DefenseCode turns up Linksys zero-day

With more than 70 million home networking devices in service, a zero-day for Linksys has a very wide reach. According to DefenseCode, an information security consultancy, that’s just what turned up in a recent product evaluation for a client. The company has not released full details of the root access vulnerability yet, but …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters Silver badge
    Angel

    If 2013 continues in this way, we gonna get reamed

    Good job.

    What kind of Linksys gear does this affect? Clearly it must be running a Linux. I have those WLAN routers with Linux on them...

    1. Notas Badoff
      WTF?

      Re: If 2013 continues in this way, we gonna get reamed

      "The vulnerability affects all versions of Linksys firmware up to and including the current version, 4.30.14." And linked article mentions WRT54GL.

      Only... I have a WRT54G that says it is "Firmware Version: v8.0.0".

      Why is there so much 'information' out there that is simply 'misdirection'?

  2. This post has been deleted by its author

  3. Grogan Silver badge

    It probably only works on the local side

    I'd be more worried if the exploit worked on the WAN IP side. That's firewalled though (with SPI enabled by default), so it's unlikely.

    So, someone who keeps untrustworthy people off their network (or at least untrustworthy people who would do something like this) doesn't really have as much to worry about. People who allow public access (a lot of Linksys routers, in fact WRT54GL, are in use in coffee shops etc.) should be walking on their arse cheeks reading this, though.

    I always use DD-WRT when I provide a router. While I wouldn't be surprised if there were exploits for that too, it probably won't be this one.

    1. Anonymous Coward

      Re: It probably only works on the local side

      Yes, but it'll probably get patched sooner in DD-WRT and friends before Cisco/Linksys come out with an official patch for all their firmware releases.

    2. Ole Juul

      Re: It probably only works on the local side

      Agreed. I bet it doesn't work on the WAN side. All my Linksys routers have Tomato now, but I'm pretty sure that the stock firmware has remote management (under admin) disabled by default. I suspect this vulnerability is insignificant in the real world.

      1. Another User

        Re: It probably only works on the local side

        Leon Juranicvor, CEO DefenseCode, confirms that this vulnerability does not work from the internet.

        Asked whether Tomato, Robin, dd-wrt, Free-wrt are vulnerable he only points to busybox. As all of these share a common heritage I take this as a hint that all are vulnerable. In two weeks we will know more...

        Quotes on Youtube:

        ...We're still investigating some tricks to exploit this vulnerability from the internet, but for now, yes - it seems safe from the outside of the network. Of course, unless services are available from the internet. ...

        ... Pause video on 1:51 my friend. It's busybox, right? :)

  4. This post has been deleted by its author

  5. Fuzz

    I guess

    I guess you could craft a drive-by exploit that used a user's PC to take control of the router and then you could install some sort of SMTP gateway on the router and use that to send spam, but it's a bit of a long shot. You'd need to find the combination of a computer vulnerable to your drive-by that's also connected to a Linksys router. Do people still use Linksys routers? Aside from those that have them running Tomato or DD-WRT etc.

    In the UK most people have a router provided by their ISP and I don't remember seeing any Linksys gear obtained this way.

    1. Grogan Silver badge

      Re: I guess

      Yes, it's a bit of a stretch. If you have that kind of access, getting the user to run a malicious program, you might as well just use the PC for your payload. It would be a more effective trojan and more likely to succeed.

      This would be more useful as an attack tool wielded by someone who already has network access to mess with someone's router.

    2. Grogan Silver badge

      Re: I guess

      I meant to mention... if this attack DOES succeed (either implemented as a trojan, or a manned attack tool) the biggest advantage of owning the router would be to change the DNS servers to your own, that are maliciously configured to direct everyone to nice web sites of your choosing. This way everyone on the network can share the joy.

      So sending this out as a trojan (email, drive-by etc.) wouldn't often succeed, but if it did.... mmmboy.

      By the way, I live in Southern Ontario, Canada and the local ISP here hands out good old-fashioned Linksys WRT54GL routers. (I use them too... well-designed devices that are reliable for a long time.) What's worse is, they lock everyone out of them and put a "Property Of..." sticker over the reset button forbidding its use. (Of course you could do it anyway, but...) I highly doubt they are going to phone everyone and tell them to bring their routers in for a firmware upgrade. (Not this particular ISP).

    3. Anonymous Coward

      Re: I guess

      Fuzz suggests, "I guess you could craft a drive-by exploit that used a user's PC to take control of the router and then you could install some sort of SMTP gateway on the router and use that to send spam, but it's a bit of a long shot."

      I remember reading about hybrid malware, not too long ago, that infected Windows PCs and some vendor's Linux-based router... it has been done and this type of exploit is currently "in the wild".

      Fuzz asks, "Do people still use Linksys routers? Aside from those that have them running Tomato or DD-WRT etc."

      Since Tomato or DD-WRT could both brick devices, re-flashing firmware is not something that common people would do. Common people are the primary market audience for new devices like these.

      The answer is yes, people still use wireless Linksys routers, because ISPs are not universally shipping DSL modems with 5GHz wireless bands or gigabit Ethernet. I suspect ISPs will not be shipping WiGig devices with GigE when they come out, either.

      If anyone says they are using a native Linksys router & software online, I guess they would be a target for this exploit, so it would probably be best for no one to answer yes to Fuzz's inquiry... lol!

  6. unitron
    FAIL

    Great video! Not!

    Too small to read anything, and if there was any kind of vocal narration it got drowned out by the completely unnecessary music.

    Also, no video of the actual router or the PC hooked up to it, or how it was hooked up.
