Help my Linksys WRT54G router was broken into using the "curl" command

 
 
Jeff Liebermann
 
      07-04-2007
Debbie Hurley <(E-Mail Removed)> hath wroth:

>I believe him when he says I need to upgrade my router.


You don't need a new router. You need a firmware update. No big
deal. What I'm concerned about is how remote access got turned on
and who did it (and why). You might want to interrogate the kid.

>You are the
>only one here who believed me.


Yes, but don't presume it's my good intentions or generous attitude.
The problem is that old bugs tend to come back. One version fixes a
problem, the next version brings it back as sloppy coders recycle old
code. In the software biz, it's part of regression testing.

>I thought I was going crazy when the "experts" were telling me what
>I saw I didn't see.


Chuckle. Ever see any magic tricks or sleight of hand? It looks
real, but you just know something is going on in the background. Well,
hacking and breaking in are like that. I derived considerable
entertainment at the expense of a few IT people (who now hate my guts)
breaking into their systems using social engineering, and then making
it look like some kind of vulnerability or systemic problem. Yeah, I
know I have a warped sense of humor, but it keeps me entertained. The
only problem is that the IT people now hate my guts. Oh well.

Anyway, be careful that what you're seeing is actually a break-in or
vulnerability in progress, and not the residue from a previous
break-in. The fact that remote access was apparently enabled makes me
VERY suspicious.

>I felt like I was being persecuted for reporting this.


Well sure. Blame the victim and all that. Nobody wants to be told
their network is full of holes and vulnerable to attack. Why bother
fixing the problem when you can simply discredit the person that found
the problem?

>I didn't realize that the Linksys WRT54G router I bought was so weak.


It's old firmware. Someone goofed and it's been fixed. All vendors
have their security holes and problems.

>Why didn't Linksys TELL me about this in the package?


Actually, that's a good point because I couldn't find it in the
firmware release notes. It's fashionable to disclose vulnerabilities
only after the fixes are available. That's a fair method, but doesn't
work if users like yourself do not perform ritualistic firmware
version checks and updates.

>I have never updated my
>"firmware" before. Can you hand hold my hands a bit to tell me how to do
>it. I don't want to ruin the router.


There are instructions on the Linksys web site (somewhere). It's
basically very easy. Download the firmware image file. Make an extra
effort to be sure you have the correct version and file. You still
haven't bothered to disclose your WRT54G hardware mutation, so I can't
offer specific advice, filenames, and URLs.

Uncompress the download if it's a ZIP file. Go to the firmware update
page:
<http://www.linksysdata.com/ui/WRT54G/v5/1.00.6/Upgrade.htm>
and browse merrily to the .bin (or whatever) file. Hit update and
wait. When you think it's done, wait some more. Figure on about 2
minutes to be safe. With v5/v6, I don't think you have to reset
anything. That's it.

>BTW, my neighbor said to change my IP address and the hostname and media
>address of my router and pc constantly because that's what he used to
>figure out which was mine in the neighborhood. Is there a way to change the
>router & PC hostname and media name automatically every day or do I have to
>do it manually every day to be safe?


Don't bother. Almost all of that manner of improving security
consists of either obscuring your setup or introducing additional
obstacles. Those are good if you enjoy complicating your own life as
well as that of the prospective hacker, but are generally near
worthless. See the FAQ at:
<http://wireless.wikia.com/wiki/Wi-Fi#Wi-Fi_Security>
Your real security is in:
WPA-PSK or WPA2-PSK encryption
Password for router access
Firmware updates
Most of the tweaks are of marginal value.

If you want real security, set up a VPN and a RADIUS server. The
RADIUS server provides a login and password per user, but also
delivers a unique one time WPA encryption key which cannot be leaked.
If I wanted to attack your system, I would not attack the router, but
would try to extract the WPA key from your Windoze registry. See:
<http://www.wirelessdefence.org/Contents/Aircrack-ng_WinWzcook.htm>
A RADIUS server eliminates the use of a shared key, thus preventing it
from being leaked. Ummm... Don't tell the 15 year old brat.

As for your other questions....

>One thing I'd like to do is change the login name!
>I asked on the linksys forums and will check to see if there is a way to
>change the login name from just a dumb blank stare to something interesting
>so others can't get in so easily through the front door of the router.


You can't do that with the stock Linksys firmware. There's only one
user and that's admin. Other routers allow additional users and even
user levels, such as read-only users. If you really want this
feature, the alternative firmware (DD-WRT, OpenWRT) all have
additional users. However, again, this is nothing but security by
obscurity and doesn't provide any real security. Anyway, user names
are supposed to be publicly accessible and not hidden like a password.

Incidentally, one of my accomplices decided that I should test his
system security. He did all the right things, but I still managed to
break in. I tricked him into using his laptop to "test" the security
by claiming my laptop was dead. He stupidly saves all his passwords
in his Firefox browser. It was a simple matter to connect,
automatically login with the saved password, and collect my free
lunch. This is again why I don't like shared keys, stored passwords,
and other convenience features.

>What I don't get is why the Linksys WRT54G router has a password but not a
>login name. Wouldn't it be MORE SECURE if I could change the login name?


Lack of sufficient RAM and NVRAM in the router limits the features
that can be crammed inside. Again, the login name is supposed to be
publicly known and accessible and should not be treated as yet another
password. It also doesn't add much security as the same mechanisms
I've previously listed to bypass passwords will work with login names.

>Am I doing something wrong?


1. You didn't specify WRT54G hardware mutation after being asked by
multiple people for this information.
2. You didn't search with Google to see if it was a known problem.
3. Declared the WRT54G to be worthless BEFORE asking if there was a
fix.
4. Trusted my advice. Don't trust ANYONE about security without
first understanding what you're doing, why it's necessary, and
verifying that it's considered a reasonable thing to do.
5. Posted far too many replies. I'm lazy and don't like hopping from
message to message.

>Likewise with the host name. Why does it have a host name that isn't used
>and why can't I just set the hostname to a blank.


That's been asked before, but with no definitive conclusion. The
current guess is that a hostname is required for syslog to work. It
can be anything, but not blank.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
Debbie Hurley
 
      07-04-2007
On Wed, 4 Jul 2007 00:37:07 -0700, Debbie Hurley wrote:

> It's way too easy to break into the Linksys WRT54G router!


So far, here's what people have emailed to my yahoo address or posted here
or in the linksys forum about this horrid WRT54G vulnerability which allows
anyone to eliminate all my security settings in a single curl command
without ever logging into my router.

http://securitytracker.com/alerts/2006/Aug/1016638.html
http://archive.cert.uni-stuttgart.de.../msg00129.html
http://www.securityfocus.com/archive.../30/0/threaded
http://www.securityfocus.com/bid/19347/exploit
http://www.securityfocus.com/bid/19347/references
http://www.securityfocus.com/archive/1/452020
http://www.securityfocus.com/bid/19347/references
http://seclists.org/bugtraq/2006/Aug/0218.html

And the solution is here apparently although I haven't found any
confirmation that it actually works (I need to read more before I get the
confidence to "flash" my router having never flashed anything before).

http://www.linksys.com/servlet/Satel...ypage=download

Debbie

 
Debbie Hurley
 
      07-04-2007
On Wed, 04 Jul 2007 09:59:06 -0700, Jeff Liebermann wrote:

> You don't need a new router. You need a firmware update. No big
> deal.


This recommended reference says the Linksys WRT54G firmware update only
fixes half the problems in that something called "authentication bypass
vulnerability" was fixed but not something called "the CSRF vulnerability"
(http://www.securityfocus.com/archive/1/452020).

> The fact that remote access was apparently enabled makes me
> VERY suspicious.


Yes. It was enabled. I don't know how as I never touched that before. Web
access, whatever that is, was also enabled, as was pnp and a zillion other
things.

> It's old firmware. Someone goofed and it's been fixed. All vendors
> have their security holes and problems.


I understand but I would have thought this would warrant a recall like they
do with cars where you bring it in and they bring it back up to safety
specifications. There's no way they should have sold that router to me with
such an unsafe vulnerability. Why do we recall cars but not routers that
have safety problems?

>>I have never updated my
>>"firmware" before. Can you hand hold my hands a bit to tell me how to do
>>it. I don't want to ruin the router.


> Your real security is in:
> WPA-PSK or WPA2-PSK encryption


Hmmm... that's not one of my options. I have WPA2 Personal on the Linksys
WRT54G router (which I looked up to be the same thing as WPA2 PSK) but I
don't have WPA2-Personal or WPA2-PSK options on my Windows XP fully
updated. Something must be wrong with my windows setup so I will keep
looking to see what I need to fix. At least Microsoft constantly updates my
operating system automatically so I don't have to worry about "flashing"
the computer!

>
>>Am I doing something wrong?

> 1. You didn't specify WRT54G hardware mutation after being asked by
> multiple people for this information.

I thought I did. It's version 5, and firmware version v1.00.6.
Is there ANOTHER version I need to be aware of?

> 2. You didn't search with Google to see if it was a known problem.

I did search for "curl" but I didn't know what to look for. I did find the
linksys forums and searched there and posted there the exact same question.
They said to upgrade the firmware and tell them if it worked or not to stop
the next curl attempt.

> 3. Declared the WRT54G to be worthless BEFORE asking if there was a
> fix.

The fix seems good but (see prior) it only fixes "authentication bypass
vulnerability" but not "the CSRF vulnerability" according to the references
cited above.

> 4. Trusted my advice. Don't trust ANYONE about security without
> first understanding what you're doing, why it's necessary, and
> verifying that it's considered a reasonable thing to do.


Huh. I trust you. Aren't you trying to help me?

> 5. Posted far too many replies. I'm lazy and don't like hopping from
> message to message.


Oh. I was trying to be responsive and courteous to my friends who were
trying to help me. I'll stop replying so as to prevent the confusion and
allow you to get me to the point I need to be.

Thank you!
Debbie

BTW, which is the "right" newsgroup forum for this kind of Linksys WRT54G
security vulnerability solution type of question?
 
 
Jeff Liebermann
 
      07-04-2007
Debbie Hurley <(E-Mail Removed)> hath wroth:

>This recommended reference says the Linksys WRT54G firmware update only
>fixes half the problems in that something called "authentication bypass
>vulnerability" was fixed but not something called "the CSRF vulnerability"
>(http://www.securityfocus.com/archive/1/452020).


I'll look at it later. It's a holiday and I'm lazy.

>I understand but I would have thought this would warrant a recall like they
>do with cars where you bring it in and they bring it back up to safety
>specifications. There's no way they should have sold that router to me with
>such an unsafe vulnerability. Why do we recall cars but not routers that
>have safety problems?


Easy. Because no router manufacturer has been successfully sued for
damages resulting from security holes, while automobile manufacturers
tend to get sued for anything and everything.

Please note that there are literally a huge number of vulnerabilities in
various computer products. Given time and limited resources, it's
impossible to just TEST for these vulnerabilities, much less find the
time to fix them.

Open Source Vulnerability Database
<http://osvdb.org>

Security and Vulnerability announcements
<http://secunia.com>
Here are the statistics for MS XP Home:
<http://secunia.com/product/16/?task=statistics>
Note that 15% of the 155 vulnerabilities announced since 2003 have NOT
been patched.

>> Your real security is in:
>> WPA-PSK or WPA2-PSK encryption

>
>Hmmm... that's not one of my options.


WPA-PSK is exactly the same as WPA-Personal
WPA-RADIUS is exactly the same as WPA-Enterprise
I traced back where the name change came from. The Wi-Fi Alliance is
more consumer oriented and went for the Personal and Enterprise. The
IEEE is addicted to acronyms and elected to use PSK and RADIUS.

>I have WPA2 Personal on the Linksys
>WRT54G router (which I looked up to be the same thing as WPA2 PSK) but I
>don't have WPA2-Personal or WPA2-PSK options on my Windows XP fully
>updated. Something must be wrong with my windows setup so I will keep
>looking to see what I need to fix.


<http://support.microsoft.com/kb/893357/>
<http://support.microsoft.com/kb/917021/>

>At least Microsoft constantly updates my
>operating system automatically so I don't have to worry about "flashing"
>the computer!


Wrong. Microsloth only automagically updates *CRITICAL* updates or
those that compromise security. Optional updates must be downloaded
manually.
Start -> Run -> wupdmgr
It should start IE6 or IE7 and run Windoze update. If it suggests you
upgrade to "Microsoft Update", do it. Then, hit the "Custom" button.
It will grind the hard disk for perhaps 10 minutes deciding what needs
to be updated and present you with a list. Check EVERYTHING, download
and install. Shutdown when it demands and reboot.

You're not done yet. MS Office might need some updates. Start IE6 or
IE7 and go unto:
<http://office.microsoft.com>
In the upper right hand corner, is a tiny obscure well buried button
for Office Update. Pick your version of MS Office and do the updates.

There are also plenty of applications on your machine that could use
an update and may have vulnerabilities. QuickTime, iTunes, Winamp,
etc as well as your favorite virus and spyware scanners all need to be
updated.

If you think this is a drag, you're right. There should be a unified
update and notification mechanism. Not this week. Meanwhile, this is
a good thing for your 15 year old prospective hacker to do after
butchering your lawn.

>> 1. You didn't specify WRT54G hardware mutation after being asked by
>> multiple people for this information.

>I thought I did. It's version 5, and firmware version v1.00.6.
>Is there ANOTHER version I need to be aware of?


Sorry. You did in another message that didn't arrive until after I
posted my reply. This is why I don't like a large number of messages.
I get easily lost.

>> 2. You didn't search with Google to see if it was a known problem.

>I did search for "curl" but I didn't know what to look for. I did find the
>linksys forums and searched there and posted there the exact same question.
>They said to upgrade the firmware and tell them if it worked or not to stop
>the next curl attempt.


Ok, you're partially forgiven. If you had typed in the curl command
(wrapped in double quotes), you would have found all the security
advisories.

>> 3. Declared the WRT54G to be worthless BEFORE asking if there was a
>> fix.

>The fix seems good but (see prior) it only fixes "authentication bypass
>vulnerability" but not "the CSRF vulnerability" according to the references
>cited above.


I think we have different criteria for acceptability. The
authentication problem (curl example) is serious and if unpatched, I
too would consider the WRT54G to be dangerously insecure. However, I
know of other vulnerabilities and oddities that also might be used to
compromise security that do not warrant such a drastic action like
recycling the router.
Is the WRT54G useful and fairly safe (after patching)? Methinks so.
Can Linksys do better? Probably.
Would a different router do better? No way to tell.

>> 4. Trusted my advice. Don't trust ANYONE about security without
>> first understanding what you're doing, why it's necessary, and
>> verifying that it's considered a reasonable thing to do.

>
>Huh. I trust you. Aren't you trying to help me?


Nope. I'm just a wolf in sheep's clothing. In my spare time (usually
under the cover of darkness), I join the forces of evil in a never
ending effort to uncover security holes and screwups in computing. As
a side effect, security does gradually tend to improve. However, it's
the challenge that gets my attention, not the side effects. I tend to
do best with social engineering and physical security, but when those
fail, hacking will suffice. Try not to let it bother you as many of
those that really know what they're doing, didn't learn security from
a book, and also tend to have a checkered past.

>BTW, which is the "right" newsgroup forum for this kind of Linksys WRT54G
>security vulnerability solution type of question?


I don't know. I only infest alt.internet.wireless. One technical
newsgroup is all I handle in my ever shrinking spare time.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
 
Leythos
 
      07-04-2007
In article <B9Oii.45170$(E-Mail Removed)> ,
(E-Mail Removed) says...
> The first was to access my router by its IP address and then to do a
> remote configuration into the router that way. I had the remote
> configuration enabled so he showed me how to disable that in the router so
> the average person wouldn't disable my router security from half way around
> the world.


Your router default settings, other than 192.168.0.1/24 and the
password and WPA-PSK were fine. Your choice of allowing the default
subnet and the remote access was a large mistake that let him in.

--
Leythos - (E-Mail Removed) (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've included does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.
 
 
Leythos
 
      07-04-2007
In article <JuOii.45176$(E-Mail Removed)> ,
(E-Mail Removed) says...
> On Wed, 4 Jul 2007 09:35:17 -0400, Leythos wrote:
> > While I've not verified it, you should have googled for basic security
> > methods and you would have found that you need to change the default
> > subnet to something else, keeping the 192.168.0, which is the default,
> > is always a bad idea.
> >
> > 192.168.0 and 192.168.1 are common default subnets for home routers,
> > don't use them.

>
> My neighbor says what you said above is totally wrong in that it doesn't
> matter what IP address I use because he uses something called winpcap to
> snare the router IP address off the air!
>
> He says he gets an "ARP" from a program called ethereal which tells him all
> the "who" and "tell" arp commands which tells him every router's IP address
> in the neighborhood. So he called it 'smoke and mirrors' to change my IP
> address.
>
> That's why he suggested I find a patch to the Linksys WRT54G
> GENERIC-MAP-NOMATCH vulnerability.
>
> By the way, he said there are more than one vulnerabilities. I asked him to
> show me in writing and he just sent me something which I'll post to you
> once I clean it up a bit.


And there is more than just not using the default IP, and it does make a
difference, as there are web sites that will hack your router without
using the wireless connection, and they don't "cap it off the air". So,
again, change your subnet, that's first.

Next, you ENABLED REMOTE MANAGEMENT (which is not the fault), so you
screwed yourself there also - disable remote management and set up a
strong password.

Yes, there are exploits, for most any device, but, you can limit your
exposure.

--
Leythos - (E-Mail Removed) (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've included does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.
 
 
Greg Hennessy
 
      07-04-2007
On Wed, 04 Jul 2007 14:42:52 GMT, Debbie Hurley <(E-Mail Removed)>
wrote:


>
>He said the only reason we used the wire was to make it easier to show me.
>He even did it wirelessly while out on my driveway outside my house.


Oh really. If you're daft enough to put an open access point in the big bad
world, you deserve everything coming.

> He said ANYONE could do it from the Internet if they knew my IP address.
>Luckily, he said nobody knows my IP address. Whew!


Oh really.

>I didn't realize using a Linksys WRT54G router was so dangerous!


Very dangerous, especially where there is a self identifying problem
between the chair and keyboard.



greg


--
"Aah, the gringos again!"
 
 
Greg Hennessy
 
      07-04-2007
On Wed, 04 Jul 2007 14:29:53 GMT, Debbie Hurley <(E-Mail Removed)>
wrote:

> I had the remote
>configuration enabled


So, you're clever enough to change the default configuration, but you
cannot figure out how to configure WPA-PSK.


Hmmmm.
--
"Aah, the gringos again!"
 
 
Greg Hennessy
 
      07-04-2007
On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann <(E-Mail Removed)>
wrote:


>
>If remote admin was enabled, someone has been tinkering with the
>default setup.
>


Quite, I get the distinct stench of troll......
--
"Aah, the gringos again!"
 
 
Jeff Liebermann
 
      07-04-2007
Debbie Hurley <(E-Mail Removed)> hath wroth:

>On Wed, 4 Jul 2007 09:35:17 -0400, Leythos wrote:
>> While I've not verified it, you should have googled for basic security
>> methods and you would have found that you need to change the default
>> subnet to something else, keeping the 192.168.0, which is the default,
>> is always a bad idea.
>>
>> 192.168.0 and 192.168.1 are common default subnets for home routers,
>> don't use them.


>My neighbor says what you said above is totally wrong in that it doesn't
>matter what IP address I use because he uses something called winpcap to
>snare the router IP address off the air!


Baloney. All 802.11 wireless is done by bridging on Layer 2 with
MAC addresses. There is nothing in the 802.11 protocol or specs that
even mentions IP addresses. Not all wireless packets are encrypted.
However, all packets that contain an IP address in the header,
including ARP broadcasts and responses, are encrypted. He could sniff
all he wants and without the encryption key, he's not going to see an
IP address go by.

I wasn't 100.0% sure of this so I ran some old capture log files
through Ethereal looking for telltale ARP broadcasts
(frame.pkt_len==68 and wlan.da==ff:ff:ff:ff:ff:ff)
and their corresponding responses. No IP's visible. I'll run some
more tests later as I'm still not 100.0% sure that all IP's are
suitably encapsulated in encrypted packets.

>He says he gets an "ARP" from a program called ethereal which tells him all
>the "who" and "tell" arp commands which tells him every router's IP address
>in the neighborhood. So he called it 'smoke and mirrors' to change my IP
>address.


He can do network discovery successfully from the wired ethernet part
of the network, because the packets are not encrypted. That would
require he plug his laptop into your router and run whatever
application he finds useful. However, if he were to attempt that via
wireless, on an encrypted WLAN to which he does NOT have the key, it
won't work. He would see the MAC addresses of most of the devices,
but not the IP addresses.

>That's why he suggested I find a patch to the Linksys WRT54G
>GENERIC-MAP-NOMATCH vulnerability.


Sigh. GENERIC-MAP-NOMATCH means that the vulnerability does not match
anything in the Common Vulnerabilities and Exposures database. In
other words, it's either something new, weird, or ridiculous. It's
not a specific vulnerability or problem.
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=generic-map-nomatch>

>By the way, he said there are more than one vulnerabilities.


Yeah, they do reproduce themselves. Kinda like recycled year old
vulnerabilities rise from the near dead.

>I asked him to
>show me in writing and he just sent me something which I'll post to you
>once I clean it up a bit.


Ask him to post somewhere, a capture log and WireShark decode of a
wireless encrypted session that shows exposed IP addresses. I'm too
lazy to do the work on a holiday.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
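
Added example, not part of the original posts: a Python parser that shows what a passive listener without the key can read from one 802.11 data frame, next to the size-and-destination test from the Ethereal filter quoted above. Both frames, their MAC and IP addresses and the stand-in ciphertext are constructed for illustration; the protected frame is given a 4-byte IV and 4-byte ICV so that it comes to the 68 bytes the filter looks for.

```python
import hashlib
import ipaddress
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")  # LLC/SNAP header, EtherType ARP


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def sniffer_view(frame):
    """Fields of one 802.11 data frame readable without the encryption key."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 data header")
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr = 24
    # Which address slot holds source/destination depends on the DS bits.
    if to_ds and from_ds:
        if len(frame) < 30:
            raise ValueError("truncated four-address header")
        sa, da = frame[24:30], a3
        hdr += 6
    elif to_ds:
        sa, da = a2, a3
    elif from_ds:
        sa, da = a3, a1
    else:
        sa, da = a2, a1
    if (fc0 >> 4) & 0x8:
        hdr += 2  # QoS control field on QoS data subtypes
    body = frame[hdr:]
    view = {"sa": mac(sa), "da": mac(da), "protected": bool(flags & 0x40),
            "length": len(frame), "arp_ips": None}
    # Only an unprotected body can be read as LLC/SNAP + ARP.
    if not view["protected"] and body[:8] == LLC_SNAP_ARP and len(body) >= 36:
        arp = body[8:36]
        view["arp_ips"] = (str(ipaddress.IPv4Address(arp[14:18])),
                           str(ipaddress.IPv4Address(arp[24:28])))
    return view


def matches_post_filter(view):
    """frame.pkt_len==68 and wlan.da==ff:ff:ff:ff:ff:ff, as in the post."""
    return view["length"] == 68 and view["da"] == BROADCAST


# --- constructed sample frames (station -> AP, ToDS set) ---
STA = bytes.fromhex("020000000001")    # constructed station MAC
BSSID = bytes.fromhex("020000000002")  # constructed AP MAC


def _header(flags):
    # data frame, duration 0, addr1=BSSID, addr2=SA, addr3=DA, sequence 0
    return bytes([0x08, flags]) + b"\x00\x00" + BSSID + STA + b"\xff" * 6 + b"\x00\x00"


ARP_REQUEST = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + STA
               + bytes([192, 168, 1, 100]) + b"\x00" * 6 + bytes([192, 168, 1, 1]))
CLEAR_FRAME = _header(0x01) + LLC_SNAP_ARP + ARP_REQUEST

# Stand-in for ciphertext + ICV: fixed pseudo-random bytes, not real encryption.
OPAQUE = (hashlib.sha256(b"constructed-1").digest()
          + hashlib.sha256(b"constructed-2").digest())[:40]
PROTECTED_FRAME = _header(0x41) + b"\x00\x00\x01\x00" + OPAQUE

if __name__ == "__main__":
    for name, frame in (("clear", CLEAR_FRAME), ("protected", PROTECTED_FRAME)):
        view = sniffer_view(frame)
        print(name, view, "matches filter:", matches_post_filter(view))
```

For the protected frame the parser reports the source and destination MAC addresses and a filter match but no IP addresses; for the unprotected frame it reads both ARP addresses.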
 