I think your only allowed to say that if you've got the know how to analize timing patterns to figure out pinouts and then reverse engineer the rest of it. I doubt that's a walk in the park.
I think moderately critical is a good description of this problem. On a per-computer basis this problem is important but minor as not all routers are vulnerable and can be fixed relatively easily.
On a large scale though, this could be a very big problem. The percentage of routers that are vulnerable, the percentage that are directly connected to the internet, (say controlling the PPPoE of a DSL modem), and the percentage that still have the default password all factor in. It may not be enough to matter, but it may be so many that it becomes a signifigant attack vector to both home users and as a jumping point for internet attacks.
Also, it begs the question of whether other linksys routers and/or broadband modems might be vulnerable.
(I appologize if this is already posted and I just did not see it)
-----Original Message-----
From: Alan W. Rateliff, II [mailto:alan2 rateliff net]
Sent: Wednesday, June 02, 2004 11:05 AM
To: bugtraq securityfocus com
Subject: Additional information on WRT54G administration page
I have made the effort to grab three additional units, all v2 hardware,
off-the-shelf, and here is what I have found: Two of three units came with
the firewall enabled, while one of the three came with it disabled. The
packaging leaves no evidence as to whether any of these items were
previously opened and returned.
Interestingly, all three units from local resalers came with v2.02.2
firmware, while the second unit from CDW I tested in March came with
v2.02.7. BOTH of the units which came off-the-shelf with v2.02.7 behaved as
previously described in my original notice; I do not have records of the
firewall setting of the units from March, although they both did behave as
predicted after a factory reset.
I would like to assume that the one-of-three v2.02.2 firmware units which
came with the firewall disabled was an anomoly, and possibly a customer
return. Nicely, flashing these units to v2.02.7 retains all settings,
including the firewall status.
Now the catch. In v2.02.7 with the firewall disabled and remote admin
turned off, the admin page becomes available on ports 80 and 443 on the WAN.
This works whether the unit is in DHCP or PPPoE mode.
Port State Service
80/tcp open http
443/tcp open https
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
So part of the original notice is valid, with the exceptions noted. I don't
have any more v2.02.2 units to test as they have all now been flashed with
v2.02.7, I have no more unmolested v2.02.7, and I am out of petty funds to
purchase more:)
So, I will eat some crow on the original notice. To sum up, the admin page
is most definitely available to the WAN if the firewall is disabled,
regardless of the remote admin setting. And at best the potential for
getting a unit off-the-shelf with this behavior is somewhat like an Easter
egg hunt. I have received an even mix of responses positive and negative to
the original notice, so others are reproducing this OTS.
Some thoughts...
It could be resonable that units which come v2.02.2 OTS then flash to
v2.02.7 may not experience this behavior due to stored factory settings from
original v2.02.2 system carried over to v2.02.7. That would explain the
exception of the OTS behavior of the v2.02.7 units received in March.
Now I am also aware that other LinkSys items I have received have come with
firmwares not yet available on the website -- most recent example, a
WPS54GU2 which came with firmware 6032 while only 6031 was available on the
website. It may be more reasonable that since the firmware v2.02.7 is dated
March 17, my order for the WRT54G was placed on March 23, maybe a
pre-release of the firmware? I cannot imagine that there would be such a
diverse distribution of this product direct from LinkSys?
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2 rateliff net
(Office) 850/350-0260 : (Mobile) 850/559-0100
[System Administration][IT Consulting][Computer Sales/Repair]
Don't get melodramatic. It is well known that the contracts given to musicians are highly unfavorable and that they are, in many ways, tricked into agreeing to things they should not.
I like the path taken by KDE and Gnome. They copy the general concepts of the windows desktop. And you can even configure them, (well, KDE at least. I don't use gnome), to look and work like windows. But, in the default install, they are their own creatures, they are functional and easy to use w/o being microsoft. And a normal user will look at it and go, "oh this is like windows" even though it doesn't look exactly the same.
In fact the fact that it isn't exactly the same is a benefit. If things are exactly the same, people expect them to work exactly the same and become disallusioned if they are not. Take 3D games/movies for example. People don't like a movie like Final Fantesy: the spirits within, because it doesn't look real. But they love Finding Nemo or Worlds of Warcraft because they are stylized and they are expected to not look photo-realistic. It's enough that the user feels comfortable with the general idea, (ie have a srart menu and an application bar as oposed to clicking for all menus), to get usage. Exact replication is not needed.
