Help my Linksys WRT54G router was broken into using the "curl" command

Discussion in 'Computer Security' started by Debbie Hurley, Jul 4, 2007.

  1. You don't need a new router. You need a firmware update. No big
    deal. What I'm concerned about is how remote access got turned on
    and who did it (and why). You might want to interrogate the kid.
    Yes, but don't presume it's my good intentions or generous attitude.
    The problem is that old bugs tend to come back. One version fixes a
    problem, the next version brings it back as sloppy coders recycle old
    code. In the software biz, it's part of regression testing.
    Chuckle. Ever see any magic tricks or sleight of hand? It looks
    real, but you just know something is going on in the background. Well,
    hacking and breaking in are like that. I derived considerable
    entertainment at the expense of a few IT people (who now hate my guts)
    breaking into their systems using social engineering, and then making
    it look like some kind of vulnerability or systemic problem. Yeah, I
    know I have a warped sense of humor, but it keeps me entertained. The
    only problem is that the IT people now hate my guts. Oh well.

    Anyway, be careful that what you're seeing is actually a break-in or
    vulnerability in progress, and not the residue from a previous
    break-in. The fact that remote access was apparently enabled makes me
    VERY suspicious.
    Well sure. Blame the victim and all that. Nobody wants to be told
    their network is full of holes and vulnerable to attack. Why bother
    fixing the problem when you can simply discredit the person that found
    the problem?
    It's old firmware. Someone goofed and it's been fixed. All vendors
    have their security holes and problems.
    Actually, that's a good point because I couldn't find it in the
    firmware release notes. It's fashionable to disclose vulnerabilities
    only after the fixes are available. That's a fair method, but doesn't
    work if users like yourself do not perform ritualistic firmware
    version checks and updates.
    There are instructions on the Linksys web site (somewhere). It's
    basically very easy. Download the firmware image file. Make an extra
    effort to be sure you have the correct version and file. You still
    haven't bothered to disclose your WRT54G hardware mutation, so I can't
    offer specific advice, filenames, and URL's.

    Uncompress the download if it's a ZIP file. Go to the firmware update
    and browse merrily to the .bin (or whatever) file. Hit update and
    wait. When you think it's done, wait some more. Figure on about 2
    minutes to be safe. With v5/v6, I don't think you have to reset
    anything. That's it.
    Don't bother. Almost all of that manner of improving security
    consists of either obscuring your setup or introducing additional
    obstacles. Those are good if you enjoy complicating your own life as
    well as that of the prospective hacker, but are generally near
    worthless. See the FAQ at:
    Your real security is in:
    WPA-PSK or WPA2-PSK encryption
    Password for router access
    Firmware updates
    Most of the tweaks are of marginal value.

    If you want real security, setup a VPN and a RADIUS server. The
    RADIUS server provides a login and password per user, but also
    delivers a unique one time WPA encryption key which cannot be leaked.
    If I wanted to attack your system, I would not attack the router, but
    would try to extract the WPA key from your Windoze registry. See:
    A RADIUS server eliminates the use of a shared key, thereby preventing it
    from being leaked. Ummm... Don't tell the 15 year old brat.

    As for your other questions....
    You can't do that with the stock Linksys firmware. There's only one
    user and that's admin. Other routers allow additional users and even
    user levels, such as read-only users. If you really want this
    feature, the alternative firmware (DD-WRT, OpenWRT) all have
    additional users. However, again, this is nothing but security by
    obscurity and doesn't provide any real security. Anyway, user names
    are supposed to be publicly accessible and not hidden like a password.

    Incidentally, one of my accomplices decided that I should test his
    system security. He did all the right things, but I still managed to
    break in. I tricked him into using his laptop to "test" the security
    by claiming my laptop was dead. He stupidly saves all his passwords
    in his Firefox browser. It was a simple matter to connect,
    automatically login with the saved password, and collect my free
    lunch. This is again why I don't like shared keys, stored passwords,
    and other convenience features.
    Lack of sufficient RAM and NVRAM in the router limits the features
    that can be crammed inside. Again, the login name is supposed to be
    publicly known and accessible and should not be treated as yet another
    password. It also doesn't add much security as the same mechanisms
    I've previously listed to bypass passwords will work with login names.
    1. You didn't specify WRT54G hardware mutation after being asked by
    multiple people for this information.
    2. You didn't search with Google to see if it was a known problem.
    3. Declared the WRT54G to be worthless BEFORE asking if there was a
    4. Trusted my advice. Don't trust ANYONE about security without
    first understanding what you're doing, why it's necessary, and
    verifying that it's considered a reasonable thing to do.
    5. Posted far too many replies. I'm lazy and don't like hopping from
    message to message.
    That's been asked before, but with no definitive conclusion. The
    current guess is that a hostname is required for syslog to work. It
    can be anything, but not blank.
    Jeff Liebermann, Jul 4, 2007

  2. So far, here's what people have emailed to my yahoo address or posted here
    or in the linksys forum about this horrid WRT54G vulnerability which allows
    anyone to eliminate all my security settings in a single curl command
    without ever logging into my router.

    And the solution is here apparently although I haven't found any
    confirmation that it actually works (I need to read more before I get the
    confidence to "flash" my router having never flashed anything before).

    Debbie Hurley, Jul 4, 2007

  3. This recommended reference says the Linksys WRT54G firmware update only
    fixes half the problems in that something called "authentication bypass
    vulnerability" was fixed but not something called "the CSRF vulnerability"
    Yes. It was enabled. I don't know how as I never touched that before. Web
    access, whatever that is, was also enabled, as was pnp and a zillion other
    I understand but I would have thought this would warrant a recall like they
    do with cars where you bring it in and they bring it back up to safety
    specifications. There's no way they should have sold that router to me with
    such an unsafe vulnerability. Why do we recall cars but not routers that
    have safety problems?
    Hmmm... that's not one of my options. I have WPA2 Personal on the Linksys
    WRT54G router (which I looked up to be the same thing as WPA2 PSK) but I
    don't have WPA2-Personal or WPA2-PSK options on my Windows XP fully
    updated. Something must be wrong with my windows setup so I will keep
    looking to see what I need to fix. At least Microsoft constantly updates my
    operating system automatically so I don't have to worry about "flashing"
    the computer! :)
    I thought I did. It's version 5, and firmware version v1.00.6.
    Is there ANOTHER version I need to be aware of?
    I did search for "curl" but I didn't know what to look for. I did find the
    linksys forums and searched there and posted there the exact same question.
    They said to upgrade the firmware and tell them if it worked or not to stop
    the next curl attempt.
    The fix seems good but (see prior) it only fixes "authentication bypass
    vulnerability" but not "the CSRF vulnerability" according to the references
    cited above.
    Huh. I trust you. Aren't you trying to help me?
    Oh. I was trying to be responsive and courteous to my friends who were
    trying to help me. I'll stop replying so as to prevent the confusion and
    allow you to get me to the point I need to be.

    Thank you!

    BTW, which is the "right" newsgroup forum for this kind of Linksys WRT54G
    security vulnerability solution type of question?
    Debbie Hurley, Jul 4, 2007
  4. I'll look at it later. It's a holiday and I'm lazy.
    Easy. Because no router manufacturer has been successfully sued for
    damages resulting from security holes, while automobile manufacturers
    tend to get sued for anything and everything.

    Please note that there are a literally huge number of vulnerabilities in
    various computer products. Given time and limited resources, it's
    impossible to just TEST for these vulnerabilities, much less find the
    time to fix them.

    Open Source Vulnerability Database

    Security and Vulnerability announcements
    Here's the statistics for MS XP Home:
    Note that 15% of the 155 vulnerabilities announced since 2003 has NOT
    been patched.
    WPA-PSK is exactly the same as WPA-Personal
    WPA-RADIUS is exactly the same as WPA-Enterprise
    I traced back where the name change came from. The Wi-Fi Alliance is
    more consumer oriented and went for the Personal and Enterprise. The
    IEEE is addicted to acronyms and elected to use PSK and RADIUS.
    Wrong. Microsloth only automagically updates *CRITICAL* updates or
    those that compromise security. Optional updates must be downloaded
    Start -> Run -> wupdmgr
    It should start IE6 or IE7 and run Windoze update. If it suggests you
    upgrade to "Microsoft Update", do it. Then, hit the "Custom" button.
    It will grind the hard disk for perhaps 10 minutes deciding what needs
    to be updated and present you with a list. Check EVERYTHING, download
    and install. Shutdown when it demands and reboot.

    You're not done yet. MS Office might need some updates. Start IE6 or
    IE7 and go unto:
    In the upper right hand corner, is a tiny obscure well buried button
    for Office Update. Pick your version of MS Office and do the updates.

    There are also plenty of applications on your machine that could use
    an update and may have vulnerabilities. Quicktime, Itunes, Winamp,
    etc as well as your favorite virus and spyware scanners all need to be

    If you think this is a drag, you're right. There should be a unified
    update and notification mechanism. Not this week. Meanwhile, this is
    a good thing for your 15 year old prospective hacker to do after
    butchering your lawn.
    Sorry. You did in another message that didn't arrive until after I
    posted my reply. This is why I don't like a large number of messages.
    I get easily lost.
    Ok, you're partially forgiven. If you had typed in the curl command
    (wrapped in double quotes), you would have found all the security
    I think we have different criteria for acceptability. The
    authentication problem (curl example) is serious and if unpatched, I
    too would consider the WRT54G to be dangerously insecure. However, I
    know of other vulnerabilities and oddities that also might be used to
    compromise security that do not warrant such a drastic action like
    recycling the router.
    Is the WRT54G useful and fairly safe (after patching)? Methinks so.
    Can Linksys do better? Probably.
    Would a different router do better? No way to tell.
    Nope. I'm just a wolf in sheep's clothing. In my spare time (usually
    under the cover of darkness), I join the forces of evil in a never
    ending effort to uncover security holes and screwups in computing. As
    a side effect, security does gradually tend to improve. However, it's
    the challenge that gets my attention, not the side effects. I tend to
    do best with social engineering and physical security, but when those
    fail, hacking will suffice. Try not to let it bother you as many of
    those that really know what they're doing, didn't learn security from
    a book, and also tend to have a checkered past.
    I don't know. I only infest alt.internet.wireless. One technical
    newsgroup is all I handle in my ever shrinking spare time.
    Jeff Liebermann, Jul 4, 2007
  5. Your router default settings, other than and the
    password and WPA-PSK were fine. Your choice of allowing the default
    subnet and the remote access was a large mistake that let him in.

    Leythos - (remove 999 to email me)

    Learn more about PCBUTTS1 and his antics and ethic and his perversion
    with Porn and Filth. Just take a look at some of the FILTH he's created
    and put on his website:
    3rd link shows what he's exposed to children (the link I've included does
    not directly display his filth). You can find the same information by
    googling for 'PCBUTTS1' and 'exposed to kids'.
    Leythos, Jul 4, 2007
  6. And there is more than just not using the default IP, and it does make a
    difference, as there are web sites that will hack your router without
    using the wireless connection, and they don't "cap it off the air". So,
    again, change your subnet, that's first.

    Next, you ENABLED REMOTE MANAGEMENT (which is not the fault), so you
    screwed yourself there also - disable remote management and setup a
    strong password.

    Yes, there are exploits, for most any device, but, you can limit your

    Leythos, Jul 4, 2007
  7. Oh really. If you're daft enough to put an open access point in the big bad
    world, you deserve everything coming.
    Oh really.
    Very dangerous, especially where there is a self identifying problem
    between the chair and keyboard.

    Greg Hennessy, Jul 4, 2007
  8. So, you're clever enough to change the default configuration, but you
    cannot figure out how to configure WPA-PSK.

    Greg Hennessy, Jul 4, 2007
  9. Quite, I get the distinct stench of troll......
    Greg Hennessy, Jul 4, 2007
  10. Baloney. All 802.11 wireless is done by bridging on Layer 2 with
    MAC addresses. There is nothing in the 802.11 protocol or specs that
    even mentions IP addresses. Not all wireless packets are encrypted.
    However, all packets that contain an IP address in the header,
    including ARP broadcasts and responses, are encrypted. He could sniff
    all he wants and without the encryption key, he's not going to see an
    IP address go by.

    I wasn't 100.0% sure of this so I ran some old capture log files
    through Ethereal looking for telltale ARP broadcasts
    (frame.pkt_len==68 and wlan.da==ff:ff:ff:ff:ff:ff)
    and their corresponding responses. No IP's visible. I'll run some
    more tests later as I'm still not 100.0% sure that all IP's are
    suitably encapsulated in encrypted packets.
    He can do network discovery successfully from the wired ethernet part
    of the network, because the packets are not encrypted. That would
    require he plug his laptop into your router and run whatever
    application he finds useful. However, if he were to attempt that via
    wireless, on an encrypted WLAN to which he does NOT have the key, it
    won't work. He would see the MAC addresses of most of the devices,
    but not the IP addresses.
    Sigh. GENERIC-MAP-NOMATCH means that the vulnerability does not match
    anything in the Common Vulnerabilities and Exposures database. In
    other words, it's either something new, weird, or ridiculous. It's
    not a specific vulnerability or problem.
    Yeah, they do reproduce themselves. Kinda like recycled year old
    vulnerabilities rise from the near dead.
    Ask him to post somewhere, a capture log and WireShark decode of a
    wireless encrypted session that shows exposed IP addresses. I'm too
    lazy to do the work on a holiday.
    Jeff Liebermann, Jul 4, 2007
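What a passive sniffer can and cannot read from an encrypted WLAN, as an added Python example that is not part of the original thread: it decodes the clear-text 802.11 header (MAC addresses, Protected bit, destination) and extracts IPv4 addresses only from unprotected data frames, applying the same broadcast-destination filter the post mentions. The frames, MAC addresses and IP addresses below are constructed for the illustration.

```python
import struct
from typing import Dict, List

BROADCAST = b"\xff" * 6
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # LLC/SNAP header that precedes the EtherType

def parse_80211(frame: bytes) -> Dict[str, object]:
    """Decode the 3-address 802.11 MAC header, which is never encrypted.
    Assumes a plain data/management frame (no 4-address WDS header)."""
    fc = struct.unpack_from("<H", frame, 0)[0]       # Frame Control, little-endian
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    hdr = {
        "type": (fc >> 2) & 0x3,                     # 0 mgmt, 1 control, 2 data
        "protected": bool(fc & 0x4000),              # Protected Frame bit
        "addr1": frame[4:10],
        "addr2": frame[10:16],
        "addr3": frame[16:22],
        "body": frame[24:],                          # everything after the header
    }
    # Destination is addr3 when the frame heads into the DS, else addr1.
    hdr["da"] = hdr["addr3"] if to_ds and not from_ds else hdr["addr1"]
    return hdr

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def visible_ips(frame: bytes) -> List[str]:
    """IPv4 addresses readable without any key. An encrypted data frame
    yields nothing: its body, LLC header included, is ciphertext."""
    h = parse_80211(frame)
    body = h["body"]
    if h["type"] != 2 or h["protected"] or not body.startswith(LLC_SNAP):
        return []
    ethertype = struct.unpack_from(">H", body, 6)[0]
    payload = body[8:]
    if ethertype == 0x0806 and len(payload) >= 28:   # ARP: sender / target IP
        return [_ip(payload[14:18]), _ip(payload[24:28])]
    if ethertype == 0x0800 and len(payload) >= 20:   # IPv4: source / destination
        return [_ip(payload[12:16]), _ip(payload[16:20])]
    return []

def broadcast_frames(frames: List[bytes]) -> List[bytes]:
    """The sniffer-side filter from the post (wlan.da == ff:ff:ff:ff:ff:ff):
    broadcast frames are where ARP requests would show up."""
    return [f for f in frames if parse_80211(f)["da"] == BROADCAST]

# Constructed sample addresses (not from the thread).
STA_MAC = bytes.fromhex("001122334455")
BSSID = bytes.fromhex("00aabbccddee")
ARP_WHO_HAS = struct.pack(">HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                          STA_MAC, bytes([192, 168, 1, 50]),
                          b"\x00" * 6, bytes([192, 168, 1, 1]))

def arp_request_frame(protected: bool) -> bytes:
    """A station's ARP 'who has 192.168.1.1?' sent towards the AP (To-DS).
    With protected=True the body is stand-in ciphertext plus IV/MIC/ICV fields."""
    fc = 0x0008 | 0x0100 | (0x4000 if protected else 0)   # data, To-DS, [Protected]
    header = struct.pack("<H", fc) + b"\x00\x00" + BSSID + STA_MAC + BROADCAST + b"\x00\x00"
    if not protected:
        return header + LLC_SNAP + b"\x08\x06" + ARP_WHO_HAS
    iv = b"\x00" * 8                                   # TKIP IV / extended IV
    ciphertext = bytes((i * 37 + 11) & 0xFF for i in range(8 + len(ARP_WHO_HAS)))
    return header + iv + ciphertext + b"\x00" * 8 + b"\x00" * 4   # MIC + ICV

if __name__ == "__main__":
    for name, f in (("open", arp_request_frame(False)), ("encrypted", arp_request_frame(True))):
        h = parse_80211(f)
        print(name, "sender MAC", h["addr2"].hex(":"), "IPs:", visible_ips(f) or "none")
```

On the encrypted frame the sender MAC and broadcast destination are still readable, which is exactly the "MAC addresses but not IP addresses" split the post describes.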
  11. Right. Blame the victim. Nicely done.

    Look carefully at the paper box the consumer routers are packaged.
    They're mostly advertising material and are full of acronyms attesting
    to the high levels of security the user gets if they buy the product.
    "Buy me and you'll be safe" from evil hackers like me is the mantra.
    Well, there's just one problem. All the security is disabled by
    default. Plug, play, and you're wide open.

    Now, I know a little about business/commercial law. I'll spare
    everyone the hair splitting and leave out the legal rubbish.
    Basically, the consumer has a perceived notion that this router will
    protect them from evil. If it fails to do that, whose fault would you
    guess it is? To an average person, of average abilities, the level of
    education necessary to properly administer a wireless router is
    substantial and well above what a court of law would consider
    necessary. Therefore, the responsibility for adequate security falls
    on the manufacturer, and not the consumer. The not so minor detail
    that all consumer grade wireless router manufacturers, except 2Wire,
    are shipping their routers insecure by default, should open up
    suitable opportunities for litigation. I've been contacted by a few
    ambulance chasers planning to do exactly that, but have declined their

    A suitable analogy would be if you purchased a consumer device that
    allegedly protected you from some evil, but required that you upgrade
    your esoteric knowledge level considerably. During this several year
    long education process, you discover that the device has been
    essentially disabled and wasn't doing anything useful. Whom would you
    Blame the victim again. At least you didn't resort to name calling
    and labeling.

    I have a loaded question for you: Are you so in love with the
    technology that you forget that real humans are expected to operate
    the devices? I'm curious because this problem seems to be epidemic
    among technical types. I'm sometimes guilty of it myself.
    Jeff Liebermann, Jul 4, 2007
  12. Did you miss the part where the OP enabled wireless access and also
    enabled remote management?

    It's entirely the OP's fault.

    Leythos, Jul 4, 2007
  13. On the contrary, speaking as someone who is the one eyed man in the land of
    blind for half a dozen folks who have no PC knowledge.

    I am intimately aware of the frustration caused by technology and go out of
    my way to avoid causing the 1000 yard stare inflicted by an overdose of
    geekese which is so easy to slip into.
    Someone changed the router from its default settings. The question is who.
    If you're capable of posting to a newsgroup, securing one of the best
    selling wireless routers out should not be that much of a challenge.

    Greg Hennessy, Jul 4, 2007
  14. In message <X6Rii.25070$>
    I remember your post in uk.telecom.broadband about a month ago where
    you'd forgotten the admin password for your router, and wondered how it
    could be reset (I remember your name cos it's the same as someone I know
    from work). Did you let your neighbour friend configure your router for
    you then?
    Mike, Jul 4, 2007
  15. Well, it's fairly easy to get lost in the flurry of postings and
    followups, so I'll summarize. There is no security risk to enabling
    remote management as long as one uses SSH or SSL (if available) to
    access the router config and the router has a reasonably secure
    password setup. For the stock WRT54G firmware, there is no secure
    method of doing remote access, as it lacks SSH or SSL and the password
    is probably sent unencrypted, so remote management is disabled by
    default. See settings as shown at:

    The problem I had with the original start of this thread question was
    that she indicated that:
    "He showed me how to disable remote administration but he
    said the vulnerability still exists until I get a new router."
    The implication was that someone had previously turned on remote
    admin. We can only speculate as to whom at this time. Until a
    suitable culprit is established, we really shouldn't be assigning the
    blame. The first step to solving a problem is NOT to assign the blame.

    There is also an open issue as to who is responsible for updating the
    firmware. Linksys formerly had a "check for firmware updates" button,
    but that never worked even in the original incantation. It was long
    ago quietly dropped. Is Linksys responsible for informing customers
    that their firewall is porous? Probably, but I don't see an easy way
    to implement updates, especially since the prime directive at Linksys
    seems to be to reduce costs by reducing RAM, NVRAM, and features. At
    the present time, the customer is responsible for updates. This is
    more by the abdication of responsibility than by intent, as few
    customers are qualified and even fewer understand the necessity of

    There's also a skool of thought that suggests that if things are
    working, don't touch them. I've probably seen more systems destroyed
    by updates than by hacking, viruses, and worms. After a few
    disasters, customers tend to be paranoid. I hear "leave it alone" all
    too often. I fight it, but not very well. With some vendors, I
    intentionally delay updates as they have a track record of breaking
    more things than they fix. Who's responsible for these updates? I
    guess it's me.
    Really? Then why are there so many FAQ's, guides, blogs, and
    re-hashed instructions on how to setup a "simple" wireless router?
    Could it be that it's really not that simple? Just read through the
    questions on the Linksys wireless forums for a clue.
    For today, there are already 51 questions, a mess of followups, and
    the day isn't half over. There seem to be an awful lot of people
    having problems with Linksys wireless. Perhaps it's because wireless
    is NOT so simple?

    Switching over to, it's somewhat better:

    I'll spare you my list of horror stories that illustrate that there are
    still plenty of problems to be solved with consumer wireless hardware,
    drivers, and config. Try roaming between consumer wireless AP's for a
    great exercise in frustration.

    Another clue is the cancerous growth of wireless acronyms, buzzwords,
    protocols, and specs. I'm directly involved in all this and even I
    can't keep them straight. Every time I open a magazine, new terms
    appear out of nowhere. Then, there are the vendor proprietary
    hang-on's (Cisco Compatible Extensions). I can't even pronounce some
    of the wireless company names. I can barely keep up to date and you
    claim that setting up one of these isn't much of a challenge?

    As for a person's posting abilities being indicative of their ability
    to setup a wireless network, I don't think there's much of a
    connection. An amazing (and alarming) number of help requests in
    alt.internet.wireless are missing the absolute minimum information
    necessary to craft a sane reply. Briefly:
    1. What problem are you trying to solve? One sentence is fine.
    2. What do you have to work with? (Hardware, software, versions).
    3. What did you do and what happened? (Exact error messages).
    The same people would never dream of asking the clerk at the auto
    parts store for advice on their vehicle without specifying the
    necessary info, yet they expect answers on usenet without doing the

    Finally, permit me the liberty of some semantic hair splitting and
    guesswork. You suggest that "... securing one of the best selling
    wireless router..." I have a very tiny problem with this statement.
    You don't secure the router, you secure the system (or network). In
    home wireless, it takes at least two to tango. Each link has at least
    two ends. Securing one end is insufficient as I can breach security
    just as easily at the client end. I posted a few examples in a
    previous message in this thread.
    Jeff Liebermann, Jul 4, 2007
  16. Go unto the Google Advanced Search:
    Inscribe uk.telecom.broadband into the Group field.
    Then try various versions of her name and email address in the Author
    box. Nothing found.

    Try a Google Profile for Debbie Hurley at:
    This could be more than one person, but it does list all the groups to
    which Debbie Hurley has posted. 57 groups in the pull down box and
    uk.telecom.broadband is NOT among them.

    Interestingly, her email address changed from to
    along with a change in IP address in the last
    message. Both appear to be valid. That should add some additional
    fuel to any conspiracy theories.

    Punch her IP addresses of or into:
    Located near San Jose on SBCglobal/at&t, not in the UK.

    Is this really a security newsgroup?
    Jeff Liebermann, Jul 5, 2007
  17. So the security measure he bypassed was your front door

    There's a big difference between someone inside your house
    and network and the evil hackers in China (or Gibraltar)
    Jim Watt, Jul 5, 2007
  18. In her defense--and despite the spastic posting Debbie has done on
    this--this vulnerability is one that actually is remotely exploitable
    under common conditions via a cross site scripting attack.

    Viewing a web site that convinces the browser to submit a post
    request to the default IP of a linksys router's webpage is all that's
    required to disable the security mode and bypass the admin password.
    It appears that at most, a second POST that enables remote management
    is all that'd be needed.

    curl is nothing magical, by the way-- just a command line utility to
    replicate GET and POST transactions that a web browser does behind the
    scenes. It makes for an easy demonstration, but it is not required in
    this attack.

    WRT54G hardware version 5 owners who've never upgraded their firmware
    should be very concerned about this unless they are extremely cautious
    in their websurfing. Such extreme caution breaks about half of all
    web sites these days, so very few folks surf with that level of

    Please read:

    Linksys WRT54g authentication bypass

    includes: "The combination of these two bugs means that any
    internet web site can change the configuration of your
    router. Recently published techniques for port-scanning and
    web server finger printing via java and javascript make this
    even easier."

    Mention of patched firmware quietly released by Linksys

    Best Regards,
    Todd H., Jul 5, 2007
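The two defects Todd describes (no credential needed, and a request any web site can make the visitor's browser send) alongside the checks that close them, as an added Python example that is not from the thread or from any Linksys firmware. The router address, the apply path, the session cookie and the token field name are constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed for this illustration: the router's own LAN address and a
# hypothetical path that applies configuration changes.
ROUTER_HOST = "192.168.1.1"
APPLY_PATH = "/apply"

@dataclass
class Request:
    """What the router's web server sees: method, path, headers, form fields
    and the session cookie the browser attaches automatically (if any)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None

def weak_apply(req: Request) -> bool:
    """The behaviour the thread describes: every POST to the apply page is
    honoured. No credential is checked and nothing ties the request to a page
    the router served, so a page on any web site can make the visitor's
    browser submit it."""
    return req.method == "POST" and req.path == APPLY_PATH

def new_session(sessions: Dict[str, str]) -> str:
    """Create an authenticated session (login itself is not modelled) and bind
    a fresh anti-CSRF token to it. Returns the session id for the cookie."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = secrets.token_urlsafe(16)
    return sid

def _same_origin(req: Request) -> bool:
    """Origin, or Referer as a fallback, must name the router itself. A
    state-changing request that carries neither is refused rather than trusted."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    return bool(src) and urlsplit(src).hostname == ROUTER_HOST

def hardened_apply(req: Request, sessions: Dict[str, str]) -> bool:
    """Apply settings only for a POST that is authenticated, comes from a page
    the router served, and carries the token bound to that session."""
    if req.method != "POST" or req.path != APPLY_PATH:
        return False
    token = sessions.get(req.session_id or "")
    if token is None:                 # no valid login: closes the auth bypass
        return False
    if not _same_origin(req):         # cross-site page: closes the CSRF
        return False
    supplied = req.form.get("csrf_token", "")
    return hmac.compare_digest(supplied, token)   # constant-time compare

if __name__ == "__main__":
    sessions: Dict[str, str] = {}
    sid = new_session(sessions)
    # A POST a hostile page made the browser send: no login, wrong origin.
    cross = Request("POST", APPLY_PATH, {"Origin": "http://evil.example"}, {"remote_mgmt": "1"})
    print("weak:", weak_apply(cross), "hardened:", hardened_apply(cross, sessions))
    # The owner on the router's own setup page, with the session's token.
    good = Request("POST", APPLY_PATH, {"Referer": f"http://{ROUTER_HOST}/setup"},
                   {"remote_mgmt": "0", "csrf_token": sessions[sid]}, session_id=sid)
    print("legitimate:", hardened_apply(good, sessions))
```

The same-origin check alone is not enough once a browser holds a valid session, which is why the per-session token is required as well.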
  19. You expect otherwise in Usenet/geeksville?

    This would be a better place if people checked their egos at the door.
    But that just doesn't happen ... there's no door, and no sheriff.
    Alfred Einstein, Jul 7, 2007
  20. Maybe that's why trolls also post here.<G>
    John Gray, Jul 8, 2007
