Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remote Linksys 0-Day Root Exploit Uncovered

Posted by samzenpus on from the protect-ya-neck dept.

Orome1 writes "DefenseCode researchers have uncovered a remote root access vulnerability in the default installation of Linksys routers. They contacted Cisco and shared a detailed vulnerability description along with the PoC exploit for the vulnerability. Cisco claimed that the vulnerability was already fixed in the latest firmware release, which turned out to be incorrect. The latest Linksys firmware (4.30.14) and all previous versions are still vulnerable."

25 of 133 comments (clear)

  1. WRT54GL by markdavis · · Score: 5, Informative

    Yes, you would think the summary would at LEAST say *WHICH* router it affects, since Linksys has lots of different models. It is the WRT54GL.

    I *love* that router and have probably 30 of them. Low power draw, real antenna, wall mountable, etc. My recommendation- install Toastman Tomato on it. They never crash, freeze, freak out, not work with certain devices, etc. Rock solid stuff.

    Strangely, the WRT54GL is STILL BEING SOLD!

    1. Re:WRT54GL by Synerg1y · · Score: 4, Informative

      People still run their 54gl's stock???

      Repeat after me: d-d--w-r-t

      Turns your router into something more like one of those fancy enterprise cisco routers. The 54gl is dd-wrt's 1st platform I believe (too lazy to look it up), so compatibility is bound to be around 100%.

    2. Re:WRT54GL by YodasEvilTwin · · Score: 5, Funny

      Wait, are we pronouncing the hyphens or not?

    3. Re:WRT54GL by VValdo · · Score: 5, Informative

      I agree it's bad form not to put the router models in the summary. But from the press release...

      Exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected.

      (emphasis mine)

      Incidentally, re: the GL model of the Linksys-- the "L" I'm pretty sure stands for Linux, and was the model that was in response to everyone reinstalling dd-wrt and other firmware...

      --
      -------------------
      This is my SIG. There are many like it, but this one is mine.
    4. Re:WRT54GL by Synerg1y · · Score: 3, Interesting

      Sure, every network anything has had security issues and will. Imho, remote web management is only useful to a very few select users, to get back home, ssh is the way to go... which you'd set up in web management :)

      There was also a vulnerability late last year that revolved around a specific service. The scope is different though, you can turn off a router service inconveniencing yourself till a patch is released... the article didn't provide enough detail on what's affected on the linksys firmware leading me to suspect stock firmware, stock settings... aka the most vulnerable of the vulnerable users group.

    5. Re:WRT54GL by NatasRevol · · Score: 4, Insightful

      Anyone running stock on a WRT54GL deserves to be hacked.

      That's one of the dumber arguments I've ever seen on Slashdot.

      --
      There are two types of people in the world: Those who crave closure
    6. Re:WRT54GL by formfeed · · Score: 3, Informative

      Incidentally, re: the GL model of the Linksys-- the "L" I'm pretty sure stands for Linux, and was the model that was in response to everyone reinstalling dd-wrt and other firmware...

      The WRT54GL was in response to the people being unable to run Linux on the newer revisions of the WRT54G, after Linksys "updated" the WRT54G by reducing the memory in the newer models. They basically restored the specs. of the original router and sold it for a premium.

    7. Re:WRT54GL by Barryke · · Score: 4, Insightful

      The market for WRT54GL is there because of people buying it to put their own firmware on.

      --
      Hivemind harvest in progress..
    8. Re:WRT54GL by Anonymous Coward · · Score: 3, Insightful

      You say DDWRT, I say Tomato.

    9. Re:WRT54GL by clarkn0va · · Score: 5, Interesting

      The WRT54GL is the minority of all routers.

      For those who don't know, the L in WRT54GL stands for Linux. This routers was differentiated from the contemporary revision WRT54G only in that it ran the Linux-based firmware. While subsequent revisions of the WRT54G featured less and less capable hardware, the WRT54GL maintained its original configuration of flash and RAM, allowing it to run third party firmwares such as dd-wrt, openwrt, and Tomato.

      To the average consumer, the WRT54GL looked exactly like the significantly less expensive WRT54G and its prolific variants, but to the power user and professional, it held much greater potential and warranted the higher price tag. These pros and power users generally have no use for stock firmwares, and are only interested in the open nature of the hardware platform, and are therefore willing to pay the premium (although personally I preferred the more capable and less expensive ASUS WL-520gu. I guess legend status has its privileges).

      So yes, it is shocking to those who are familiar with the platform to learn that any significant portion of WRT54GL is running stock firmware in the wild.

      --
      I am literally 3000 tokens away from the chaotic crossbow --Stephen
    10. Re:WRT54GL by dutchwhizzman · · Score: 4, Insightful

      You are forgetting that a lot of people bought it because "the guy that knows computers" said it was "the best model", never understanding why and how to take advantage of the added value of the GL over the budget model. The amount of home computer equipment that gets bought on recommendation of either the sales guy, the neighbour kid or the relative that works in IT is staggeringly high. Those people will most likely still be running stock firmware, probably a relic version at that.

