Help my Linksys WRT54G router was broken into using the "curl" command

Debbie Hurley
      07-04-2007
On Wed, 04 Jul 2007 13:42:28 +0100, kev wrote:
> The Firmware V 1.0.0.6 suggests they are playing with the Version 5
> router which used Vxworks, so I don't know what the commands were for
> that and I can't really be bothered to search for them.


On the bottom of the Linksys WRT54G router it says it's version 5.

My neighbor has been sending me emails as I told him about this thread.
He says it happens with a lot of versions, his being a Linksys WRT54g home
router, firmware revision 1.00.9 and he says all his friends' routers are
similarly vulnerable which he called the "GENERIC-MAP-NOMATCH"
vulnerability.





 
Debbie Hurley
      07-04-2007
On Wed, 4 Jul 2007 09:35:17 -0400, Leythos wrote:
> While I've not verified it, you should have googled for basic security
> methods and you would have found that you need to change the default
> subnet to something else, keeping the 192.168.0, which is the default,
> is always a bad idea.
>
> 192.168.0 and 192.168.1 are common default subnets for home routers,
> don't use them.


My neighbor says what you said above is totally wrong in that it doesn't
matter what IP address I use because he uses something called winpcap to
snare the router IP address off the air!

He says he gets an "ARP" from a program called ethereal which tells him all
the "who" and "tell" arp commands which tells him every router's IP address
in the neighborhood. So he called it 'smoke and mirrors' to change my IP
address.

That's why he suggested I find a patch to the Linksys WRT54G
GENERIC-MAP-NOMATCH vulnerability.

By the way, he said there is more than one vulnerability. I asked him to
show me in writing and he just sent me something which I'll post to you
once I clean it up a bit.
 
Jeff Liebermann
      07-04-2007
Debbie Hurley <(E-Mail Removed)> hath wroth:

>It's way too easy to break into the Linksys WRT54G router!
>
>Instantly bypassing the administrator password, my fifteen-year old
>neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
>in ten seconds simply by sending this one "curl" command to it via the
>Internet from his home next door!
>
>c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri


Old bugs never die. They just get reposted:
<http://seclists.org/bugtraq/2006/Aug/0218.html>
<http://securitytracker.com/alerts/2006/Aug/1016638.html>
<http://www.securityfocus.com/bid/19347/exploit>
<http://archive.cert.uni-stuttgart.de/bugtraq/2006/08/msg00129.html>
etc...
Note the dates from about a year ago. This was fixed with a firmware
update to the v5/v6 hardware mutation router with v1.01.0. The
current version is v1.02.0. Please download, install, and retest.

All the routers I have handy are running DD-WRT v23 SP2 and SP3. The
curl trick doesn't work on any of them from either Ubuntu 6.10 or
Cygwin 1.5.xx on W2K.

You must really be concerned as you also posted the comment to the
Linksys Forums at:
<http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&thread.id=49502>

>This kid was kind enough to knock on my door today to tell me to fix it.


Nice kid. Be sure to thank him. If you're in the computah biz, hire
him.

>I invited him in, and from inside my own house, he showed me the Linksys
>WRT54G command above which immediately disabled all my wireless security
>WITHOUT him having to enter any password!


If he's doing it from the LAN side, that's cheating a bit. In order
to do the same thing from the WAN side, your router would need to have
remote admin enabled, which is disabled by default. Note the default
settings:
<http://www.linksysdata.com/ui/WRT54G/v5/1.00.6/Manage.htm>
This is v1.00.6.

>He showed me how to disable remote administration but he said the
>vulnerability still exists until I get a new router.


If remote admin was enabled, someone has been tinkering with the
default setup.

Incidentally, all the router manufacturers, except 2Wire, ship their
routers not very secure by default. If you simply plugged the router
in straight out of the box, you have a wide open system, with well
known passwords, and an invitation for problems. I've been trying to
get various manufacturers to change their evil ways and start shipping
routers that require the user to set up:
1. A suitable router password
2. A unique SSID
3. A reasonable WPA-PSK encryption key
The wireless would be disabled until this is done. None of them want
to do this for fear that it would diminish your "out of box
experience".

>I can't believe
>everyone with a Linksys WRT54G router is throwing it in the garbage.


I've been tempted quite often as there are plenty of other things I
detest about the WRT54G/GS v5 and v6 mutations. The general lack of
RAM and NVRAM are my biggest gripe, which make loading alternative
firmware a PITA. v5 and v6 routers also tend to lock up and hang for
no obvious reason. The inability to simultaneously connect more than
a few clients:
http://www.smallnetbuilder.com/compo...189/chart,124/
(see bottom of chart) in v5 and v6 also sucks. Yeah, it's a terrible
router. If you're planning on recycling yours, please mail it to the
address in my .signature.

>Where/how can I find a firmware update that protects me from this
>vulnerability?


The kid didn't tell you this? First he breaks in. He leaves remote
admin turned on so he can break in again. Then he shows you how it
works, but doesn't tell you how to fix it? Is he selling wireless
routers door to door? Smart kid.

Perhaps you should try the Linksys support web pile:
<http://www.linksys.com/servlet/Satellite?c=L_CASupport_C2&childpagename=US%2FLayout&cid=1166859837401&packedargs=sku%3DWRT54G&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=3740137401B01&displaypage=download>
Your WRT54G hardware mutation number is on the serial number tag on
the bottom of the router.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
Debbie Hurley
      07-04-2007
On 04 Jul 2007 09:32:11 -0500, Todd H. wrote:
>> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

> Among the reasons having wireless security disabled and letting
> neighbors join your local network for free is a bad idea.


But, he showed me it works while WIRED to my vulnerable Linksys WRT54G
router! He said the GENERIC-MAP-NOMATCH vulnerability has nothing to do
with wireless. It's inherent in the Linksys WRT54G router unfortunately!

Here is his email talking about TWO vulnerabilities in the Linksys WRT54G
router!

"You have two problems. The first is the password validation for
configuration settings is not needed for your Linksys WRT54G router and the
second is that with java turned on any web site anywhere can force a
request to the linksys router, and the router will accept the request."

He also sent me a 2600 web address explaining the whole thing but I didn't
understand it at all.
 
Debbie Hurley
      07-04-2007
On 04 Jul 2007 09:36:41 -0500, Todd H. wrote:
> I meant to paste this vulnerability of v5 wrt54g's here:
> Linksys WRT54GS POST Request Configuration Change Authentication
> Bypass Vulnerability
> http://www.securityfocus.com/bid/19347/references
> It's a known issue. The fix is to upgrade firmware per the link
> below.


Here is a forwarded email which explains the severe Linksys WRT54G
vulnerability I'm afraid. It looks like this vulnerability which allows any
web site to disable your browser security has been around for a long time
based on the time stamps of the email!

Debbie

Date: Fri, 04 Aug 2006 14:00:01 +0000
From: "Ginsu Rabbit" <(E-Mail Removed)>
Subject: [Full-disclosure] linksys WRT54g authentication bypass

I'm having some trouble believing this hasn't been reported before. If you
have a linksys router handy, please check to see whether it is vulnerable
to this attack. It's possible that all of the linksys router web UIs have
the same bug. Hopefully the problem is isolated to one particular model or
firmware revision.

I. DESCRIPTION

Tested product: Linksys WRT54g home router, firmware revision 1.00.9.

Problem #1: No password validation for configuration settings.

The WRT54g does not attempt to verify a username and password when
configuration settings are being changed. If you wish to read
configuration settings, you must provide the administrator ID and password
via HTTP basic authentication. No similar check is done for configuration
changes.

This request results in a user-id and password prompt:
GET /wireless.htm

This request disables wireless security on the router, with no password
prompt:
POST /Security.tri
Content-Length: 24

SecurityMode=0&layout=en

Problem #2: Cross-site request forgery

The web administration console does not verify that the request to change
the router configuration is being made with the consent of the
administrator. Any web site can force a browser to send a request to the
linksys router, and the router will accept the request.


II. Exploitation

The combination of these two bugs means that any internet web site can
change the configuration of your router. Recently published techniques for
port-scanning and web server fingerprinting via java and javascript make
this even easier. The attack scenario is as follows:

- intranet user visits a malicious web site
- malicious web site returns specially crafted HTML page
- intranet user's browser automatically sends a request to the router that
enables the remote administration interface
- the owner of the malicious web site now has complete access to your
router

I'm not going to share the "specially crafted HTML page" at this time, but
it isn't all that special.


III. DETECTION

If your router is vulnerable, the following curl command will disable
wireless security on your router. Tests for other router models and
firmware revisions may be different:

curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri


IV. MITIGATION

1) Make sure you've disabled the remote administration feature of your
router. If you have this "feature" enabled, anybody on the internet can
take control of the router.

2) Change the IP address of the router to a random value, preferably in the
range assigned to private networks. For example, change the IP address to
10.x.y.z, where x, y, and z are numbers between 0 and 255 inclusive. This
makes it more difficult for an attacker to forge the request necessary to
change the router configuration. This mitigation technique might not help
much if you have a java-enabled browser, because of recently published
techniques for determining gateway addresses via java applets.

3) Disable HTTP access to the administration interface of the router,
allowing only HTTPS access. Under most circumstances, this will cause the
browser to show a certificate warning before the configuration is changed.

V. VENDOR NOTIFICATION

Linksys customer support was notified on June 24, 2006.
Full disclosure on August 4, 2006
 
Reply With Quote
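The two problems in the forwarded advisory, modelled as an added example that is not part of the original posts and is not Linksys firmware code: a request handler that checks HTTP Basic credentials only on reads, beside a hardened one that checks them on every method and also requires a per-session token on writes. The credentials, the token scheme, the status codes and the starting `SecurityMode` value used in testing are constructed assumptions; only `/Security.tri` and the `SecurityMode=0&layout=en` body come from the thread.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs

ADMIN = b"admin:constructed-password"   # constructed credentials (user:password)
CSRF_KEY = secrets.token_bytes(32)      # assumed per-boot secret held by the device

def authed(headers):
    """True if the request carries valid HTTP Basic credentials."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return False
    try:
        supplied = base64.b64decode(blob)
    except ValueError:
        return False
    return hmac.compare_digest(supplied, ADMIN)

def csrf_token():
    """Token the device embeds in forms it serves to the logged-in admin."""
    return hmac.new(CSRF_KEY, b"admin-session", hashlib.sha256).hexdigest()

def handle_vulnerable(method, path, headers, config, body=""):
    # Pattern the advisory reports: reads are gated, writes are not.
    if method == "GET":
        return 200 if authed(headers) else 401
    if method == "POST" and path == "/Security.tri":
        config.update({k: v[0] for k, v in parse_qs(body).items()})
        return 200
    return 404

def handle_hardened(method, path, headers, config, body=""):
    if not authed(headers):             # Problem #1: gate every method
        return 401
    if method == "GET":
        return 200
    if method == "POST" and path == "/Security.tri":
        form = {k: v[0] for k, v in parse_qs(body).items()}
        # Problem #2: a cross-site POST can ride cached Basic credentials,
        # but the foreign page cannot read the token out of the admin's forms.
        token = form.pop("csrf", "").encode()
        if not hmac.compare_digest(token, csrf_token().encode()):
            return 403
        config.update(form)
        return 200
    return 404
```
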
 
Warren Oates
      07-04-2007
In article <MlOii.45173$(E-Mail Removed)> ,
Debbie Hurley <(E-Mail Removed)> wrote:

> 2. Connect a yellow wire from the router to the computer


Okay.
--
W. Oates
 
Debbie Hurley
      07-04-2007
On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann wrote:
> <http://seclists.org/bugtraq/2006/Aug/0218.html>
> <http://securitytracker.com/alerts/2006/Aug/1016638.html>
> <http://www.securityfocus.com/bid/19347/exploit>
> <http://archive.cert.uni-stuttgart.de/bugtraq/2006/08/msg00129.html>
> You must really be concerned as you also posted the comment to the
> Linksys Forums.


> Note the dates from about a year ago. This was fixed with a firmware
> update to the v5/v6 hardware mutation router with v1.01.0. The
> current version is v1.02.0. Please download, install, and retest.


Hi Jeff!
Yes. I am really concerned. And scared that it takes all of ten seconds to
break into my router by a fifteen year old cute kid who mows my lawn every
month. I believe him when he says I need to upgrade my router. You are the
only one here who believed me. Thank you. Thank you. Thank you. For a
moment, I thought I was going crazy when the "experts" were telling me what
I saw I didn't see. I felt like I was being persecuted for reporting this.
I didn't realize that the Linksys WRT54G router I bought was so weak. Why
didn't Linksys TELL me about this in the package? I have never updated my
"firmware" before. Can you hand hold my hands a bit to tell me how to do
it. I don't want to ruin the router.

I'll first read everything I can find on updating the router and then post
back if I ruin it doing so. I can read well but I don't know how to debug
once I hit a problem. But I keep trying and that's why I'm here talking to
you!

Thank you - I love your post the best because I was beginning to wonder why
nobody else knew about this which seemed pretty bad that it took all of ten
seconds to wipe out all my hardware security.

BTW, my neighbor said to change my IP address and the hostname and media
address of my router and pc constantly because that's what he used to
figure out which was mine in the neighborhood. Is there a way to change the
router & PC hostname and media name automatically every day or do I have to
do it manually every day to be safe?
 
Debbie Hurley
      07-04-2007
On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann wrote:
>>I can't believe
>>everyone with a Linksys WRT54G router is throwing it in the garbage.

>
> I've been tempted quite often as there are plenty of other things I
> detest about the WRT54G/GS v5 and v6 mutations.


One thing I'd like to do is change the login name!
I asked on the linksys forums and will check to see if there is a way to
change the login name from just a dumb blank stare to something interesting
so others can't get in so easily through the front door of the router.

I will also read up on how to upgrade the firmware of my router using your
links. Thanks. I love you!
 
Debbie Hurley
      07-04-2007
On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann wrote:
> I've been trying to get various manufacturers to change their
> evil ways and start shipping routers that require the user to setup
> 1. A suitable router password


What I don't get is why the Linksys WRT54G router has a password but not a
login name. Wouldn't it be MORE SECURE if I could change the login name?

I can type anything I want into the login name field but it doesn't take.

Am I doing something wrong?

Why does the Linksys v5 WRT54G router have a login name if it isn't used?
Likewise with the host name. Why does it have a host name that isn't used
and why can't I just set the hostname to a blank.

It seems topsy turvy to me. Am I wrong?
 
Todd H.
      07-04-2007
Debbie Hurley <(E-Mail Removed)> writes:

> On 04 Jul 2007 09:32:11 -0500, Todd H. wrote:
> >> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

> > Among the reasons having wireless security disabled and letting
> > neighbors join your local network for free is a bad idea.

>
> But, he showed me it works while WIRED to my vulnerable Linksys WRT54G
> router!


This is among the reasons you only let trusted parties on your LAN if
at all possible.

IIRC, it requires LAN access to exploit unless you are running a
non-default configuration whereby remote admin is enabled.

It pertains to wireless insofar as if you don't have wireless security
enabled, then any old neighbor can join to your LAN and then exercise
the vulnerability.

--
Todd H.
http://www.toddh.net/
 