If 2013 continues in this way, we gonna get reamed
What kind of Linksys gear does this affect? Clearly it must be running a Linux. I have those WLAN routers with Linux on them...
With more than 70 million home networking devices in service, a zero-day for Linksys has a very wide reach. According to DefenseCode, an information security consultancy that’s just what turned up in a recent product evaluation for a client. The company has not released full details of the root access vulnerability yet, but …
"The vulnerability affects all versions of Linksys firmware up to and including the current version, 4.30.14." And linked article mentions WRT54GL.
Only... I have a WRT54G that says it is "Firmware Version: v8.0.0".
Why is there so much 'information' out there that is simply 'misdirection'?
This post has been deleted by its author
I'd be more worried if the exploit worked on the WAN IP side. That's firewalled though (with SPI enabled by default), so it's unlikely.
So, someone who keeps untrustworthy people off their network (or at least untrustworthy people who would do something like this) doesn't really have as much to worry about. People who allow public access (a lot of Linksys routers, in fact WRT54GL, are in use in coffee shops etc.) should be walking on their arse cheeks reading this, though.
I always use DD-WRT when I provide a router. While I wouldn't be surprised if there were exploits for that too, it probably won't be this one.
Agreed. I bet it doesn't work on the WAN side. All my Linksys routers have Tomato now, but I'm pretty sure that the stock firmware has remote management (under admin) disabled by default. I suspect this vulnerability is insignificant in the real world.
Leon Juranicvor, CEO DefenseCode confirms that this vulnerabilty does not work from the internet.
Asked whether Tomato, Robin, dd-wrt, Free-wrt are vulnerable he only points to busybox. As all of these share a common heritage I take this as a hint that all are vulnerable. In two weeks we will know more...
Quotes on Youtube:
...We're still investigating some tricks to exploit this vulnerability from the internet, but for now, yes - it seems safe from the outside of the network. Of course, unless services are available from the internet. ...
... Pause video on 1:51 my friend. It's busybox, right?. :)
This post has been deleted by its author
I guess you could craft a drive by exploit that used a users PC to take control of the router and then you could install some sort of smtp gateway on the router and use that to send spam but it's a bit of a long shot. You'd need to find the combination of a computer vulnerable to your drive by that's also connected to a linksys router. Do people still use linksys routers? Aside from those that have them running tomato or dd-wrt etc.
In the UK most people have a router provided by their ISP and I don't remember seeing any linksys gear obtained this way.
Yes, it's a bit of a stretch. If you have that kind of access, getting the user to run a malicious program, you might as well just use the PC for your payload. It would be a more effective trojan and more likely to succeed.
This would be more useful as an attack tool wielded by someone who already has network access to mess with someone's router.
I meant to mention... if this attack DOES succeed (either implemented as a trojan, or a manned attack tool) the biggest advantage of owning the router would be to change the DNS servers to your own, that are maliciously configured to direct everyone to nice web sites of your choosing. This way everyone on the network can share the joy.
So sending this out as a trojan (email, drive-by etc.) wouldn't often succeed, but if it did.... mmmboy.
By the way, I live in Southern Ontario, Canada and the local ISP here hands out good old fashioned Linksys WRT54GL routers. (I use them too... well designed devices that are reliable for a long time) What's worse is, they lock everyone out of them and put a "Property Of..." sticker over the reset button forbidding its use. (Of course you could do it anyway, but...) I highly doubt they are going to phone everyone and tell them to bring their routers in for a firmware upgrade. (Not this particular ISP).
Fuzz suggests, "I guess you could craft a drive by exploit that used a users PC to take control of the router and then you could install some sort of smtp gateway on the router and use that to send spam but it's a bit of a long shot."
I remember reading about hybrid malware, not too long ago, that infected Windows PC and some vendor's Linux based router... it has been done and this type of exploit is currently "in the wild".
Fuzz asks, "Do people still use linksys routers? Aside from those that have them running tomato or dd-wrt etc."
Since Tomato or DD-WRT could both brick devices, re-flashing firmware is not something that common people would do. Common people are the primary market audience for new devices like these.
The answer is yes, people still use wireless Linksys routers, because ISP's are not universally shipping DSL modems with 5GHz wireless bands or gigabit ethernet. I suspect ISP's will not be shipping WiGig devices with GigE when they come out, either.
if anyone says they are using a native linksys router & software on-line, I guess they would be a target for this exploit, so it would probably be best for no one to answer yes to Fuzz's inquiry... lol!
Biting the hand that feeds IT © 1998–2020