A security researcher has discovered a flaw in a popular Linksys router that could allow attackers to remotely hijack the device using its web management console. The Linksys WAG54G2 fails to properly inspect addresses typed into browsers accessing the management console, allowing attackers to inject powerful shell commands …
This on the same day that Cisco is announced as the latest addition to the Dow Jones Industrial Average Index.
Tell me again why I should move my webservers to Linux?
If this attack only works with the default passwords in place, then it should be rolled out to everyone using a WAG54G2. Let's cull the herd of users and admins who forget one of the basics of good security - use good passwords.
Mine's the one with the cattle prod in the inside pocket.
(L)users not changing default router passwords.
It never ceases to amaze me.
ID10T (l)users who do not take the time to RTFM.
Most router manuals suggest that you immediately change the default password.
When I first heard of these types of attacks, I advised several people I knew that had linksys routers to change the passwords.
One of the bleating sheep whined that he might "forget" the password. My reply was: "Use the f---ing serial number of the router, damn it!!!. The f---ing number is RIGHT on the bottom of the f---ing router!!!!" Anyone who does not change the default password, DESERVES to be pwned!!!!!
Another thing, if your router has an option to allow anyone from the internet to make changes, make sure that OPTION IS OFF!!!!!!! If you do not know how, then RTFM!!!!
Brute force attacks to determine the make and model of a router; then an attempt to gain access by sending the factory defaults in an attempt to break in.
It's very sad that CISCO uses default passwords. I was always puzzled why they don't create a unique password for each router and put a sticker on the bottom of each router as some other home routers do (this applies to both the admin password as well as the WAP password).
When I was using Linksys routers (before I moved to Check Point AV Firewall) I was using TOMATO firmware http://www.polarcloud.com/tomato_125
A bit harsh on home users Fatman. They're not idiots, they've bought a consumer item and by default it's insecure. They don't have to change the password on their TV or kettle, why should they have to on their router? Hell, maybe I am supposed to change the password on my kettle, I've never read the manual so how would I know?
There are two solutions to this. 1) Expect a home user to read the manual, understand it and take the steps described. 2) Manufacture it to be secure by default.
Which one do you think is more likely to work?
Please don't move your webservers to linux! You are obviously too stupid to manage them any way, and will just end up giving linux a bad name, when you get pwned. Actually, come to think about it - please pull the plug NOW!!! They have probably already been turned into supernodes in some spam bot network!
That Linksys has failed at securing their own program says nothing about the OS underneath!
So what we're saying is that anyone who has the admin password can run malicious scripts or fundamentally alter the router? Well, yes, that sounds about right. If I used a different router (Thompson, Netgear spring to mind), they actually have telnet access under the same user/pass combo - essentially the same backdoor but without the "exploit" label.
Lynksys is a pile of....
S***. I sent mine back to Aria after it packed up and got a Netgear instead. Much, much better, and now having read this I am doubly happy.
A couple of points to clear here
1. Stop badmouthing Cisco. They're only the owner of Linksys, they are definitely not in charge of QA for Linksys products.
2. Problem with default passwords is a delicate one for any mass manufactured product. Any router with preloaded firmware and configuration comes with a default password, sometimes even a blank one (shudder!). It is not possible to put in and then keep track of any kind of individual password on hundreds of thousands of devices; this is largely against the concept of mass production. Actually Cisco knows how to solve this: their products do not accept any kind of remote connection to the device until you configure a password through a physically direct connection to the device (using the console port).
3. I wouldn't necessarily call those users idiots for not changing the default password, but to me they are clearly irresponsible. If you purchase any device involving safety features (think firearms to get this quickly) then you must understand how it works and follow the safety instructions always prominently displayed at the beginning of the user's guide. Heck, with every appliance I'm buying I have to read on how to plug it in safely.
What's wrong with that?
It's like buying an electronic safe, with a keypad password interface.
To change the password, you need to press a button on the inside.
To get inside the first time, use the factory default password of 1234.
The users/admins, get inside, load it up with goodies and then promptly close it again.
The perp in question first tries the default factory password, it works and he gets away with the goodies.
CLEARLY this is the manufacturer's fault.
Oh, right, it's serious then. I bet it's swine flu.
It's not like I could, hem, connect to the router and type the default password and then have access to whatever I want, is it? Cause this very, erm, sophisticated attack is much, much easier than anything you could ever demonstrate WHICH FUCKING NEEDS TEH FUCKING DEFAULT LOGIN TO FUCKING BE IN PLACE (sorry). Why would I need a sophisticated attack then? As much as I hate their crappy gear, I must side with Cisco here: this "attack" is a joke and they shouldn't bother to fix it. Last week I was fixing a friend's WiFi and I, erm, inadvertently stumbled on her neighbour's router config page. I'm sorry to tell you that I didn't need any sophisticated attack technique. And if changing the default login creds thwarts the "sophisticated attack" described here as well as my "type 192.168.1.1"* approach, well, the obvious conclusion is that the so-called "sophisticated attack" is just useless mind-wanking by people with too much time on their hands (and no brain). I'm not sure that reporting such a *erm* vuln is a plus for a rag that is, after all, supposed to be somewhat IT-aware. Hey, breaking news: burglars discovered a new very sophisticated technique to break into your house, no-one is safe anymore! If you leave your keys in your front door, some new sophisticated technique might allow thieves in: it involves highly technical moves, such as turning the key and pushing the door! Unbelievable!
When did El Reg turn into Daily Fail, again?
*adapt to your needs, you shouldn't have to try more than 4 different IPs. If the luser didn't change the default password, what are the odds they changed the default local IP? Then the router tells you everything you need to know to find its default password, and you're in. No need for a sophisticated attack: a browser, a wireless card and a couple of brain cells are more than enough. Maybe the "security researchers" cited here lack one of the ingredients? I wonder which one.
It is not magic security; you can take a standard distro and make it the most open in the world, well beyond Windows if you want to. But conversely you can also tighten it a lot better than Windows.
So, here LinkSys or Cisco is to blame.
Linux is a kernel, and there are many Linux distros. The CISCO ARM embedded distro for this router is pantz; well, there is a surprise really. The people should be named and shamed, whoever built it.
But it is interesting in as much that it does go to prove what a lot have been saying, it is about the user base (the build team included) and knowledge with Unix, and let's face it that is true for any operating system running on any computer system.
Now you have to watch how fast they can push a fix out. Companies are going to learn that you have to hire experts if you want to use your own kernels based on free software, and you have to test as well, you cannot assume anything, and that is true of commercial as well. Unix is a choice of the expert, but in the hands of the numpty it is quite dangerous.
People will buy that bit of kit because it runs Linux, and swap out the distro for their own, so it might not be that widespread, but some unsuspecting buyers have just been caught out. It was the same with the netbooks; Asus screwed up, and those who really liked 'Linux on by default' had the Asus distro off in minutes.
Unix was mismanaged by charging too much for it and hampering open development; now we see it being hampered by idiots not giving it enough respect and selling on the cheapness. There is a happy medium, and that is understanding you have control, but with that control comes great responsibility, and that responsibility costs to get the right people in.
AC and telnet access
Yes, they actually have telnet access, which can be promptly firewalled off or ACL'd and controlled, because nobody sensible allows telnet in from the internet. I'm talking large corporate scenario run by people with half a clue, not Johnny in his bedroom.
There's also usually an option somewhere to create a lower privileged user, who you would give access to the web console, hopefully in the knowledge they could only read the config, not tinker with it.
The SQL injection probably does not require any privilege on the user, but runs the injected shellcode with the webserver daemon's perms, which Linksys have left as root.
So you could have someone with a clue, configure a web user with low perms and still get p0wned by this.
This is a common scenario with web based element managers of all levels of kit cost; I've even seen "security" appliances fall to our poking...
Linksys should at least fix it and put a firmware update out, assuming they haven't offshored all their jobs to India and the original team isn't now serving burgers at Mac D's...
I've got a couple of these on my LAN, one of which hasn't been reflashed yet; I might have a tinker with it later. I certainly don't use them as routers though :D
Re : Fatman
From the tone of your reply I would suggest that the fat in your name resides mainly between your ears.
I would also suggest that, far from being the all-round guru and great guy you probably think you are, you are as ignorant in other fields as those whom you castigate are in yours.
I wonder if there is a plumbers version of El reg out there somewhere listing stories of stupid overpaid IT wizards who had to pay £300 - £500 quid for a simple washer change. Or maybe a garage mechanics version where they laugh out loud at people who don't know that a certain high pitched whine is indicative of thrust bearing wear. I mean how stupid can people be and still drive a car.
So rather than laughing at what you perceive to be the innate stupidity of others, how about going and helping them out? But then you would have to practice your social skills, wouldn't you. Scary, eh?
Crisis ? What crisis ?
I'm sorry, I don't see the problem here. The report shows that if you have access to the router admin pages, you can use an injection attack.
But if you have access to the admin pages, who cares about owning the router ? You can disable the firewall and go straight for the user's machines.
The bug here is the default password, and the users that leave it like that.
RE: Lynksys is a pile of....
I had the opposite, sent back my netgear because it was crap and am happy with my Linksys (password changed of course).
"The flaw is trivial to exploit when users fail to change the administrative password that's used by default."
As best as I can try, I fail to sympathize with people that don't change the default passwd. If it's default, it's known, and it's no longer a password, shouldn't be hard to understand !
If they can't, they should really stay on the ISP's box and all the proprietary stuff and price.
On the other hand, that kind of attack is probably the proof all vendors will have to move to unique passwds, as this is the only way against Joe Average User ...
RE: A couple of points to clear here
Errr, that's three points ;)
To close (hopefully)
1) Linksys routers have remote management switched OFF by default
2) The injection technique works by having access to the LAN, not through the WAN
3) It only works when you have the admin password
SO... you can't do it from the Internet, and the prerequisites say you need everything that would give you access to the management console. What's the big deal? All I'm hearing is there's a back door, but it's identical to the front door and uses the same lock. Neither is more vulnerable than the other. There is no vulnerability that wouldn't otherwise be there.
Please, we have enough scare mongering from expenses, financial "melt down" and swine-flu. No more please.
Stock firmware = fail
The right answer for routers is to buy one compatible with OSS firmwares and flash in Tomato or DD-WRT or one of the others. THOSE communities actively fix issues. Commercial firmwares may never get fixed.
Also I've found OSS firmwares to be ALWAYS FAR more stable than the stock firmwares.
WRT-54GL or Asus WL-500G are both good choices for this. Also I think there is one manufacturer that ships the router with an OSS firmware already installed.
RE default passwords - how hard would it be for router manufacturers to make the first HTTP connection from the LAN side come up with a page requiring them to set a decent password? And a reset button of course WHEN they forget it, which again required them to set a decent password. This would be absolutely trivial.
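The forced first-connection setup page proposed in the comment above, sketched as an added example; this is not Linksys, Cisco or any firmware's code. It models the LAN-side console as a request handler: until an admin password has been set, every request is redirected to the setup page, the setup page rejects factory-default and short passwords, and a factory reset returns the device to that unconfigured state. The default-password list, the strength rule, the path names and the PBKDF2 storage format are all assumptions for illustration.

```python
"""First-boot password gate for a router's LAN-side web console.

Added example, not vendor code. Assumptions: the console is reached over
HTTP on the LAN interface only, the vendor's default credentials are the
ones listed below, and a physical reset button calls ConsoleState.reset().
"""
import hashlib
import hmac
import os

# Assumed set of factory defaults a setup page must refuse to accept.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000


class ConsoleState:
    """Persistent console state; pw_hash is None until first-boot setup runs."""

    def __init__(self):
        self.salt = None
        self.pw_hash = None

    @property
    def configured(self):
        return self.pw_hash is not None

    def reset(self):
        """Factory reset: forget the password so the setup gate reappears."""
        self.salt = None
        self.pw_hash = None


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_problem(password):
    """Return a reason the password is unacceptable, or None if it is fine."""
    if password.lower() in DEFAULT_PASSWORDS:
        return "is a factory default"
    if len(password) < MIN_LENGTH:
        return "shorter than %d characters" % MIN_LENGTH
    return None


def set_password(state, password):
    problem = password_problem(password)
    if problem:
        return False, problem
    state.salt = os.urandom(16)
    state.pw_hash = _hash(password, state.salt)
    return True, "ok"


def check_password(state, password):
    if not state.configured:
        return False
    return hmac.compare_digest(_hash(password, state.salt), state.pw_hash)


def handle(state, path, form=None, auth_password=None):
    """Dispatch one LAN-side request; returns (status, redirect-or-body).

    Unconfigured device: everything but the setup page redirects to it.
    Configured device: the setup page disappears and pages need the password.
    """
    form = form or {}
    if not state.configured:
        if path == "/setup" and form:
            ok, msg = set_password(state, form.get("password", ""))
            return (303, "/") if ok else (400, "Rejected: password " + msg)
        if path == "/setup":
            return (200, "setup page: choose an admin password")
        return (303, "/setup")
    if path == "/setup":
        return (404, "")  # only a physical reset brings the gate back
    if auth_password is None or not check_password(state, auth_password):
        return (401, "")
    return (200, "console: " + path)


if __name__ == "__main__":
    s = ConsoleState()
    print(handle(s, "/"))                                   # (303, '/setup')
    print(handle(s, "/setup", {"password": "admin"}))        # rejected
    print(handle(s, "/setup", {"password": "correct horse battery"}))
    print(handle(s, "/", auth_password="correct horse battery"))
```

Two design points worth noting: the gate is decided by whether a hash exists at all, not by comparing against a known default, so there is no default credential to leak; and the rejection of short or factory-default values happens on the device, so a user who never reads the manual still cannot leave the console in the state the article's attack depends on.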
If you leave the keys in your car it might get stolen. Cars should forcibly eject you and your keys from the car and then lock themselves up to resolve this bug.