      --
      I was promised a flying car. Where is my flying car?
    11. Re:WRT54GL by Lothsahn · · Score: 4, Informative

      I love Tomato too--in fact, I use it at my house. However, Tomato was originally based off Stock Linksys, and might also be affected. Until full disclosure occurs, we'll not know for sure.

      --
      -=Lothsahn=-
  2. I'm fine. by drunkennewfiemidget · · Score: 5, Funny

    I'm pretty sure my Linksys router doesn't have that vulnerabil -- HA JUST KIDDING, WHO WANTS MY CREDIT CARD NUMBER?

  3. WRT54GL? by Anonymous Coward · · Score: 3, Informative

    Just gotta ask: have they tried it on any OTHER models? Because that's an OLD OLD router that shouldn't even be running cisco/linksys firmware anymore. Tomato, ddwrt, and openwrt all support it, all have support for it and much improved kernel and userspace versions.

    Additionally though the number of different arm processors and SoC arches they're running in their hardware makes me question the odds of a common exploit across all of them, especially since this isn't even a router support the new 'Cisco Cloud' configuration garbage.

    Anyway, what do the rest of you think, some wanna-be 'security' company trying to make a name for themselves scaremongering?

    1. Re:WRT54GL? by Baloroth · · Score: 4, Informative

      Just gotta ask: have they tried it on any OTHER models? Because that's an OLD OLD router that shouldn't even be running cisco/linksys firmware anymore.

      If by "OLD OLD" you mean "is still produced, sold, and obviously supported, and can be purchased on Newegg right this second with stock firmware" then sure. It's an extremely common router, even among the non-techie crowd, so I wouldn't be surprised if the majority of them are still on stock firmware.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  4. Zero day? by arth1 · · Score: 5, Insightful

    What's zero-day about this exploit?
    It was found during testing, and there are no exploits in the wild.

    As such it fails BOTH tests for being a zero day exploit:
    - The company must not know the details of the exploit
    - It must be in the wild

    Stop using the phrase "zero day" about just any exploitable bug. Call them security vulnerabilities, which is what they are.

    1. Re:Zero day? by Anonymous Coward · · Score: 3, Funny

      What's zero-day about this exploit?
      It was found during testing, and there are no exploits in the wild.

      As such it fails BOTH tests for being a zero day exploit:
      - The company must not know the details of the exploit
      - It must be in the wild

      Stop using the phrase "zero day" about just any exploitable bug. Call them security vulnerabilities, which is what they are.

      zero day sounds cool man, it's like black ice and cyberspace all over again man...far out... ...peace.... //tech journalist -68

    2. Re:Zero day? by AmiMoJo · · Score: 4, Interesting

      The term "remote" is also a bit misleading, in that it looks like you need to be on the local network already to use this vulnerability. In the video their IP address is 192.168.1.1. Far less serious than being able to get root from the internet or without having to authenticate a wifi connection first. In fact I bet 95% of affected routers have the default web interface password anyway.

      The main people who should be worried are people with open access wifi or LAN ports, such as cafes and hotels.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Re:Remote? by Amouth · · Score: 4, Informative

    that is far more difficult to do than if the exploit works on the WAN side.

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  6. DHS Needs to Make Announcement by loxfinger · · Score: 5, Funny

    The Department of Homeland Security needs to tell everyone to uninstall their Linksys routers until this is fixed, a la Java.

  7. Is this actually a big deal? by jht · · Score: 3, Informative

    So it's a vulnerability in the WRT54GL (and maybe the related routers) running mainly older firmware - it's a pretty old router model as are its cousins. And from watching the exploit video, it's a local vulnerability - not one you can exercise against the WAN port. So it looks like not such a big deal. After all, 98% of those just have the default password anyways.

    If the more advanced gear (like the RV routers and such) have this issue then I might be concerned. But I don't have enough info yet to worry or not.

    --
    -- Josh Turiel
    "2. Do not eat iPod Shuffle."
  8. Public Service Announcement by Raystonn · · Score: 5, Informative

    Unless you have remote administration enabled, this exploit is only achievable from a system within the local network. This attack is not an internet threat.

  9. Another announcement by vencs · · Score: 4, Funny

    says that, Huawei also reported its routers face a similar vulnerability.

    ---
    Protest online. Save the Planet.

  10. Re:WRT54GL watch out for openwrt by shoor · · Score: 4, Informative

    Recent openwrt distros have a problem with the classic wrt54gl in that it doesn't have enough memory. I know because it happened to me. It installs, but when you try to change configuration, it bricks and you need to ground pin 15 to get it to reflash something. From the openwrt site:

    "In a test with OpenWrt 10.03.1-rc6, the OS will install but LuCI will be unable to update settings because there isn't enough flash left free."

    Old enough versions should work, but I'm happy with my tomato install.

    --
    In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
  11. Fritz boz by 1s44c · · Score: 3, Interesting

    I highly recommend getting a fritz box. The amount of stuff they can do is really cool.
    The model I have is a NAS server, Media server for my blu-ray player, a PBX for cheap SIP calls, an answering machine for SIP or land line calls, a DECT phone base station, A print server for my USB printer, a VDSL modem, and a 4 port gigabit switch. All that in a small low power box.

    Also you can update the firmware fairly easily although it does trash all your settings.

    No I don't work for them.