You really have to be both stupid, and an ass, to dig up technically complex sensors that you know are operational and operated by the military. And then, if that isn't enough, open them all up. You don't cut holes in the chain link fence on a military base just because you think chain link is cool. I mean, honestly, he's sitting there trying to ruin government security and creating a lot of work, (software upgrades, probably moving, reburieing --as I"m sure the DoD isn't taking his word for it that he reburied all of them properly-- the sensors, etc) Hell, he even published photos and information about them. What an ass.
Would a solution to this be to create wine to be able to patch a non-running version windows? That way a live-cd such as knoppix could be popped in, click on a program, enter the location of windows, and have the appropriate live-update windows pop up and patch?
It seems like it would be an excellent way to patch windows and to get some people who wouldn't run linux to experience it. (I know people who have just seen the knoppix desktop and been impressed.)
As far as I've been able to tell, (as a KDE user), gnome has always been about limiting it's user's options, (or at least any ease to get to them). While I won't comment on whether gnome made the right choises about the defaults, it always eeemed that gnome was there for stupid people who didn't want the option of screwing things up while KDE always had the options a few clicks away should someone desire to change it.
I have crossover office, and it has always tended to mess up my menus in KDE. I think it also has effected other KDE look and feel settings though I don't know how.
Humm, if comcast throws these at their users, maybe they'll still be updatable on the firmware side. I wouldn't mind getting one, then bastardizing it with my own firmware.
The idea of programmable chips is nothing new. Xlinx etc have been doing it for ever. The idea of putting both a standard core w/ a generic instruction set AND a programmable core ont he same chip is very interesting. It will, however, be a niche product. You aren't going to use it in your home computer because your home computer does a broad range of things.
This will be useful in places that they mentioned. Places where you do a lot of processing that takes many generic instructions but can be translated into a single string of descrete instuctions.
The more I think about it, this is the direction processors are going. We keep moving processors towards RISC based cores. We keep adding specialized paths for things such as multimedia. Eventually we WILL have half the processor being a purely RISC core and half being programmable hardware for specialized computational intensive instructions. I retract my initial view.
I do wonder though, what the life is on the hardware side. How many times can you reprogram the hardware before it starts to die. What is the error rate in reprogramming it? What happens when a few programmable transistors die?
Thats a great idea until the number gets out and you have some kid in kentucky SMS'ing "go fcsk yourself" to the chandelier some 4 star general is standing under in Belgium.
If you have wineX from transgaming there really isn't any work involved. They support a signifigant number of games, (including warcraft3), and have an easy manager (point2play) along with winex3 which is very capable of handling many games.
So what your saying is that because that plane looks wierd and stays up a lot, we can call it an air born laser and it will be? Be realistic. A solid state laser isn't going to destroy anything in their current form. Plus, I hate to tell you, but none of the hardware in that thing applies to an air born laser. You can't shoot down a missile with a radar track any more than you can win a FPS using only the little radar up in the corner of the screen.
Did they impliment this using the BB84 or B92 protocal? The BB84 is very simple but the B92 is much more secure. As with all things, "perfectly secure" in theory does not necesarily mean "perfectly secure" in the real world and BB84 is more seceptible than B92.
the difference between waiting tables and going to college is that when you go to college, your pay goes up. I started w/ the government at 38k in DC. In a year it'll be closer to 50 likely, and I'll cap out around 115-150 if I stay through my career.
Raven's comments on pre-packaged attacks
on
Hackers: Under The Hood
·
· Score: 3, Interesting
Raven commented on "attack programs". I don't know if she ment pre-written code to exploit known vulnerabilities or not but that is what I am interested in.
Last month I had the privelage of watching a small hacking competition as part of a larger defense contractors conference. (Southeastern Software Engineering Conference). The had a small network set up to simulate a corporate network and teams attempting to attack it. The team that did the best was a red team from Northropp Grumman (which someone said won the Defcon capture-the-flag competition though I never looked it up).
The thing is, their strategy seemed to be to map the network, then run pre-packaged attacks appropriate for the specific device, then install a backdoor and repeat launching off of the machine they'd taken. Security experts in all their interviews repeatedly state that it is undesirable to do this, (ie, use previously written code for the bulk of their pen testing/attacks). Is there a disconnect between what security experts say and what they actually do?
