Help my Linksys WRT54G router was broken into using the "curl" command

Hi,

Not necessarily. I installed an AVM box earlier this year, which was configured securely. It was delivered with preconfiguration for an ISP and a preconfigured USB-Stick. WPA enabled, everything closed ;)

So, it is possible to have secure consumer equipment.

This depends massively on which legal system you are using.

They are not.

When computers are commodities and sold next to washing machines, then you are right. (Upps, they are?)

Cheers, Jens

Jens Hoffmann

So the security measure he bypassed was your front door

There's a big difference between someone inside your house and network and the evil hackers in China (or Gibraltar)

-- Jim Watt


Jim Watt

In her defense--and despite the spastic posting Debbie has done on this--this vulnerability is one that actually is remotely exploitable under common conditions via a cross site scripting attack.

Viewing a web site that convinces the browser to submit a post request to the default IP of a linksys router's webpage is all that's required to disable the security mode and bypass the admin password. It appears that at most, a second POST that enables remote management is all that'd be needed.

curl is nothing magical, by the way-- just a command line utility to replicate GET and POST transactions that a web browser does behind the scenes. It makes for an easy demonstration, but it is not required in this attack.

WRT54G hardware version 5 owners who've never upgraded their firmware should be very concerned about this unless they are extremely cautious in their websurfing. Such extreme caution breaks about half of all web sites these days, so very few folks surf with that level of caution.

Please read:

Linksys WRT54g authentication bypass

includes: "The combination of these two bugs means that any internet web site can change the configuration of your router. Recently published techniques for port-scanning and web server finger printing via java and javascript make this even easier."

Mention of patched firmware quietly released by Linksys


Best Regards,

Todd H.
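
The two server-side checks whose absence the post above describes, as an added example (not part of the original thread and not Linksys firmware code): a configuration change is accepted only with valid admin credentials and only when the request comes from the router's own pages. The trusted address, function names and sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the admin UI is served only at the Linksys factory-default LAN
# address; change this set to match the router's real address.
TRUSTED_HOSTS = {"192.168.1.1"}
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def source_host(value):
    """Host (plus explicit port) named by an Origin/Referer value, or None."""
    if not value:
        return None
    try:
        parts = urlsplit(value)
        host, port = parts.hostname, parts.port
    except ValueError:
        return None  # malformed port or address
    if parts.scheme not in ("http", "https") or not host:
        return None  # covers "null" and values that are not web URLs
    return f"{host.lower()}:{port}" if port else host.lower()


def allow_request(method, headers, authenticated):
    """Return (allowed, reason) for one request to the admin UI.

    headers: request headers as a dict with lowercase keys.
    authenticated: True only when valid admin credentials came with the request.
    """
    if not authenticated:
        return False, "no valid admin credentials"
    if method.upper() not in STATE_CHANGING:
        return True, "read-only request"
    # Prefer Origin; fall back to Referer only when Origin is absent.
    source = source_host(headers.get("origin") or headers.get("referer"))
    if source is None:
        return False, "state change without usable Origin or Referer"
    if source not in TRUSTED_HOSTS:
        return False, f"cross-site request from {source}"
    return True, "same-site request"


if __name__ == "__main__":
    # Constructed sample requests (hostnames and paths are made up).
    samples = [
        ("POST", {"origin": "http://news.example"}, True),
        ("POST", {"referer": "http://192.168.1.1/index.htm"}, True),
        ("POST", {"origin": "http://192.168.1.1"}, False),
    ]
    for method, headers, authed in samples:
        print(method, headers, "->", allow_request(method, headers, authed))
```
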

If you can attach the router's hardware, then you just can reset it. You don't need any password then.

Correct. And there is no security needed against this. The behaviour is documented how to reset your router, so your neighbour just found out a very complicated way to achieve the same (with the advantage not to remove the current configuration, it seems).

Nothing is dangerous here. "This behaviour is by design".

Yours, VB.

Volker Birk

You expect otherwise in Usenet/geeksville?

This would be a better place if people checked their egos at the door. But that just doesn't happen ... there's no door, and no sheriff.

Alfred Einstein

"Alfred Einstein" wrote in news:dfPji.7179$ca.6716 @bignews4.bellsouth.net:

Maybe that's why trolls also post here.

John Gray

John Gray hath wroth:

Actually, the trolls aren't as much of a problem as those that post inane, useless, irrelevant, thoughtless, unsubstantiated, and generally stupid, one-line responses (like this one).

If you feel that you've wasted your time reading this message, you're correct, and I've achieved my goal.

Jeff Liebermann

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Are you sure they aren't trolls? What makes you think just because one frequents a Usenet group for a number of months and constantly throws diatribes and jabs likely isn't a troll?

I'd already read some of the links and information you posted in this thread. Debbie could have disabled (if she didn't) remote configuration. Most people have no need for remote configuration at all. Securing the WiFi connections would have helped. Sadly, most routers would be returned when they didn't connect if the security wasn't mandatory. Additionally, updating the factory firmware to the latest version would have helped. As would not letting anyone touch the router, including the kid next door.

I don't believe that V5 and above have third party firmware. All the third party firmware for the WRT54G has been Linux based. Even if these newer routers could run it, the rom size has been reduced and these firmware wouldn't fit anyway.

Secure the computers on the LAN first, and then the router. Between the two, most people will be quite safe. Of course, none of these will protect people from themselves or guests let into their homes.

This thread has gotten quite heated. The solutions are lost in the storm of conflicting messages, and taking a confrontational stance only makes it worse regardless of the accuracy of what was posted.

John Gray

John Gray hath wroth:

OK. I'll confess. I spend several hours a day answering questions in alt.internet.wireless, several other groups, and a few mailing lists for the purpose of baiting and insulting people. I provide the necessary technical details, background, URL's, and possible solutions for self aggrandizement and to make others look bad by comparison. I also take pot shots at the experts when they screw up, solely for target practice. Whenever I answer a question, I always use marginal examples to maximize the potential for topic drift. I do all this to gather attention to myself, just like a troll. Happy?

Amazing. I don't even read my own postings. It's good to see that someone reads my stuff because apparently the person asking the question often fails to read my postings. For example, when I ask a specific question, such as what hardware is having a problem, I rarely get an answer. Fear of numbers, I guess.

Sure. However she didn't know what it was, where it was located, what it did, or who turned it on. Such things don't happen by accident. Someone had been playing and it wasn't her. Interestingly, nobody mentioned running an online port scan, which would surely have shown port 8080 to be accessible.

Agreed on all points. That would be one approach. What I recommended is that she trusts the 15 year old kid with maintaining her system and her security. It has its risks, but my experience with the local high skool hackers shows otherwise. Other approaches would be to hire someone with a clue, spend some time getting up to speed on wireless security, or find someone online that will do the job remotely.

My experiences with v5 and v6 WRT54G routers have been limited and dismal. That's because I've exchanged or sold every one that I've run into.

DD-WRT works on v5, v6, and v7. I tried it on several v5 routers and found no improvement to the chronic hangs and disconnects.

There's some work being done on v7 and v8 but all I've seen is:

Agreed. Facts, details, references, anecdotes, analysis, and sometimes my opinions create considerable friction. I'll try to limit myself to tactful generalizations, respectful sympathy, and perhaps one line replies.

Jeff Liebermann

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

The DD-WRT firmware that will install on the newer WRTs is a micro version with much of the added functionality available in the larger DD-WRT firmware removed, among other changes. Below is copied from one of the replies on the first link above. The second pasted paragraph is from the second link above.

====================================================
All right, ya see the thing is that anything after v4 or the G or GS is castrated to be blunt. They only have 2 mb of flash. This is about half of what the standard distro of DD-WRT needs. Sorry folks, but if you have a V5, 5.1 or 6 or the G or V5 or 6 of the GS you're stuck with the micro version. Check ebay or something for an older one. The best version is a GS version 3. It has 32 mb of ram and *I believe* 8 mb of flash. If you really want a powerhouse router go and drop about $100 on an Asus WL-500G deluxe. That is really about as good as you can get for DD-WRT unless you want to go the MagicBox route.
=====================================================

=====================================================
WARNING: Flashing your router with a third-party firmware VOIDs the warranty. You can not rely on a reversion firmware being available. I never have posted the reversion firmware for the GS. Do not return routers after you've flashed them, this just encourages the vendors to make sure third party firmwares can not be used.

WARNING: You may brick your router if something goes wrong. You assume full liability for whatever happens and hold nobody responsible for damages, tangible or intangible, resulting from the use or mis-use of information or software found here. You (the user) assumes all liability.

WARNING: At the moment for WRT54GS units this is a one way operation. No reversion back to VxWorks is available. Since DD-WRT is profiting from this project, I believe it is their responsibility to create a reversion firmware for the GS unit. It is an easy chore, I already created the framework in the G reversion firmware and developed utilities to make the process easier.
=====================================================

A year ago, I had to search the local retail stores to find an older WRT54 that had the Linksys Linux firmware. I finally gave up and got the friend a WRT54GS in order to stay away from VXWorks and to have more ram and rom available. He'll never use the GS speed on WiFi.

One line replies don't suffice either. Evidently that's all it took to trip your trigger.

John Gray

John Gray hath wroth:

Correct. See table of features at:

The only version that works is the Micro version for V5 and V6. Note that the feature for the micro is about the same as what you get with the stock Linksys firmware with RADVD added. It's the added features that make DD-WRT and OpenWRT attractive (to me). In addition, installing DD-WRT on v5 and v6 routers is somewhat of an ordeal. Not recommended.

Incidentally, you brought up the problems with v5 and v6 in this discussion. Why?

Walmart was selling WRT54Gv4 routers until just recently, when they finally ran out. I switched to Buffalo routers for new installations. They have the same processor and memory as the Linksys v4, but IMHO are a better device. No problem with supply yet, but the recent injunction for patent infringement may eventually cause problems. Also note that there are a very large number of other boxes that will run DD-WRT or OpenWRT.

Well, I'm having a rather bad time of it lately. It started with a bad day, then a bad week, and may soon turn into a bad month. Try not to take my vicious attacks personally. I've been snarling at everyone lately but should be back to my normal level of hostility in about a month.

Jeff Liebermann

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Actually, I mentioned it due to DD-WRT being recommended in this thread. I'd researched this when I was in the market for a WRT54 for a neighbor. I found a page that listed the various hardware differences between the versions. Most informed sources I visited recommended finding the earlier versions.

The WRT300N looks promising.

We all have days like that. I've had to delay responding sometimes. On reading the post later that I was going to reply to, my outlook or take on what and why something was written often changes. Often, what one means to say is interpreted incorrectly, either due to bad composition or the reader's different POV or baggage. We all have baggage, and not all of it is helpful experience all the time.

A shot of Jack Daniels at bedtime may help. Just don't overindulge. Hangovers don't help one's disposition. As for me, I'm just a 'ray of sunshine'.

John Gray

John Gray hath wroth:

I just checked all my postings on the topic. I did mention DD-WRT as she wanted to change the login name as well as the password. It's not exactly a recommendation. See:

"Other routers allow additional users and even user levels, such as read-only users. If you really want this feature, the alternative firmware (DD-WRT, OpenWRT) all have additional users. However, again, this is nothing but security by obscurity and doesn't provide any real security."

For a moment there, I thought I had made a mistake. Whew...

v1 only. v2 doesn't play (as a friend recently discovered the hard way). He bricked it so well that I had to use the JTAG firmware load in order to recover. See "blacklist" at:

Also, the WRT300N v1 requires DD-WRT v24, which is still very beta.

Yep. I have all that and more. Add massive confusion on my part as to the topic of discussion precipitated by posting to perhaps 12 different but similar threads every day. It's really difficult to keep them straight. Re-reading the previous postings is required, but I still manage to mix things up. Add to that medical problems, problems with the ladyfriend(s), customers from hell, and gaining some more surplus mass around the waist. I also don't bother doing battle with myself (I always lose) or apply much tact when answering questions. The results are predictable.

I don't drink. It's not anything religious, moral, or ethical. I simply have low dissipation and can't handle booze very well. I also have one drunk and one recovering alcoholic in the family, and I don't want to end up like them.

Time to take out my aggressions on the piano (synthesizer) instead of the newsgroup.

Jeff Liebermann

Hi, my name is Adrian, and I'm interested in how to use the curl command to break the password and log in to the WRT54G Linksys access point. I don't know the version of the firmware but I think it is the same as yours. I need help because I think someone changed my administrator password. Please send a reply as soon as possible.

ATTE. Adrian

kev wrote:

zacek

Regardless of the firmware (which can be found on the back label), it can be reset.

Hold down the reset button for at least a full 30 seconds. This will default your router to factory settings, including the password. Of course, you'll have to reset all your custom settings.

It IS *your* router, right?

DTC

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Thanks. If I was in a buying mode, I'd be hunting for such articles for a couple of weeks minimum before committing to a decision. No decision comes lightly for me.

John Gray

Am I missing something here? Isn't the WRT54GL the one they now sell specifically for those who want to use replacement firmware? Not castrated and simple to change FW.

If one must have a new linksys running DD-WRT, that's the one to get.

Steve

seaweedsteve

seaweedsteve wrote in news: snipped-for-privacy@i38g2000prf.googlegroups.com:

That was the one that Cisco came out with after it neutered the WRT54G by reducing the rom flash and buffer memory as well as switching to VXWorks firmware. It was in response to customer complaints of removal of the Linux open source firmware that could be rewritten for the DD-WRT and other third party firmware. With the new rom size, it wouldn't fit anyway.

John Gray

Yes.

Nope. The WRT54GL is identical to the reduced flash/RAM WRT54G v4. It was Linksys knee jerk reaction to general disgust over the v5 and v6 mutations. Of course, they raised the price at the same time. To underscore Linksys commitment to open source, they came out with the WRT54 v8 which so far can't run Linux, and has non-removable antennas.

Nope. Many people working on open source alternatives have given up on the WRT54G/GS line for the aforementioned reasons. Meanwhile, DD-WRT and OpenWRT have been ported to a growing number of other devices, which are not as disgusting as the WRT54G v5, v6, and v7. For example, I've been using mostly Buffalo products and have not regretted the change.

Free advice: Never try to oil a power supply fan while it's running.

Jeff Liebermann

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

The V4 only changed the chipset to a Broadcom BCM5352EKPB Chipset. It has the same rom and ram as previous versions. V5 and above did that. The GL has the same rom and ram as the WRT54G V1 thru V4 according to this site.


John Gray
