Help my Linksys WRT54G router was broken into using the "curl" command


It's way too easy to break into the Linksys WRT54G router!

Instantly bypassing the administrator password, my fifteen-year old
neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
in ten seconds simply by sending this one "curl" command to it via the
Internet from his home next door!

c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

This kid was kind enough to knock on my door today to tell me to fix it.

I invited him in, and from inside my own house, he showed me the Linksys
WRT54G command above which immediately disabled all my wireless security
WITHOUT him having to enter any password!

He showed me how to disable remote administration but he said the
vulnerability still exists until I get a new router. I can't believe
everyone with a Linksys WRT54G router is throwing it in the garbage.

Where/how can I find a firmware update that protects me from this
vulnerability?
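
Added example, not part of the original post or thread: a small detector that reads raw HTTP requests (from a proxy log or packet capture) and flags the kind of request described above, a form POST to the router's `.tri` handler that carries no credentials. The sample requests are constructed, and treating every `.tri` path as a configuration handler and a missing `Authorization` header as "unauthenticated" are assumptions generalised from the one command in the post.

```python
from urllib.parse import parse_qs

# Constructed sample traffic (not captured from a real device): raw HTTP
# requests as a LAN-side proxy or packet capture might record them.
SAMPLE_REQUESTS = [
    # 0. The request from the post: no credentials attached.
    b"POST /Security.tri HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 24\r\n\r\nSecurityMode=0&layout=en",
    # 1. Same change, sent with an Authorization header (constructed value).
    b"POST /Security.tri HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    b"authorization: Basic Y29uc3RydWN0ZWQ6ZXhhbXBsZQ==\r\n"
    b"Content-Length: 24\r\n\r\nSecurityMode=0&layout=en",
    # 2. Ordinary page view: not a state change.
    b"GET /index.htm HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
    # 3. Truncated request line: must not crash the detector.
    b"POST\r\n\r\n",
]


def parse_request(raw):
    """Split a raw request into (method, target, headers, body) or None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive, so normalise them.
            headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers, body.decode("latin-1")


def classify(raw):
    """Label one request; 'alert: ...' means a change sent without credentials."""
    parsed = parse_request(raw)
    if parsed is None:
        return "malformed"
    method, target, headers, body = parsed
    path = target.split("?", 1)[0].lower()
    # Assumption: .tri paths are the handlers that apply configuration changes.
    if method != "POST" or not path.endswith(".tri"):
        return "ignore"
    # A header being present does not prove the credentials were valid;
    # this only separates requests that carried none at all.
    if "authorization" in headers:
        return "authenticated change"
    params = parse_qs(body, keep_blank_values=True)
    if path == "/security.tri" and params.get("SecurityMode") == ["0"]:
        return "alert: unauthenticated wireless-security disable"
    return "alert: unauthenticated config change"


def alerts(requests):
    """Return the indexes of requests that should be investigated."""
    return [i for i, raw in enumerate(requests)
            if classify(raw).startswith("alert")]


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_REQUESTS):
        print(i, classify(raw))
```
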

 
 
 
 

Re: Help my Linksys WRT54G router was broken into using the "curl" command
Debbie Hurley wrote:

Unless I am getting old then if he posted this command via the Internet
it would have got him nowhere. The curl -d command would post the data
to 192.168.0.1 which is not a public IP address available on the
Internet and would have given him a timeout, unless his router
address is 192.168.0.1.

For him to use this command on your computer implies you are using a
Linux distribution and have installed curl and should know what it is
capable of doing.
http://curl.haxx.se/docs/manpage.html#URL

Re: Help my Linksys WRT54G router was broken into using the "curl" command
kev wrote:

With the IP Address changed to 192.168.1.1, my WRT54G returned
"curl: (52) Empty reply from server" and encryption was still on.
Using 192.168.0.1, it timed out. I don't know what is different with
your system, but it seems not to be a general problem.

Larry

Re: Help my Linksys WRT54G router was broken into using the "curl" command
Larry Finger wrote:

The Firmware V 1.0.0.6 suggests they are playing with the Version 5
router which used VxWorks, so I don't know what the commands were for
that and I can't really be bothered to search for them.

Re: Help my Linksys WRT54G router was broken into using the "curl" command
On Wed, 04 Jul 2007 13:42:28 +0100, kev wrote:

On the bottom of the Linksys WRT54G router it says it's version 5.

My neighbor has been sending me emails as I told him about this thread.
He says it happens with a lot of versions, his being a Linksys WRT54g home
router, firmware revision 1.00.9 and he says all his friends' routers are
similarly vulnerable which he called the "GENERIC-MAP-NOMATCH"
vulnerability.






Re: Help my Linksys WRT54G router was broken into using the "curl" command


Okay.
--
W. Oates

Re: Help my Linksys WRT54G router was broken into using the "curl" command
wrote:



Oh really. If you're daft enough to put an open access point in the big bad
world, you deserve everything coming.


Oh really.


Very dangerous, especially where there is a self identifying problem
between the chair and keyboard.



greg


--
"Aah, the gringos again!"

Re: Help my Linksys WRT54G router was broken into using the "curl" command



Right.  Blame the victim.  Nicely done.  

Look carefully at the paper box the consumer routers are packaged in.
They're mostly advertising material and are full of acronyms attesting
to the high levels of security the user gets if they buy the product.
"Buy me and you'll be safe" from evil hackers like me is the mantra.
Well, there's just one problem.  All the security is disabled by
default.  Plug, play, and you're wide open.  

Now, I know a little about business/commercial law.  I'll spare
everyone the hair splitting and leave out the legal rubbish.
Basically, the consumer has a perceived notion that this router will
protect them from evil.  If it fails to do that, whose fault would you
guess it is?  To an average person, of average abilities, the level of
education necessary to properly administer a wireless router is
substantial and well above what a court of law would consider
necessary.  Therefore, the responsibility for adequate security falls
on the manufacturer, and not the consumer.  The not so minor detail
that all consumer grade wireless router manufacturers, except 2Wire,
are shipping their routers insecure by default, should open up
suitable opportunities for litigation.  I've been contacted by a few
ambulance chasers planning to do exactly that, but have declined their
offers.

A suitable analogy would be if you purchased a consumer device that
allegedly protected you from some evil, but required that you upgrade
your esoteric knowledge level considerably.  During this several year
long education process, you discover that the device has been
essentially disabled and wasn't doing anything useful.  Whom would you
blame?


Blame the victim again.  At least you didn't resort to name calling
and labeling.

I have a loaded question for you:  Are you so in love with the
technology that you forget that real humans are expected to operate
the devices?  I'm curious because this problem seems to be epidemic
among technical types.  I'm sometimes guilty of it myself.

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command
jeffl@cruzio.com says...

Did you miss the part where the OP enabled wireless access and also
enabled remote management?

It's entirely the OP's fault.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've included does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.

Re: Help my Linksys WRT54G router was broken into using the "curl" command
wrote:


On the contrary, speaking as someone who is the one eyed man in the land of
blind for half a dozen folks who have no PC knowledge.

I am intimately aware of the frustration caused by technology and go out of
my way to avoid causing the 1000 yard stare inflicted by an overdose of
geekese which is so easy to slip into.


Someone changed the router from its default settings. The question is who.
If you're capable of posting to a newsgroup, securing one of the best
selling wireless routers out should not be that much of a challenge.




greg

--
"Aah, the gringos again!"

Re: Help my Linksys WRT54G router was broken into using the "curl" command


Well, it's fairly easy to get lost in the flurry of postings and
followups, so I'll summarize.  There is no security risk to enabling
remote management as long as one uses SSH or SSL (if available) to
access the router config and the router has a reasonably secure
password setup.  For the stock WRT54G firmware, there is no secure
method of doing remote access, as it lacks SSH or SSL and the password
is probably sent unencrypted, so remote management is disabled by
default.  See settings as shown at:
<http://www.linksysdata.com/ui/WRT54G/v5/1.00.6/Manage.htm>

The problem I had with the original start of this thread question was
that she indicated that:
  "He showed me how to disable remote administration but he
  said the vulnerability still exists until I get a new router."
The implication was that someone had previously turned on remote
admin.  We can only speculate as to whom at this time.  Until a
suitable culprit is established, we really shouldn't be assigning the
blame.  The first step to solving a problem is NOT to assign the blame.

There is also an open issue as to who is responsible for updating the
firmware.  Linksys formerly had a "check for firmware updates" button,
but that never worked even in the original incantation.  It was long
ago quietly dropped.  Is Linksys responsible for informing customers
that their firewall is porous?  Probably, but I don't see an easy way
to implement updates, especially since the prime directive at Linksys
seems to be to reduce costs by reducing RAM, NVRAM, and features.  At
the present time, the customer is responsible for updates.  This is
more by the abdication of responsibility than by intent, as few
customers are qualified and even fewer understand the necessity of
updates.

There's also a skool of thought that suggests that if things are
working, don't touch them.  I've probably seen more systems destroyed
by updates than by hacking, viruses, and worms.  After a few
disasters, customers tend to be paranoid.  I hear "leave it alone" all
too often.  I fight it, but not very well.  With some vendors, I
intentionally delay updates as they have a track record of breaking
more things than they fix.  Who's responsible for these updates?  I
guess it's me.


Really?  Then why are there so many FAQ's, guides, blogs, and
re-hashed instructions on how to setup a "simple" wireless router?
Could it be that it's really not that simple?  Just read through the
questions on the Linksys wireless forums for a clue.
<http://forums.linksys.com/linksys/board?board.id=Wireless_Routers>
For today, there are already 51 questions, a mess of followups, and
the day isn't half over.  There seem to be an awful lot of people
having problems with Linksys wireless.  Perhaps it's because wireless
is NOT so simple?

Switching over to dslreports.com, it's somewhat better:
<http://www.dslreports.com/forum/linksys>

I'll spare you my list of horror stories that illustrate that there are
still plenty of problems to be solved with consumer wireless hardware,
drivers, and config.  Try roaming between consumer wireless AP's for a
great exercise in frustration.

Another clue is the cancerous growth of wireless acronyms, buzzwords,
protocols, and specs.  I'm directly involved in all this and even I
can't keep them straight.  Every time I open a magazine, new terms
appear out of nowhere.  Then, there are the vendor proprietary
hang-on's (Cisco Compatible Extensions).  I can't even pronounce some
of the wireless company names.  I can barely keep up to date and you
claim that setting up one of these isn't much of a challenge?

As for a person's posting abilities being indicative of their ability
to setup a wireless network, I don't think there's much of a
connection.  An amazing (and alarming) number of help requests in
alt.internet.wireless are missing the absolute minimum information
necessary to craft a sane reply.  Briefly:
1.  What problem are you trying to solve?  One sentence is fine.
2.  What do you have to work with?  (Hardware, software, versions).
3.  What did you do and what happened?  (Exact error messages).
The same people would never dream of asking the clerk at the auto
parts store for advice on their vehicle without specifying the
necessary info, yet they expect answers on usenet without doing the
same.

Finally, permit me the liberty of some semantic hair splitting and
guesswork.  You suggest that "... securing one of the best selling
wireless router..."  I have a very tiny problem with this statement.
You don't secure the router, you secure the system (or network).  In
home wireless, it takes at least two to tango.  Each link has at least
two ends.  Securing one end is insufficient as I can breach security
just as easily at the client end.  I posted a few examples in a
previous message in this thread.



--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command
Hi,


Not necessarily. I installed an AVM box earlier this year, which was
configured securely. It was delivered with preconfiguration for an ISP
and a preconfigured USB-Stick. WPA enabled, everything closed ;)

So, it is possible to have secure consumer equipment.


This depends massively on which legal system you are using.


They are not.


When computers are commodities and sold next to washing machines,
then you are right. (Upps, they are?)

Cheers,
   Jens

Re: Help my Linksys WRT54G router was broken into using the "curl" command

You expect otherwise in Usenet/geeksville?

This would be a better place if people checked their egos at the door.
But that just doesn't happen ... there's no door, and no sheriff.



Re: Help my Linksys WRT54G router was broken into using the "curl" command
@bignews4.bellsouth.net:


Maybe that's why trolls also post here.<G>


--
                                          John Gray

If you don't have a reason, at least have an excuse.

Re: Help my Linksys WRT54G router was broken into using the "curl" command


Actually, the trolls aren't as much of a problem as those that post
inane, useless, irrelevant, thoughtless, unsubstantiated, and
generally stupid, one-line responses (like this one).

If you feel that you've wasted your time reading this message, you're
correct, and I've achieved my goal.

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command


Are you sure they aren't trolls?<G>  What makes you think just because one
frequents a Usenet group for a number of months and constantly throws
diatribes and jabs likely isn't a troll?

I'd already read some of the links and information you posted in this
thread.  Debbie could have disabled (if she didn't) remote configuration.
Most people have no need for remote configuration at all.  Securing the
WiFi connections would have helped. Sadly, most routers would be returned
when they didn't connect if the security wasn't mandatory.  Additionally,
updating the factory firmware to the latest version would have helped.  As
would not letting anyone touch the router, including the kid next door.

I don't believe that V5 and above have third party firmware.  All the third
party firmware for the WRT54G has been Linux based.  Even if these newer
routers could run it, the rom size has been reduced and these firmware
wouldn't fit anyway.

Secure the computers on the LAN first, and then the router.  Between the
two, most people will be quite safe.  Of course, none of these will protect
people from themselves or guests let into their homes.

This thread has gotten quite heated.  The solutions are lost in the storm
of conflicting messages, and taking a confrontational stance only makes it
worse regardless of the accuracy of what was posted.

--
                                          John Gray

If you don't have a reason, at least have an excuse.

Re: Help my Linksys WRT54G router was broken into using the "curl" command



OK.  I'll confess.  I spend several hours a day answering questions in
alt.internet.wireless, several other groups, and a few mailing lists
for the purpose of baiting and insulting people.  I provide the
necessary technical details, background, URL's, and possible solutions
for self-aggrandizement and to make others look bad by comparison.  I
also take pot shots at the experts when they screw up, solely for
target practice.  Whenever I answer a question, I always use marginal
examples to maximize the potential for topic drift.  I do all this to
gather attention to myself, just like a troll.  Happy?


Amazing.  I don't even read my own postings.  It's good to see that
someone reads my stuff because apparently the person asking the
question often fails to read my postings.  For example, when I ask a
specific question, such as what hardware is having a problem, I rarely
get an answer.  Fear of numbers, I guess.


Sure.  However she didn't know what it was, where it was located, what
it did, or who turned it on.  Such things don't happen by accident.
Someone had been playing and it wasn't her.  Interestingly, nobody
mentioned running an online port scan, which surely would have shown port
8080 to be accessible.


Agreed on all points.  That would be one approach.  What I recommended
is that she trusts the 15 year old kid with maintaining her system and
her security.  It has its risks, but my experience with the local high
skool hackers shows otherwise.  Other approaches would be to hire
someone with a clue, spend some time getting up to speed on wireless
security, or find someone online that will do the job remotely.
  

My experiences with v5 and v6 WRT54G routers has been limited and
dismal.  That's because I've exchanged or sold every one that I've run
into.  

DD-WRT works on v5, v6, and v7.  I tried it on several v5 routers and
found no improvement to the chronic hangs and disconnects.
<http://www.dd-wrt.com/wiki/index.php/Linksys_WRT54G/GL/GS/GX>
<http://www.dd-wrt.com/wiki/index.php/Version_5_And_6_Router_Information>
There's some work being done on v7 and v8 but all I've seen is:
<http://wiki.openwrt.org/OpenWrtDocs/Hardware/Linksys/WRT54G>


Agreed.  Facts, details, references, anecdotes, analysis, and sometimes
my opinions create considerable friction.  I'll try to limit myself to
tactful generalizations, respectful sympathy, and perhaps one line
replies.

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command


The DD-WRT firmware that will install on the newer WRTs is a micro version
with much of the added functionality available in the larger DD-WRT
firmware removed, among other changes.  Below is copied from one of the
replies on the first link above.  The second pasted paragraph is from the
second link above.

====================================================
All right, ya see the thing is that anything after v4 or the G or GS is
castrated to be blunt. They only have 2 mb of flash. This is about half of
what the standard distro of DD-WRT needs. Sorry folks, but if you have a
V5, 5.1 or 6 or the G or V5 or 6 of the GS you're stuck with the micro
version. Check ebay or something for an older one. The best version is a GS
version 3. It has 32 mb of ram and *I believe* 8 mb of flash. If you really
want a powerhouse router go and drop about $100 on an Asus WL-500G deluxe.
That is really about as good as you can get for DD-WRT unless you want to go
the MagicBox route.
=====================================================

=====================================================
WARNING: Flashing your router with a third-party firmware VOIDs the
warranty. You can not rely on a reversion firmware being available. I never
have posted the reversion firmware for the GS. Do not return routers after
you've flashed them, this just encourages the vendors to make sure third
party firmwares can not be used.

WARNING: You may brick your router if something goes wrong. You assume full
liability for whatever happens and hold nobody responsible for damages,
tangible or intangible, resulting from the use or mis-use of information or
software found here. You (the user) assumes all liability.

WARNING: At the moment for WRT54GS units this is a one way operation. No
reversion back to VxWorks is available. Since DD-WRT is profiting from this
project, I believe it is their responsibility to create a reversion firmware
for the GS unit. It is an easy chore, I already created the framework in
the G reversion firmware and developed utilities to make the process
easier.
=====================================================

A year ago, I had to search the local retail stores to find an older WRT54
that had the Linksys Linux firmware.  I finally gave up and got the friend
a WRT54GS in order to stay away from VXWorks and to have more ram and rom
available.  He'll never use the GS speed on WiFi.


One line replies don't suffice either.  Evidently that's all it took to
trip your trigger.<G>


--
                                          John Gray

If you don't have a reason, at least have an excuse.

Re: Help my Linksys WRT54G router was broken into using the "curl" command



Correct.  See table of features at:
<http://www.dd-wrt.com/wiki/index.php/What_is_%22DD-WRT%22%3F>
The only version that works is the Micro version for V5 and V6.
Note that the feature for the micro is about the same as what you get
with the stock Linksys firmware with RADVD added.  It's the added
features that make DD-WRT and OpenWRT attractive (to me).  In
addition, installing DD-WRT on v5 and v6 routers is somewhat of an
ordeal.  Not recommended.

Incidentally, you brought up the problems with v5 and v6 in this
discussion.  Why?


Walmart was selling WRT54Gv4 routers until just recently, when they
finally ran out.  I switched to Buffalo routers for new installations.
They have the same processor and memory as the Linksys v4, but IMHO
are a better device.  No problem with supply yet, but the recent
injunction for patent infringement may eventually cause problems. Also
note that there are a very large number of other boxes that will run
DD-WRT or OpenWRT.
<http://www.dd-wrt.com/wiki/index.php/Supported_Devices>



Well, I'm having a rather bad time of it lately.  It started with a
bad day, then a bad week, and may soon turn into a bad month.  Try not
to take my vicious attacks personally.  I've been snarling at everyone
lately but should be back to my normal level of hostility in about a
month.

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command


Actually, I mentioned it due to DD-WRT being recommended in this thread.  
I'd researched this when I was in the market for a WRT54 for a neighbor.  I
found a page that listed the various hardware differences between the
versions.  Most informed sources I visited recommended finding the earlier
versions.

<http://en.wikipedia.org/wiki/WRT54G#Hardware_and_revisions>
 

The WRT300N looks promising.
 

We all have days like that.  I've had to delay responding sometimes.  On
reading the post later that I was going to reply to, my outlook or take on
what and why something was written often changes.  Often, what one means to
say is interpreted incorrectly, either due to bad composition or the
reader's different POV or baggage.  We all have baggage, and not all of it
is helpful experience all the time.

A shot of Jack Daniels at bedtime may help.  Just don't overindulge.<G>  
Hangovers don't help one's disposition. As for me, I'm just a 'ray of
sunshine'.<G>

--
                                          John Gray

If you don't have a reason, at least have an excuse.