(I do want to add that the team that won was very impressive, taking about a box an hour through the 6ish hours the contest was run. There was a very small time frame which might have necessitated the canned attacks. But the network was representative with at least 1 dedicated firewall, IDS, and honeypot and computers running windows, linux, and solaris. All with reasonable patching.)
Slashdot Mirror
You can get half a bridge from dlink for like 60-90 bucks.
I think your only allowed to say that if you've got the know how to analize timing patterns to figure out pinouts and then reverse engineer the rest of it. I doubt that's a walk in the park.
On a large scale though, this could be a very big problem. The percentage of routers that are vulnerable, the percentage that are directly connected to the internet, (say controlling the PPPoE of a DSL modem), and the percentage that still have the default password all factor in. It may not be enough to matter, but it may be so many that it becomes a signifigant attack vector to both home users and as a jumping point for internet attacks.
Also, it begs the question of whether other linksys routers and/or broadband modems might be vulnerable.
-----Original Message-----
From: Alan W. Rateliff, II [mailto:alan2 rateliff net]
Sent: Wednesday, June 02, 2004 11:05 AM
To: bugtraq securityfocus com
Subject: Additional information on WRT54G administration page
I have made the effort to grab three additional units, all v2 hardware, off-the-shelf, and here is what I have found: Two of three units came with the firewall enabled, while one of the three came with it disabled. The packaging leaves no evidence as to whether any of these items were previously opened and returned.
Interestingly, all three units from local resalers came with v2.02.2 firmware, while the second unit from CDW I tested in March came with v2.02.7. BOTH of the units which came off-the-shelf with v2.02.7 behaved as previously described in my original notice; I do not have records of the firewall setting of the units from March, although they both did behave as predicted after a factory reset.
I would like to assume that the one-of-three v2.02.2 firmware units which came with the firewall disabled was an anomoly, and possibly a customer return. Nicely, flashing these units to v2.02.7 retains all settings, including the firewall status.
Now the catch. In v2.02.7 with the firewall disabled and remote admin turned off, the admin page becomes available on ports 80 and 443 on the WAN. This works whether the unit is in DHCP or PPPoE mode.
Port State Service
80/tcp open http
443/tcp open https
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
So part of the original notice is valid, with the exceptions noted. I don't have any more v2.02.2 units to test as they have all now been flashed with v2.02.7, I have no more unmolested v2.02.7, and I am out of petty funds to purchase more :)
So, I will eat some crow on the original notice. To sum up, the admin page is most definitely available to the WAN if the firewall is disabled, regardless of the remote admin setting. And at best the potential for getting a unit off-the-shelf with this behavior is somewhat like an Easter egg hunt. I have received an even mix of responses positive and negative to the original notice, so others are reproducing this OTS.
Some thoughts...
It could be resonable that units which come v2.02.2 OTS then flash to v2.02.7 may not experience this behavior due to stored factory settings from original v2.02.2 system carried over to v2.02.7. That would explain the exception of the OTS behavior of the v2.02.7 units received in March.
Now I am also aware that other LinkSys items I have received have come with firmwares not yet available on the website -- most recent example, a WPS54GU2 which came with firmware 6032 while only 6031 was available on the website. It may be more reasonable that since the firmware v2.02.7 is dated March 17, my order for the WRT54G was placed on March 23, maybe a pre-release of the firmware? I cannot imagine that there would be such a diverse distribution of this product direct from LinkSys?
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2 rateliff net
(Office) 850/350-0260 : (Mobile) 850/559-0100
[System Administration][IT Consulting][Computer Sales/Repair]
Don't get melodramatic. It is well known that the contracts given to musicians are highly unfavorable and that they are, in many ways, tricked into agreeing to things they should not.
In fact the fact that it isn't exactly the same is a benefit. If things are exactly the same, people expect them to work exactly the same and become disallusioned if they are not. Take 3D games/movies for example. People don't like a movie like Final Fantesy: the spirits within, because it doesn't look real. But they love Finding Nemo or Worlds of Warcraft because they are stylized and they are expected to not look photo-realistic. It's enough that the user feels comfortable with the general idea, (ie have a srart menu and an application bar as oposed to clicking for all menus), to get usage. Exact replication is not needed.
(though it would be inherently scary if your garage door opener required software)
Can we get a "-1, disagrees with slashdot's general opinion" to more accurately reflect what I'm being moderated down for?
