1

    "attacks."

    Those which target "you" and those which target "everybody."

    Security through obscurity is great at insulating you from those attacks that target "everybody" (worms, etc.) because the attack is happy to exploit the common case and not bother with specificities, since that will still net it a bunch of bots/slaves/zombies/etc.

    For those which target "you" specifically, security through obscurity will solve absolutely nothing.

    Most pointedly (and many people on Slashdot miss this) the largest threat to the common Internet user is precisely of the former kind (the odd worm, being a part of a "net public") and not necessarily attacks that specifically want to compromise ONE machine or network somewhere that is the TARGET of the attack.

    Security through obscurity is therefore a useful basic defense if you are not particularly interesting as a node.

    --
    STOP . AMERICA . NOW