Newsgroup: alt.computer.security

#1
07-04-2007, 07:37 AM
Debbie Hurley
Help my Linksys WRT54G router was broken into using the "curl" command

It's way too easy to break into the Linksys WRT54G router!

Instantly bypassing the administrator password, my fifteen-year old
neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
in ten seconds simply by sending this one "curl" command to it via the
Internet from his home next door!

c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

This kid was kind enough to knock on my door today to tell me to fix it.

I invited him in, and from inside my own house, he showed me the Linksys
WRT54G command above which immediately disabled all my wireless security
WITHOUT him having to enter any password!

He showed me how to disable remote administration but he said the
vulnerability still exists until I get a new router. I can't believe
everyone with a Linksys WRT54G router is throwing it in the garbage.

Where/how can I find a firmware update that protects me from this
vulnerability?

#2
07-04-2007, 08:40 AM
kev
Re: Help my Linksys WRT54G router was broken into using the "curl" command

Debbie Hurley wrote:
> It's way too easy to break into the Linksys WRT54G router!
>
> Instantly bypassing the administrator password, my fifteen-year old
> neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> in ten seconds simply by sending this one "curl" command to it via the
> Internet from his home next door!
>
> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri


Unless I am getting old, if he posted this command via the Internet
it would have got him nowhere. The curl -d command would post the data
to 192.168.0.1, which is not a public IP address available on the
Internet, and would have given him a timeout, unless his router
address is 192.168.0.1.
>
> This kid was kind enough to knock on my door today to tell me to fix it.
>
> I invited him in, and from inside my own house, he showed me the Linksys
> WRT54G command above which immediately disabled all my wireless security
> WITHOUT him having to enter any password!


For him to use this command on your computer implies you are using a
Linux distribution and have installed curl and should know what it is
capable of doing.
http://curl.haxx.se/docs/manpage.html#URL
>
> He showed me how to disable remote administration but he said the
> vulnerability still exists until I get a new router. I can't believe
> everyone with a Linksys WRT54G router is throwing it in the garbage.
>
> Where/how can I find a firmware update that protects me from this
> vulnerability?

#3
07-04-2007, 11:38 AM
Larry Finger
Re: Help my Linksys WRT54G router was broken into using the "curl" command

kev wrote:
> Debbie Hurley wrote:
>> It's way too easy to break into the Linksys WRT54G router!
>>
>> Instantly bypassing the administrator password, my fifteen-year old
>> neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
>> in ten seconds simply by sending this one "curl" command to it via the
>> Internet from his home next door!
>>
>> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

>
> Unless I am getting old then if he posted this command via the Internet
> it would have got him nowhere. The curl -d command would post the data
> to 192.168.0.1 which is not a public IP address available on the
> Internet and would have given him a timeout, unless his router
> address is 192.168.0.1.
>>
>> This kid was kind enough to knock on my door today to tell me to fix it.
>>
>> I invited him in, and from inside my own house, he showed me the Linksys
>> WRT54G command above which immediately disabled all my wireless security
>> WITHOUT him having to enter any password!

>
> For him to use this command on your computer implies you are using a
> Linux distribution and have installed curl and should know what it is
> capable of doing.
> http://curl.haxx.se/docs/manpage.html#URL
>>
>> He showed me how to disable remote administration but he said the
>> vulnerability still exists until I get a new router. I can't believe
>> everyone with a Linksys WRT54G router is throwing it in the garbage.
>>
>> Where/how can I find a firmware update that protects me from this
>> vulnerability?


With the IP Address changed to 192.168.1.1, my WRT54G returned "curl: (52) Empty reply from server"
and encryption was still on. Using 192.168.0.1, it timed out. I don't know what is different with
your system, but it seems not to be a general problem.

Larry

#4
07-04-2007, 12:42 PM
kev
Re: Help my Linksys WRT54G router was broken into using the "curl" command

Larry Finger wrote:

>
> With the IP Address changed to 192.168.1.1, my WRT54G returned "curl:
> (52) Empty reply from server" and encryption was still on. Using
> 192.168.0.1, it timed out. I don't know what is different with your
> system, but it seems not to be a general problem.
>
> Larry

The Firmware V 1.0.0.6 suggests they are playing with the Version 5
router which used Vxworks, so I don't know what the commands were for
that and I can't really be bothered to search for them.

#5
07-04-2007, 01:35 PM
Leythos
Re: Help my Linksys WRT54G router was broken into using the "curl" command

In article <o8Iii.3150$rL1.1881@newssvr19.news.prodigy.net>,
dhurley@ieaccess.net says...
> It's way too easy to break into the Linksys WRT54G router!
>
> Instantly bypassing the administrator password, my fifteen-year old
> neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> in ten seconds simply by sending this one "curl" command to it via the
> Internet from his home next door!
>
> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>
> This kid was kind enough to knock on my door today to tell me to fix it.
>
> I invited him in, and from inside my own house, he showed me the Linksys
> WRT54G command above which immediately disabled all my wireless security
> WITHOUT him having to enter any password!
>
> He showed me how to disable remote administration but he said the
> vulnerability still exists until I get a new router. I can't believe
> everyone with a Linksys WRT54G router is throwing it in the garbage.
>
> Where/how can I find a firmware update that protects me from this
> vulnerability?


While I've not verified it, you should have googled for basic security
methods and you would have found that you need to change the default
subnet to something else, keeping the 192.168.0, which is the default,
is always a bad idea.

192.168.0 and 192.168.1 are common default subnets for home routers,
don't use them.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've include does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.

#6
07-04-2007, 02:29 PM
Debbie Hurley
Re: Help my Linksys WRT54G router was broken into using the "curl" command

On Wed, 04 Jul 2007 09:40:25 +0100, kev wrote:
>> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

>
> Unless I am getting old then if he posted this command via the Internet
> it would have got him nowhere. The curl -d command would post the data
> to 192.168.0.1 which is not a public IP address available on the
> Internet and would have given him a timeout, unless his router
> address is 192.168.0.1.


I called him about this just now. He said there were two easy ways to wipe
out the security of any Linksys WRT54G router without having to enter any
login information by taking advantage of Linksys widespread "access
control error" vulnerabilities.

The first was to access my router by its IP address and then to do a
remote configuration into the router that way. I had the remote
configuration enabled so he showed me how to disable that in the router so
the average person wouldn't disable my router security from half way around
the world. He says it definitely can be done remotely and said he'd mail me
the instructions. He ended with saying that anyone who says it can't be
done doesn't know what they're talking about. I'll wait for his
instructions before I go any further on that.

#7
07-04-2007, 02:32 PM
Todd H.
Re: Help my Linksys WRT54G router was broken into using the "curl" command

Debbie Hurley <dhurley@ieaccess.net> writes:
> It's way too easy to break into the Linksys WRT54G router!
>
> Instantly bypassing the administrator password, my fifteen-year old
> neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> in ten seconds simply by sending this one "curl" command to it via the
> Internet from his home next door!
>
> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>


Among the reasons having wireless security disabled and letting
neighbors join your local network for free is a bad idea.

> He showed me how to disable remote administration but he said the
> vulnerability still exists until I get a new router. I can't believe
> everyone with a Linksys WRT54G router is throwing it in the garbage.
>
> Where/how can I find a firmware update that protects me from this
> vulnerability?


http://www.securityfocus.com/archive/1/452020


or... use third party firmware such as

http://www.dd-wrt.com/
http://openwrt.org/

--
Todd H.
http://www.toddh.net/

#8
07-04-2007, 02:34 PM
Debbie Hurley
Re: Help my Linksys WRT54G router was broken into using the "curl" command

On Wed, 04 Jul 2007 09:40:25 +0100, kev wrote:
> For him to use this command on your computer implies you are using a
> Linux distribution and have installed curl and should know what it is
> capable of doing.
> http://curl.haxx.se/docs/manpage.html#URL


No. He showed me how to do it on my OWN Windows computer.
All he did was download curl from http://curl.haxx.se/download.html and put
the windows binary into my c:\os\winxp\system32\curl.exe location.

He told me curl works on just about every operating system in the world,
and from the looks of the web page above, it sure looks like it.
http://www.paehl.com/open_source/index.php?CURL_7.16.3

When I type Start cmd and then curl, I get a response of:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\My Stuff\Documents and Settings\debbie>curl
curl: try 'curl --help' or 'curl --manual' for more information

#9
07-04-2007, 02:36 PM
Todd H.
Re: Help my Linksys WRT54G router was broken into using the "curl" command

comphelp@toddh.net (Todd H.) writes:

> Debbie Hurley <dhurley@ieaccess.net> writes:
> > It's way too easy to break into the Linksys WRT54G router!
> >
> > Instantly bypassing the administrator password, my fifteen-year old
> > neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> > in ten seconds simply by sending this one "curl" command to it via the
> > Internet from his home next door!
> >
> > c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
> >

>
> Among the reasons having wireless security disabled and letting
> neighbors join your local network for free is a bad idea.


I meant to paste this vulnerability of v5 wrt54g's here:

Linksys WRT54GS POST Request Configuration Change Authentication
Bypass Vulnerability
http://www.securityfocus.com/bid/19347/references

It's a known issue. The fix is to upgrade firmware per the link
below.

> > He showed me how to disable remote administration but he said the
> > vulnerability still exists until I get a new router. I can't believe
> > everyone with a Linksys WRT54G router is throwing it in the garbage.
> >
> > Where/how can I find a firmware update that protects me from this
> > vulnerability?

>
> http://www.securityfocus.com/archive/1/452020
>
>
> or... use third party firmware such as
>
> http://www.dd-wrt.com/
> http://openwrt.org/


And I'd have a chat with the parents of the kid, thanking him for
bringing the issue to your attention, but also warning him that his
"gray hat" activities can get him sent to jail, despite being well
meaning.

You don't "test" stuff you don't own or are engaged to test with
written legal permission of the owner.


Some news stories to drive the point home:

http://news.com.com/2009-1001-958129.html
http://news.zdnet.com/2100-1009_22-958920.html


Best Regards,
--
Todd H.
http://www.toddh.net/

#10
07-04-2007, 02:42 PM
Debbie Hurley
Re: Help my Linksys WRT54G router was broken into using the "curl" command

On Wed, 04 Jul 2007 11:38:05 GMT, Larry Finger wrote:

> With the IP Address changed to 192.168.1.1, my WRT54G returned "curl: (52) Empty reply from server"
> and encryption was still on. Using 192.168.0.1, it timed out. I don't know what is different with
> your system, but it seems not to be a general problem.


I just grabbed my horrified notes from yesterday.

Try this which is the simplified test my neighbor wrote down for me when he
showed it to me yesterday - and let us know if it disables your Linksys
WRT54G router security without asking for a password.

1. Assume the vulnerable WRT54G Linksys router (mine is v5 v1.0.0.6).
2. Connect a yellow wire from the router to the computer
3. Install curl on Windows XP from http://curl.haxx.se/download.html
4. Add curl to your path (or put it in system32)
5. Start Run cmd telnet 192.168.0.1 80
6. Enter the web command to disable wireless security
POST /Security.tri
SecurityMode=0&layout=en
7. Look at your router to see you now have NO SECURITY!

He said the only reason we used the wire was to make it easier to show me.
He even did it wirelessly while out on my driveway outside my house. He
said ANYONE could do it from the Internet if they knew my IP address.
Luckily, he said nobody knows my IP address. Whew!

I didn't realize using a Linksys WRT54G router was so dangerous!

#11
07-04-2007, 02:45 PM
Debbie Hurley
Re: Help my Linksys WRT54G router was broken into using the "curl" command

On Wed, 04 Jul 2007 13:42:28 +0100, kev wrote:
> The Firmware V 1.0.0.6 suggests they are playing with the Version 5
> router which used Vxworks, so I don't know what the commands were for
> that and I can't really be bothered to search for them.


On the bottom of the Linksys WRT54G router it says it's version 5.

My neighbor has been sending me emails as I told him about this thread.
He says it happens with a lot of versions, his being a Linksys WRT54g home
router, firmware revision 1.00.9 and he says all his friends' routers are
similarly vulnerable which he called the "GENERIC-MAP-NOMATCH"
vulnerability.

#12
07-04-2007, 02:52 PM
Debbie Hurley
Re: Help my Linksys WRT54G router was broken into using the "curl" command

On Wed, 4 Jul 2007 09:35:17 -0400, Leythos wrote:
> While I've not verified it, you should have googled for basic security
> methods and you would have found that you need to change the default
> subnet to something else, keeping the 192.168.0, which is the default,
> is always a bad idea.
>
> 192.168.0 and 192.168.1 are common default subnets for home routers,
> don't use them.


My neighbor says what you said above is totally wrong in that it doesn't
matter what IP address I use because he uses something called winpcap to
snare the router IP address off the air!

He says he gets an "ARP" from a program called ethereal which tells him all
the "who" and "tell" arp commands which tells him every router's IP address
in the neighborhood. So he called it 'smoke and mirrors' to change my IP
address.

That's why he suggested I find a patch to the Linksys WRT54G
GENERIC-MAP-NOMATCH vulnerability.

By the way, he said there are more than one vulnerabilities. I asked him to
show me in writing and he just sent me something which I'll post to you
once I clean it up a bit.

#13
07-04-2007, 03:03 PM
Jeff Liebermann
Re: Help my Linksys WRT54G router was broken into using the "curl" command

Debbie Hurley <dhurley@ieaccess.net> hath wroth:

>It's way too easy to break into the Linksys WRT54G router!
>
>Instantly bypassing the administrator password, my fifteen-year old
>neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
>in ten seconds simply by sending this one "curl" command to it via the
>Internet from his home next door!
>
>c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri


Old bugs never die. They just get reposted:
<http://seclists.org/bugtraq/2006/Aug/0218.html>
<http://securitytracker.com/alerts/2006/Aug/1016638.html>
<http://www.securityfocus.com/bid/19347/exploit>
<http://archive.cert.uni-stuttgart.de/bugtraq/2006/08/msg00129.html>
etc...
Note the dates from about a year ago. This was fixed with a firmware
update to the v5/v6 hardware mutation router with v1.01.0. The
current version is v1.02.0. Please download, install, and retest.

All the routers I have handy are running DD-WRT v23 SP2 and SP3. The
curl trick doesn't work on any of them from either Ubuntu 6.10 or
Cygwin 1.5.xx on W2K.

You must really be concerned as you also posted the comment to the
Linksys Forums at:
<http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&thread.id=49502>

>This kid was kind enough to knock on my door today to tell me to fix it.


Nice kid. Be sure to thank him. If you're in the computah biz, hire
him.

>I invited him in, and from inside my own house, he showed me the Linksys
>WRT54G command above which immediately disabled all my wireless security
>WITHOUT him having to enter any password!


If he's doing it from the LAN side, that's cheating a bit. In order
to do the same thing from the WAN side, your router would need to have
remote admin enabled, which is disabled by default. Note the default
settings:
<http://www.linksysdata.com/ui/WRT54G/v5/1.00.6/Manage.htm>
This is v1.00.6.

>He showed me how to disable remote administration but he said the
>vulnerability still exists until I get a new router.


If remote admin was enabled, someone has been tinkering with the
default setup.

Incidentally, all the router manufacturers, except 2Wire, ship their
routers not very secure by default. If you simply plugged the router
in straight out of the box, you have a wide open system, with well-known
passwords, and an invitation for problems. I've been trying to
get various manufacturers to change their evil ways and start shipping
routers that require the user to set up:
1. A suitable router password
2. A unique SSID
3. A reasonable WPA-PSK encryption key
The wireless would be disabled until this is done. None of them want
to do this for fear that it would diminish your "out of box
experience".

>I can't believe
>everyone with a Linksys WRT54G router is throwing it in the garbage.


I've been tempted quite often as there are plenty of other things I
detest about the WRT54G/GS v5 and v6 mutations. The general lack of
RAM and NVRAM are my biggest gripe, which make loading alternative
firmware a PITA. v5 and v6 routers also tend to lockup and hang for
no obvious reason. The inability to simultaneously connect more than
a few clients:
http://www.smallnetbuilder.com/compo...189/chart,124/
(see bottom of chart) in v5 and v6 also sucks. Yeah, it's a terrible
router. If you're planning on recycling yours, please mail it to the
address in my .signature.

>Where/how can I find a firmware update that protects me from this
>vulnerability?


The kid didn't tell you this? First he breaks in. He leaves remote
admin turned on so he can break in again. Then he shows you how it
works, but doesn't tell you how to fix it? Is he selling wireless
routers door to door? Smart kid.

Perhaps you should try the Linksys support web pile:
<http://www.linksys.com/servlet/Satellite?c=L_CASupport_C2&childpagename=US%2FLayout&cid=1166859837401&packedargs=sku%3DWRT54G&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=3740137401B01&displaypage=download>
Your WRT54G hardware mutation number is on the serial number tag on
the bottom of the router.


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#14
07-04-2007, 03:13 PM
Debbie Hurley
Re: Help my Linksys WRT54G router was broken into using the "curl" command

On 04 Jul 2007 09:32:11 -0500, Todd H. wrote:
>> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

> Among the reasons having wireless security disabled and letting
> neighbors join your local network for free is a bad idea.


But, he showed me it works while WIRED to my vulnerable Linksys WRT54G
router! He said the GENERIC-MAP-NOMATCH vulnerability has nothing to do
with wireless. It's inherent in the Linksys WRT54G router unfortunately!

Here is his email talking about TWO vulnerabilities in the Linksys WRT54G
router!

"You have two problems. The first is the password validation for
configuration settings is not needed for your Linksys WRT54G router and the
second is that with java turned on any web site anywhere can force a
request to the linksys router, and the router will accept the request."

He also sent me a 2600 web address explaining the whole thing but I didn't
understand it at all.

#15
07-04-2007, 03:16 PM
Debbie Hurley
Re: Help my Linksys WRT54G router was broken into using the "curl" command

On 04 Jul 2007 09:36:41 -0500, Todd H. wrote:
> I meant to paste this vulnerability of v5 wrt54g's here:
> Linksys WRT54GS POST Request Configuration Change Authentication
> Bypass Vulnerability
> http://www.securityfocus.com/bid/19347/references
> It's a known issue. The fix is to upgrade firmware per the link
> below.


Here is a forwarded email which explains the severe Linksys WRT54G
vulnerability I'm afraid. It looks like this vulnerability which allows any
web site to disable your browser security has been around for a long time
based on the time stamps of the email!

Debbie

Date: Fri, 04 Aug 2006 14:00:01 +0000
From: "Ginsu Rabbit" <ginsurabbit@hotmail.com>
Subject: [Full-disclosure] linksys WRT54g authentication bypass

I'm having some trouble believing this hasn't been reported before. If you
have a linksys router handy, please check to see whether it is vulnerable
to this attack. It's possible that all of the linksys router web UIs have
the same bug. Hopefully the problem is isolated to one particular model or
firmware revision.

I. DESCRIPTION

Tested product: Linksys WRT54g home router, firmware revision 1.00.9.

Problem #1: No password validation for configuration settings.

The WRT54g does not attempt to verify a username and password when
configuration settings are being changed. If you wish to read
configuration settings, you must provide the administrator ID and password
via HTTP basic authentication. No similar check is done for configuration
changes.

This request results in a user-id and password prompt:
GET /wireless.htm

This request disables wireless security on the router, with no password
prompt:
POST /Security.tri
Content-Length: 24

SecurityMode=0&layout=en

Problem #2: Cross-site request forgery

The web administration console does not verify that the request to change
the router configuration is being made with the consent of the
administrator. Any web site can force a browser to send a request to the
linksys router, and the router will accept the request.


II. Exploitation

The combination of these two bugs means that any internet web site can
change the configuration of your router. Recently published techniques for
port-scanning and web server finger printing via java and javascript make
this even easier. The attack scenario is as follows:

- intranet user visits a malicious web site
- malicious web site returns specially crafted HTML page
- intranet user's browser automatically sends a request to the router that
enables the remote administration interface
- the owner of the malicious web site now has complete access to your
router

I'm not going to share the "specially crafted HTML page" at this time, but
it isn't all that special.


III. DETECTION

If your router is vulnerable, the following curl command will disable
wireless security on your router. Tests for other router models and
firmware revisions may be different:

curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri


IV. MITIGATION

1) Make sure you've disabled the remote administration feature of your
router. If you have this "feature" enabled, anybody on the internet can
take control of the router.

2) Change the IP address of the router to a random value, preferably in the
range assigned to private networks. For example, change the IP address to
10.x.y.z, where x, y, and z are numbers between 0 and 255 inclusive. This
makes it more difficult for an attacker to forge the request necessary to
change the router configuration. This mitigation technique might not help
much if you have a java-enabled browser, because of recently published
techniques for determining gateway addresses via java applets.

3) Disable HTTP access to the administration interface of the router,
allowing only HTTPS access. Under most circumstances, this will cause the
browser to show a certificate warning before the configuration is changed.

V. VENDOR NOTIFICATION

Linksys customer support was notified on June 24, 2006.
Full disclosure on August 4, 2006
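The two problems in the forwarded advisory (unauthenticated configuration changes, and cross-site request forgery against the admin UI) can be modelled in a few lines. This is an added illustration, not code from the thread, from Linksys, or from the advisory's author: a Python model of the admin-UI authorization policy, the flawed version beside a hardened one. The credential, the request dictionaries and the X-CSRF-Token header are constructed for the example.

```python
import base64
import hmac
import secrets

# Constructed credential for the model; a real router's value is whatever the
# owner set (or the factory default, which is the other problem on this page).
ADMIN_USER = "admin"
ADMIN_PASSWORD = "correct-horse-battery"
ROUTER_ORIGIN = "http://192.168.0.1"   # address used in the thread's command


def _basic_auth_ok(headers):
    """Validate an HTTP Basic Authorization header against the admin credential."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # constant-time comparison so wrong guesses all take the same time
    return (hmac.compare_digest(user.encode(), ADMIN_USER.encode())
            and hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode()))


def vulnerable_authorize(request):
    """Problem #1 as the advisory describes it: reads are password-protected,
    configuration changes are not. Returns an HTTP status code."""
    if request["method"] == "GET":
        return 200 if _basic_auth_ok(request["headers"]) else 401
    return 200  # POST /Security.tri and friends are accepted from anyone


def _same_origin(headers):
    """True when Origin (or, failing that, Referer) names the router's own UI."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin == ROUTER_ORIGIN or origin.startswith(ROUTER_ORIGIN + "/")


def hardened_authorize(request, session_token):
    """Hardened policy: authenticate every request, and require state-changing
    requests to prove they came from the router's own pages (same-origin check
    plus a per-session anti-CSRF token), which addresses problem #2."""
    if not _basic_auth_ok(request["headers"]):
        return 401
    if request["method"] in ("GET", "HEAD"):
        return 200
    if not _same_origin(request["headers"]):
        return 403  # request was forged by a page served from another site
    supplied = request["headers"].get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return 403  # token missing or wrong
    return 200


def _auth_header():
    return "Basic " + base64.b64encode(
        f"{ADMIN_USER}:{ADMIN_PASSWORD}".encode()).decode()


def run_scenarios():
    """Replay constructed requests through both policies.
    Returns {scenario: (vulnerable_status, hardened_status)}."""
    token = secrets.token_hex(16)     # token the hardened UI would embed in its forms
    body = "SecurityMode=0&layout=en"  # the form body quoted in the thread
    post = {"method": "POST", "path": "/Security.tri", "body": body}
    scenarios = {
        # the request from the thread: no credentials at all
        "unauth_post_security_tri": {**post, "headers": {}},
        # reading a page prompts for a password under both policies
        "unauth_get_wireless": {"method": "GET", "path": "/wireless.htm",
                                "headers": {}, "body": ""},
        # problem #2: the browser attaches the admin's cached credentials, but
        # the page that triggered the request came from somewhere else
        "auth_post_cross_site": {**post, "headers": {
            "Authorization": _auth_header(),
            "Origin": "http://malicious.example"}},
        # legitimate change submitted from the router's own configuration page
        "auth_post_same_origin": {**post, "headers": {
            "Authorization": _auth_header(),
            "Origin": ROUTER_ORIGIN,
            "X-CSRF-Token": token}},
    }
    return {name: (vulnerable_authorize(req), hardened_authorize(req, token))
            for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, (old, new) in run_scenarios().items():
        print(f"{name:28s} vulnerable={old} hardened={new}")
```

The same-origin check on its own is why mitigation 3 in the advisory (HTTPS only, so a forged request trips a certificate warning) is weaker than rejecting the request outright: the hardened policy never lets a cross-site POST reach the configuration code.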

#16
07-04-2007, 03:23 PM
Warren Oates
Re: Help my Linksys WRT54G router was broken into using the "curl" command

In article <MlOii.45173$5j1.24438@newssvr21.news.prodigy.net>,
Debbie Hurley <dhurley@ieaccess.net> wrote:

> 2. Connect a yellow wire from the router to the computer


Okay.
--
W. Oates

#17
07-04-2007, 03:32 PM
Debbie Hurley
Re: Help my Linksys WRT54G router was broken into using the "curl" command

On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann wrote:
> <http://seclists.org/bugtraq/2006/Aug/0218.html>
> <http://securitytracker.com/alerts/2006/Aug/1016638.html>
> <http://www.securityfocus.com/bid/19347/exploit>
> <http://archive.cert.uni-stuttgart.de/bugtraq/2006/08/msg00129.html>
> You must really be concerned as you also posted the comment to the
> Linksys Forums.


> Note the dates from about a year ago. This was fixed with a firmware
> update to the v5/v6 hardware mutation router with v1.01.0. The
> current version is v1.02.0. Please download, install, and retest.


Hi Jeff!
Yes. I am really concerned. And scared that it takes all of ten seconds to
break into my router by a fifteen year old cute kid who mows my lawn every
month. I believe him when he says I need to upgrade my router. You are the
only one here who believed me. Thank you. Thank you. Thank you. For a
moment, I thought I was going crazy when the "experts" were telling me what
I saw I didn't see. I felt like I was being persecuted for reporting this.
I didn't realize that the Linksys WRT54G router I bought was so weak. Why
didn't Linksys TELL me about this in the package? I have never updated my
"firmware" before. Can you hold my hand a bit and tell me how to do
it? I don't want to ruin the router.

I'll first read everything I can find on updating the router and then post
back if I ruin it doing so. I can read well but I don't know how to debug
once I hit a problem. But I keep trying and that's why I'm here talking to
you!

Thank you - I love your post the best because I was beginning to wonder why
nobody else knew about this which seemed pretty bad that it took all of ten
seconds to wipe out all my hardware security.

BTW, my neighbor said to change my IP address and the hostname and media
address of my router and pc constantly because that's what he used to
figure out which was mine in the neighborhood. Is there a way to change the
router & PC hostname and media name automatically every day or do I have to
do it manually every day to be safe?

#18
07-04-2007, 03:35 PM
Debbie Hurley
Re: Help my Linksys WRT54G router was broken into using the "curl" command

On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann wrote:
>>I can't believe
>>everyone with a Linksys WRT54G router is throwing it in the garbage.

>
> I've been tempted quite often as there are plenty of other things I
> detest about the WRT54G/GS v5 and v6 mutations.


One thing I'd like to do is change the login name!
I asked on the linksys forums and will check to see if there is a way to
change the login name from just a dumb blank stare to something interesting
so others can't get in so easily through the front door of the router.

I will also read up on how to upgrade the firmware of my router using your
links. Thanks. I love you!

#19
07-04-2007, 03:45 PM
Debbie Hurley
Re: Help my Linksys WRT54G router was broken into using the "curl" command

On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann wrote:
> I've been trying to get various manufacturers to change their
> evil ways and start shipping routers that require the user to setup
> 1. A suitable router password


What I don't get is why the Linksys WRT54G router has a password but not a
login name. Wouldn't it be MORE SECURE if I could change the login name?

I can type anything I want into the login name field but it doesn't take.

Am I doing something wrong?

Why does the Linksys v5 WRT54G router have a login name if it isn't used?
Likewise with the host name. Why does it have a host name that isn't used
and why can't I just set the hostname to a blank.

It seems topsy turvy to me. Am I wrong?

#20
07-04-2007, 04:03 PM
Todd H.
Re: Help my Linksys WRT54G router was broken into using the "curl" command

Debbie Hurley <dhurley@ieaccess.net> writes:

> On 04 Jul 2007 09:32:11 -0500, Todd H. wrote:
> >> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

> > Among the reasons having wireless security disabled and letting
> > neighbors join your local network for free is a bad idea.

>
> But, he showed me it works while WIRED to my vulnerable Linksys WRT54G
> router!


This is among the reasons you only let trusted parties on your LAN if
at all possible.

IIRC, it requires LAN access to exploit unless you are running a
non-default configuration whereby remote admin is enabled.

It pertains to wireless insofar as if you don't have wireless security
enabled, then any old neighbor can join to your LAN and then exercise
the vulnerability.

--
Todd H.
http://www.toddh.net/

Reply With Quote
  #21 (permalink)  
Old 07-04-2007, 04:59 PM
Jeff Liebermann
Re: Help my Linksys WRT54G router was broken into using the "curl" command

Debbie Hurley <dhurley@ieaccess.net> hath wroth:

>I believe him when he says I need to upgrade my router.


You don't need a new router. You need a firmware update. No big
deal. What I'm concerned about is how remote access got turned on
and who did it (and why). You might want to interrogate the kid.

>You are the
>only one here who believed me.


Yes, but don't presume it's my good intentions or generous attitude.
The problem is that old bugs tend to come back. One version fixes a
problem, the next version brings it back as sloppy coders recycle old
code. In the software biz, it's part of regression testing.

>I thought I was going crazy when the "experts" were telling me what
>I saw I didn't see.


Chuckle. Ever see any magic tricks or sleight of hand? It looks
real, but you just know something is going on in the background. Well,
hacking and breaking in are like that. I derived considerable
entertainment at the expense of a few IT people (who now hate my guts)
breaking into their systems using social engineering, and then making
it look like some kind of vulnerability or systemic problem. Yeah, I
know I have a warped sense of humor, but it keeps me entertained. The
only problem is that the IT people now hate my guts. Oh well.

Anyway, be careful that what you're seeing is actually a break-in or
vulnerability in progress, and not the residue from a previous
break-in. The fact that remote access was apparently enabled makes me
VERY suspicious.

>I felt like I was being persecuted for reporting this.


Well sure. Blame the victim and all that. Nobody wants to be told
their network is full of holes and vulnerable to attack. Why bother
fixing the problem when you can simply discredit the person that found
the problem?

>I didn't realize that the Linksys WRT54G router I bought was so weak.


It's old firmware. Someone goofed and it's been fixed. All vendors
have their security holes and problems.

>Why didn't Linksys TELL me about this in the package?


Actually, that's a good point because I couldn't find it in the
firmware release notes. It's fashionable to disclose vulnerabilities
only after the fixes are available. That's a fair method, but doesn't
work if users like yourself do not perform ritualistic firmware
version checks and updates.

>I have never updated my
>"firmware" before. Can you hand hold my hands a bit to tell me how to do
>it. I don't want to ruin the router.


There are instructions on the Linksys web site (somewhere). It's
basically very easy. Download the firmware image file. Make an extra
effort to be sure you have the correct version and file. You still
haven't bothered to disclose your WRT54G hardware mutation, so I can't
offer specific advice, filenames, and URLs.

Uncompress the download if it's a ZIP file. Go to the firmware update
page:
<http://www.linksysdata.com/ui/WRT54G/v5/1.00.6/Upgrade.htm>
and browse merrily to the .bin (or whatever) file. Hit update and
wait. When you think it's done, wait some more. Figure on about 2
minutes to be safe. With v5/v6, I don't think you have to reset
anything. That's it.

>BTW, my neighbor said to change my IP address and the hostname and media
>address of my router and pc constantly because that's what he used to
>figure out which was mine in the neighborhood. Is there a way to change the
>router & PC hostname and media name automatically every day or do I have to
>do it manually every day to be safe?


Don't bother. Almost all of that manner of improving security
consists of either obscuring your setup or introducing additional
obstacles. Those are good if you enjoy complicating your own life as
well as that of the prospective hacker, but are generally near
worthless. See the FAQ at:
<http://wireless.wikia.com/wiki/Wi-Fi#Wi-Fi_Security>
Your real security is in:
WPA-PSK or WPA2-PSK encryption
Password for router access
Firmware updates
Most of the tweaks are of marginal value.

If you want real security, setup a VPN and a RADIUS server. The
RADIUS server provides a login and password per user, but also
delivers a unique one time WPA encryption key which cannot be leaked.
If I wanted to attack your system, I would not attack the router, but
would try to extract the WPA key from your Windoze registry. See:
<http://www.wirelessdefence.org/Contents/Aircrack-ng_WinWzcook.htm>
A RADIUS server eliminates the use of a shared key, thus preventing it
from being leaked. Ummm... Don't tell the 15 year old brat.

As for your other questions....

>One thing I'd like to do is change the login name!
>I asked on the linksys forums and will check to see if there is a way to
>change the login name from just a dumb blank stare to something interesting
>so others can't get in so easily through the front door of the router.


You can't do that with the stock Linksys firmware. There's only one
user and that's admin. Other routers allow additional users and even
user levels, such as read-only users. If you really want this
feature, the alternative firmware (DD-WRT, OpenWRT) all have
additional users. However, again, this is nothing but security by
obscurity and doesn't provide any real security. Anyway, user names
are supposed to be publicly accessible and not hidden like a password.

Incidentally, one of my accomplices decided that I should test his
system security. He did all the right things, but I still managed to
break in. I tricked him into using his laptop to "test" the security
by claiming my laptop was dead. He stupidly saves all his passwords
in his Firefox browser. It was a simple matter to connect,
automatically login with the saved password, and collect my free
lunch. This is again why I don't like shared keys, stored passwords,
and other convenience features.

>What I don't get is why the Linksys WRT54G router has a password but not a
>login name. Wouldn't it be MORE SECURE if I could change the login name?


Lack of sufficient RAM and NVRAM in the router limits the features
that can be crammed inside. Again, the login name is supposed to be
publicly known and accessible and should not be treated as yet another
password. It also doesn't add much security as the same mechanisms
I've previously listed to bypass passwords will work with login names.

>Am I doing something wrong?


1. You didn't specify WRT54G hardware mutation after being asked by
multiple people for this information.
2. You didn't search with Google to see if it was a known problem.
3. Declared the WRT54G to be worthless BEFORE asking if there was a
fix.
4. Trusted my advice. Don't trust ANYONE about security without
first understanding what you're doing, why it's necessary, and
verifying that it's considered a reasonable thing to do.
5. Posted far too many replies. I'm lazy and don't like hopping from
message to message.

>Likewise with the host name. Why does it have a host name that isn't used
>and why can't I just set the hostname to a blank.


That's been asked before, but with no definitive conclusion. The
current guess is that a hostname is required for syslog to work. It
can be anything, but not blank.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

  #22 (permalink)  
Old 07-04-2007, 05:01 PM
Debbie Hurley
Re: Help my Linksys WRT54G router was broken into using the "curl" command

On Wed, 4 Jul 2007 00:37:07 -0700, Debbie Hurley wrote:

> It's way too easy to break into the Linksys WRT54G router!


So far, here's what people have emailed to my yahoo address or posted here
or in the linksys forum about this horrid WRT54G vulnerability which allows
anyone to eliminate all my security settings in a single curl command
without ever logging into my router.

http://securitytracker.com/alerts/2006/Aug/1016638.html
http://archive.cert.uni-stuttgart.de.../msg00129.html
http://www.securityfocus.com/archive.../30/0/threaded
http://www.securityfocus.com/bid/19347/exploit
http://www.securityfocus.com/bid/19347/references
http://www.securityfocus.com/archive/1/452020
http://www.securityfocus.com/bid/19347/references
http://seclists.org/bugtraq/2006/Aug/0218.html

And the solution is here apparently although I haven't found any
confirmation that it actually works (I need to read more before I get the
confidence to "flash" my router having never flashed anything before).

http://www.linksys.com/servlet/Satel...ypage=download

Debbie


  #23 (permalink)  
Old 07-04-2007, 05:49 PM
Debbie Hurley
Re: Help my Linksys WRT54G router was broken into using the "curl" command

On Wed, 04 Jul 2007 09:59:06 -0700, Jeff Liebermann wrote:

> You don't need a new router. You need a firmware update. No big
> deal.


This recommended reference says the Linksys WRT54G firmware update only
fixes half the problems in that something called "authentication bypass
vulnerability" was fixed but not something called "the CSRF vulnerability"
(http://www.securityfocus.com/archive/1/452020).

> The fact that remote access was apparently enabled makes me
> VERY suspicious.


Yes. It was enabled. I don't know how as I never touched that before. Web
access, whatever that is, was also enabled, as was pnp and a zillion other
things.

> It's old firmware. Someone goofed and it's been fixed. All vendors
> have their security holes and problems.


I understand but I would have thought this would warrant a recall like they
do with cars where you bring it in and they bring it back up to safety
specifications. There's no way they should have sold that router to me with
such an unsafe vulnerability. Why do we recall cars but not routers that
have safety problems?

>>I have never updated my
>>"firmware" before. Can you hand hold my hands a bit to tell me how to do
>>it. I don't want to ruin the router.


> Your real security is in:
> WPA-PSK or WPA2-PSK encryption


Hmmm... that's not one of my options. I have WPA2 Personal on the Linksys
WRT54G router (which I looked up to be the same thing as WPA2 PSK) but I
don't have WPA2-Personal or WPA2-PSK options on my Windows XP fully
updated. Something must be wrong with my windows setup so I will keep
looking to see what I need to fix. At least Microsoft constantly updates my
operating system automatically so I don't have to worry about "flashing"
the computer! :)

>
>>Am I doing something wrong?

> 1. You didn't specify WRT54G hardware mutation after being asked by
> multiple people for this information.

I thought I did. It's version 5, and firmware version v1.00.6.
Is there ANOTHER version I need to be aware of?

> 2. You didn't search with Google to see if it was a known problem.

I did search for "curl" but I didn't know what to look for. I did find the
linksys forums and searched there and posted there the exact same question.
They said to upgrade the firmware and tell them if it worked or not to stop
the next curl attempt.

> 3. Declared the WRT54G to be worthless BEFORE asking if there was a
> fix.

The fix seems good but (see prior) it only fixes "authentication bypass
vulnerability" but not "the CSRF vulnerability" according to the references
cited above.

> 4. Trusted my advice. Don't trust ANYONE about security without
> first understanding what you're doing, why it's necessary, and
> verifying that it's considered a reasonable thing to do.


Huh. I trust you. Aren't you trying to help me?

> 5. Posted far too many replies. I'm lazy and don't like hopping from
> message to message.


Oh. I was trying to be responsive and courteous to my friends who were
trying to help me. I'll stop replying so as to prevent the confusion and
allow you to get me to the point I need to be.

Thank you!
Debbie

BTW, which is the "right" newsgroup forum for this kind of Linksys WRT54G
security vulnerability solution type of question?
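
An added illustration, written for this page and not Linksys firmware code, of why the two items in that reference are separate fixes: a handler that never checks credentials (the curl case), one that checks them but can still be driven by a cross-site form POST from a browser that is already logged in, and one that also demands a same-origin request and a single-use token. The path and form fields are the thread's; the password, status codes and mode values are constructed.

```python
"""Toy model of the two WRT54G Security.tri defects the references separate.

Added example, not Linksys firmware code.  The path, the form fields
(SecurityMode=0&layout=en) and 192.168.0.1 come from the thread; handler
logic, status codes, token scheme and mode values are constructed here."""
import base64
import hmac
import secrets
from urllib.parse import parse_qs

ADMIN_PASSWORD = "constructed-example-password"  # constructed, not a real default
ADMIN_ORIGIN = "http://192.168.0.1"


def make_basic_auth(user, password):
    """Authorization header value a browser caches once logged in."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _basic_auth_ok(headers):
    try:
        scheme, _, blob = headers.get("Authorization", "").partition(" ")
        user, _, pw = base64.b64decode(blob).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    # The stock firmware has a single user, "admin" (per the thread).
    return scheme == "Basic" and user == "admin" and hmac.compare_digest(pw, ADMIN_PASSWORD)


def _parse_mode(body):
    mode = parse_qs(body).get("SecurityMode", [""])[0]
    return int(mode) if mode.isdigit() else None  # None = absent/malformed


class Router:
    def __init__(self):
        self.security_mode = 2  # constructed: 2 = WPA2-PSK, 0 = disabled
        self._csrf_tokens = set()

    def issue_csrf_token(self):
        """Token embedded in the admin form served to a logged-in browser."""
        token = secrets.token_hex(16)
        self._csrf_tokens.add(token)
        return token

    def security_tri_bypass(self, request):
        """Defect 1 (authentication bypass): any POST changes the mode."""
        mode = _parse_mode(request["body"])
        if mode is None:
            return 400
        self.security_mode = mode
        return 200

    def security_tri_auth_only(self, request):
        """After the bypass fix: credentials required, but a browser holding
        cached Basic credentials attaches them to a cross-site form POST."""
        if not _basic_auth_ok(request["headers"]):
            return 401
        return self.security_tri_bypass(request)

    def security_tri_hardened(self, request):
        """Credentials, same-origin Origin/Referer, and a single-use token."""
        if not _basic_auth_ok(request["headers"]):
            return 401
        origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
        if origin != ADMIN_ORIGIN and not origin.startswith(ADMIN_ORIGIN + "/"):
            return 403
        token = parse_qs(request["body"]).get("csrf_token", [""])[0]
        if token not in self._csrf_tokens:
            return 403
        self._csrf_tokens.discard(token)
        return self.security_tri_bypass(request)
```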

  #24 (permalink)  
Old 07-04-2007, 06:47 PM
Jeff Liebermann
Re: Help my Linksys WRT54G router was broken into using the "curl" command

Debbie Hurley <debbie.hurley@yahoo.com> hath wroth:

>This recommended reference says the Linksys WRT54G firmware update only
>fixes half the problems in that something called "authentication bypass
>vulnerability" was fixed but not something called "the CSRF vulnerability"
>(http://www.securityfocus.com/archive/1/452020).


I'll look at it later. It's a holiday and I'm lazy.

>I understand but I would have thought this would warrant a recall like they
>do with cars where you bring it in and they bring it back up to safety
>specifications. There's no way they should have sold that router to me with
>such an unsafe vulnerability. Why do we recall cars but not routers that
>have safety problems?


Easy. Because no router manufacturer has been successfully sued for
damages resulting from security holes, while automobile manufacturers
tend to get sued for anything and everything.

Please note that there are literally a huge number of vulnerabilities in
various computer products. Given time and limited resources, it's
impossible to just TEST for these vulnerabilities, much less find the
time to fix them.

Open Source Vulnerability Database
<http://osvdb.org>

Security and Vulnerability announcements
<http://secunia.com>
Here's the statistics for MS XP Home:
<http://secunia.com/product/16/?task=statistics>
Note that 15% of the 155 vulnerabilities announced since 2003 have NOT
been patched.

>> Your real security is in:
>> WPA-PSK or WPA2-PSK encryption

>
>Hmmm... that's not one of my options.


WPA-PSK is exactly the same as WPA-Personal
WPA-RADIUS is exactly the same as WPA-Enterprise
I traced back where the name change came from. The Wi-Fi Alliance is
more consumer oriented and went for the Personal and Enterprise. The
IEEE is addicted to acronyms and elected to use PSK and RADIUS.

>I have WPA2 Personal on the Linksys
>WRT54G router (which I looked up to be the same thing as WPA2 PSK) but I
>don't have WPA2-Personal or WPA2-PSK options on my Windows XP fully
>updated. Something must be wrong with my windows setup so I will keep
>looking to see what I need to fix.


<http://support.microsoft.com/kb/893357/>
<http://support.microsoft.com/kb/917021/>

>At least Microsoft constantly updates my
>operating system automatically so I don't have to worry about "flashing"
>the computer! :)


Wrong. Microsloth only automagically updates *CRITICAL* updates or
those that compromise security. Optional updates must be downloaded
manually.
Start -> Run -> wupdmgr
It should start IE6 or IE7 and run Windoze update. If it suggests you
upgrade to "Microsoft Update", do it. Then, hit the "Custom" button.
It will grind the hard disk for perhaps 10 minutes deciding what needs
to be updated and present you with a list. Check EVERYTHING, download
and install. Shutdown when it demands and reboot.

You're not done yet. MS Office might need some updates. Start IE6 or
IE7 and go unto:
<http://office.microsoft.com>
In the upper right-hand corner is a tiny, obscure, well-buried button
for Office Update. Pick your version of MS Office and do the updates.

There are also plenty of applications on your machine that could use
an update and may have vulnerabilities. Quicktime, Itunes, Winamp,
etc as well as your favorite virus and spyware scanners all need to be
updated.

If you think this is a drag, you're right. There should be a unified
update and notification mechanism. Not this week. Meanwhile, this is
a good thing for your 15 year old prospective hacker to do after
butchering your lawn.

>> 1. You didn't specify WRT54G hardware mutation after being asked by
>> multiple people for this information.

>I thought I did. It's version 5, and firmware version v1.00.6.
>Is there ANOTHER version I need to be aware of?


Sorry. You did in another message that didn't arrive until after I
posted my reply. This is why I don't like a large number of messages.
I get easily lost.

>> 2. You didn't search with Google to see if it was a known problem.

>I did search for "curl" but I didn't know what to look for. I did find the
>linksys forums and searched there and posted there the exact same question.
>They said to upgrade the firmware and tell them if it worked or not to stop
>the next curl attempt.


Ok, you're partially forgiven. If you had typed in the curl command
(wrapped in double quotes), you would have found all the security
advisories.

>> 3. Declared the WRT54G to be worthless BEFORE asking if there was a
>> fix.

>The fix seems good but (see prior) it only fixes "authentication bypass
>vulnerability" but not "the CSRF vulnerability" according to the references
>cited above.


I think we have different criteria for acceptability. The
authentication problem (curl example) is serious and if unpatched, I
too would consider the WRT54G to be dangerously insecure. However, I
know of other vulnerabilities and oddities that also might be used to
compromise security that do not warrant such a drastic action like
recycling the router.
Is the WRT54G useful and fairly safe (after patching)? Methinks so.
Can Linksys do better? Probably.
Would a different router do better? No way to tell.

>> 4. Trusted my advice. Don't trust ANYONE about security without
>> first understanding what you're doing, why it's necessary, and
>> verifying that it's considered a reasonable thing to do.

>
>Huh. I trust you. Aren't you trying to help me?


Nope. I'm just a wolf in sheep's clothing. In my spare time (usually
under the cover of darkness), I join the forces of evil in a never
ending effort to uncover security holes and screwups in computing. As
a side effect, security does gradually tend to improve. However, it's
the challenge that gets my attention, not the side effects. I tend to
do best with social engineering and physical security, but when those
fail, hacking will suffice. Try not to let it bother you as many of
those that really know what they're doing, didn't learn security from
a book, and also tend to have a checkered past.

>BTW, which is the "right" newsgroup forum for this kind of Linksys WRT54G
>security vulnerability solution type of question?


I don't know. I only infest alt.internet.wireless. One technical
newsgroup is all I handle in my ever shrinking spare time.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

  #25 (permalink)  
Old 07-04-2007, 07:16 PM
Leythos
Re: Help my Linksys WRT54G router was broken into using the "curl" command

In article <B9Oii.45170$5j1.10873@newssvr21.news.prodigy.net> ,
dhurley@ieaccess.net says...
> The first was to access my router by it's IP address and then to do a
> remote configuration into the router that way. I had the remote
> configuration enabled so he showed me how to disable that in the router so
> the average person wouldn't disable my router security from half way around
> the world.


Your router default settings, other than 192.168.0.1/24 and the
password and WPA-PSK were fine. Your choice of allowing the default
subnet and the remote access was a large mistake that let him in.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've include does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.

  #26 (permalink)  
Old 07-04-2007, 07:20 PM
Leythos
Re: Help my Linksys WRT54G router was broken into using the "curl" command

In article <JuOii.45176$5j1.11480@newssvr21.news.prodigy.net> ,
dhurley@ieaccess.net says...
> On Wed, 4 Jul 2007 09:35:17 -0400, Leythos wrote:
> > While I've not verified it, you should have googled for basic security
> > methods and you would have found that you need to change the default
> > subnet to something else, keeping the 192.168.0, which is the default,
> > is always a bad idea.
> >
> > 192.168.0 and 192.168.1 are common default subnets for home routers,
> > don't use them.

>
> My neighbor says what you said above is totally wrong in that it doesn't
> matter what IP address I use because he uses something called winpcap to
> snare the router IP address off the air!
>
> He says he gets an "ARP" from a program called ethereal which tells him all
> the "who" and "tell" arp commands which tells him every router's IP address
> in the neighborhood. So he called it 'smoke and mirrors' to change my IP
> address.
>
> That's why he suggested I find a patch to the Linksys WRT54G
> GENERIC-MAP-NOMATCH vulnerability.
>
> By the wa