You really have to be both stupid, and an ass, to dig up technically complex sensors that you know are operational and operated by the military. And then, if that isn't enough, open them all up. You don't cut holes in the chain link fence on a military base just because you think chain link is cool. I mean, honestly, he's sitting there trying to ruin government security and creating a lot of work, (software upgrades, probably moving, reburieing --as I"m sure the DoD isn't taking his word for it that he reburied all of them properly-- the sensors, etc) Hell, he even published photos and information about them. What an ass.
It seems like it would be an excellent way to patch windows and to get some people who wouldn't run linux to experience it. (I know people who have just seen the knoppix desktop and been impressed.)
As far as I've been able to tell, (as a KDE user), gnome has always been about limiting it's user's options, (or at least any ease to get to them). While I won't comment on whether gnome made the right choises about the defaults, it always eeemed that gnome was there for stupid people who didn't want the option of screwing things up while KDE always had the options a few clicks away should someone desire to change it.
I have crossover office, and it has always tended to mess up my menus in KDE. I think it also has effected other KDE look and feel settings though I don't know how.
Humm, if comcast throws these at their users, maybe they'll still be updatable on the firmware side. I wouldn't mind getting one, then bastardizing it with my own firmware.
This will be useful in places that they mentioned. Places where you do a lot of processing that takes many generic instructions but can be translated into a single string of descrete instuctions.
The more I think about it, this is the direction processors are going. We keep moving processors towards RISC based cores. We keep adding specialized paths for things such as multimedia. Eventually we WILL have half the processor being a purely RISC core and half being programmable hardware for specialized computational intensive instructions. I retract my initial view.
I do wonder though, what the life is on the hardware side. How many times can you reprogram the hardware before it starts to die. What is the error rate in reprogramming it? What happens when a few programmable transistors die?
How do you detect a virus that has control of the underlying hardware though...
Thats a great idea until the number gets out and you have some kid in kentucky SMS'ing "go fcsk yourself" to the chandelier some 4 star general is standing under in Belgium.
If you have wineX from transgaming there really isn't any work involved. They support a signifigant number of games, (including warcraft3), and have an easy manager (point2play) along with winex3 which is very capable of handling many games.
Reference This picture. There ain't room for anything else. And probably won't be any time soon.
So what your saying is that because that plane looks wierd and stays up a lot, we can call it an air born laser and it will be? Be realistic. A solid state laser isn't going to destroy anything in their current form. Plus, I hate to tell you, but none of the hardware in that thing applies to an air born laser. You can't shoot down a missile with a radar track any more than you can win a FPS using only the little radar up in the corner of the screen.
Did they impliment this using the BB84 or B92 protocal? The BB84 is very simple but the B92 is much more secure. As with all things, "perfectly secure" in theory does not necesarily mean "perfectly secure" in the real world and BB84 is more seceptible than B92.
the difference between waiting tables and going to college is that when you go to college, your pay goes up. I started w/ the government at 38k in DC. In a year it'll be closer to 50 likely, and I'll cap out around 115-150 if I stay through my career.
Last month I had the privelage of watching a small hacking competition as part of a larger defense contractors conference. (Southeastern Software Engineering Conference). The had a small network set up to simulate a corporate network and teams attempting to attack it. The team that did the best was a red team from Northropp Grumman (which someone said won the Defcon capture-the-flag competition though I never looked it up).
The thing is, their strategy seemed to be to map the network, then run pre-packaged attacks appropriate for the specific device, then install a backdoor and repeat launching off of the machine they'd taken. Security experts in all their interviews repeatedly state that it is undesirable to do this, (ie, use previously written code for the bulk of their pen testing/attacks). Is there a disconnect between what security experts say and what they actually do?
(I do want to add that the team that won was very impressive, taking about a box an hour through the 6ish hours the contest was run. There was a very small time frame which might have necessitated the canned attacks. But the network was representative with at least 1 dedicated firewall, IDS, and honeypot and computers running windows, linux, and solaris. All with reasonable patching.)
We don't get that kinda lee-way at work. We can't even change our background image.
What's it mean when there is an advertisment for the box being reviewed right beside the review?...
My favorite 3-song combination: Lady Marmalade - Con Te Partido (sp) - You Spin Me Round (by dope). Pop-opera-rock.