Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 09:37:07 von Debbie Hurley

It's way too easy to break into the Linksys WRT54G router!

Instantly bypassing the administrator password, my fifteen-year old
neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
in ten seconds simply by sending this one "curl" command to it via the
Internet from his home next door!

c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

This kid was kind enough to knock on my door today to tell me to fix it.

I invited him in, and from inside my own house, he showed me the Linksys
WRT54G command above which immediately disabled all my wireless security
WITHOUT him having to enter any password!

He showed me how to disable remote administration but he said the
vulnerability still exists until I get a new router. I can't believe
everyone with a Linksys WRT54G router is throwing it in the garbage.

Where/how can I find a firmware update that protects me from this
vulnerability?

Re: Help my Linksys WRT54G router was broken into using the "curl"command

am 04.07.2007 10:40:25 von Robert Lambe

Debbie Hurley wrote:
> It's way too easy to break into the Linksys WRT54G router!
>
> Instantly bypassing the administrator password, my fifteen-year old
> neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> in ten seconds simply by sending this one "curl" command to it via the
> Internet from his home next door!
>
> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

Unless I am getting old then if he posted this command via the Internet
it would have got him nowhere. The curl -d command would post the data
to 192.168.0.1 which is not a public IP address available on the
Internet and would have given him a timeout, unless his router
address is 192.168.0.1.
>
> This kid was kind enough to knock on my door today to tell me to fix it.
>
> I invited him in, and from inside my own house, he showed me the Linksys
> WRT54G command above which immediately disabled all my wireless security
> WITHOUT him having to enter any password!

For him to use this command on your computer implies you are using a
Linux distribution and have installed curl and should know what it is
capable of doing.
http://curl.haxx.se/docs/manpage.html#URL
>
> He showed me how to disable remote administration but he said the
> vulnerability still exists until I get a new router. I can't believe
> everyone with a Linksys WRT54G router is throwing it in the garbage.
>
> Where/how can I find a firmware update that protects me from this
> vulnerability?
>
>
>
>
>

Re: Help my Linksys WRT54G router was broken into using the "curl"command

am 04.07.2007 13:38:05 von Larry Finger

kev wrote:
> Debbie Hurley wrote:
>> It's way too easy to break into the Linksys WRT54G router!
>>
>> Instantly bypassing the administrator password, my fifteen-year old
>> neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
>> in ten seconds simply by sending this one "curl" command to it via the
>> Internet from his home next door!
>>
>> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>
> Unless I am getting old then if he posted this command via the Internet
> it would have got him nowhere. The curl -d command would post the data
> to 192.168.0.1 which is not a public IP address available on the
> Internet and would have given him a timeout, unless his router
> address is 192.168.0.1.
>>
>> This kid was kind enough to knock on my door today to tell me to fix it.
>>
>> I invited him in, and from inside my own house, he showed me the Linksys
>> WRT54G command above which immediately disabled all my wireless security
>> WITHOUT him having to enter any password!
>
> For him to use this command on your computer implies you are using a
> Linux distribution and have installed curl and should know what it is
> capable of doing.
> http://curl.haxx.se/docs/manpage.html#URL
>>
>> He showed me how to disable remote administration but he said the
>> vulnerability still exists until I get a new router. I can't believe
>> everyone with a Linksys WRT54G router is throwing it in the garbage.
>>
>> Where/how can I find a firmware update that protects me from this
>> vulnerability?

With the IP Address changed to 192.168.1.1, my WRT54G returned "curl: (52) Empty reply from server"
and encryption was still on. Using 192.168.0.1, it timed out. I don't know what is different with
your system, but it seems not to be a general problem.

Larry

Re: Help my Linksys WRT54G router was broken into using the "curl"command

am 04.07.2007 14:42:28 von Robert Lambe

Larry Finger wrote:

>
> With the IP Address changed to 192.168.1.1, my WRT54G returned "curl:
> (52) Empty reply from server" and encryption was still on. Using
> 192.168.0.1, it timed out. I don't know what is different with your
> system, but it seems not to be a general problem.
>
> Larry
The Firmware V 1.0.0.6 suggests they are playing with the Version 5
router which used Vxworks, so I don't know what the commands were for
that and I can't really be bothered to search for them.

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 15:35:17 von Leythos

In article ,
dhurley@ieaccess.net says...
> It's way too easy to break into the Linksys WRT54G router!
>
> Instantly bypassing the administrator password, my fifteen-year old
> neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> in ten seconds simply by sending this one "curl" command to it via the
> Internet from his home next door!
>
> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>
> This kid was kind enough to knock on my door today to tell me to fix it.
>
> I invited him in, and from inside my own house, he showed me the Linksys
> WRT54G command above which immediately disabled all my wireless security
> WITHOUT him having to enter any password!
>
> He showed me how to disable remote administration but he said the
> vulnerability still exists until I get a new router. I can't believe
> everyone with a Linksys WRT54G router is throwing it in the garbage.
>
> Where/how can I find a firmware update that protects me from this
> vulnerability?

While I've not verified it, you should have googled for basic security
methods and you would have found that you need to change the default
subnet to something else, keeping the 192.168.0, which is the default,
is always a bad idea.

192.168.0 and 192.168.1 are common default subnets for home routers,
don't use them.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've included does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 16:29:53 von Debbie Hurley

On Wed, 04 Jul 2007 09:40:25 +0100, kev wrote:
>> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>
> Unless I am getting old then if he posted this command via the Internet
> it would have got him nowhere. The curl -d command would post the data
> to 192.168.0.1 which is not a public IP address available on the
> Internet and would have given him a timeout, unless his router
> address is 192.168.0.1.

I called him about this just now. He said there were two easy ways to wipe
out the security of any Linksys WRT54G router without having to enter any
log in information by taking advantage of Linksys widespread "access
control error" vulnerabilities.

The first was to access my router by its IP address and then to do a
remote configuration into the router that way. I had the remote
configuration enabled so he showed me how to disable that in the router so
the average person wouldn't disable my router security from half way around
the world. He says it definitely can be done remotely and said he'd mail me
the instructions. He ended with saying that anyone who says it can't be
done doesn't know what they're talking about. I'll wait for his
instructions before I go any further on that.

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 16:32:11 von comphelp

Debbie Hurley writes:
> It's way too easy to break into the Linksys WRT54G router!
>
> Instantly bypassing the administrator password, my fifteen-year old
> neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> in ten seconds simply by sending this one "curl" command to it via the
> Internet from his home next door!
>
> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>

Among the reasons having wireless security disabled and letting
neighbors join your local network for free is a bad idea.

> He showed me how to disable remote administration but he said the
> vulnerability still exists until I get a new router. I can't believe
> everyone with a Linksys WRT54G router is throwing it in the garbage.
>
> Where/how can I find a firmware update that protects me from this
> vulnerability?

http://www.securityfocus.com/archive/1/452020


or... use third party firmware such as

http://www.dd-wrt.com/
http://openwrt.org/

--
Todd H.
http://www.toddh.net/

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 16:34:19 von Debbie Hurley

On Wed, 04 Jul 2007 09:40:25 +0100, kev wrote:
> For him to use this command on your computer implies you are using a
> Linux distribution and have installed curl and should know what it is
> capable of doing.
> http://curl.haxx.se/docs/manpage.html#URL

No. He showed me how to do it on my OWN Windows computer.
All he did was download curl from http://curl.haxx.se/download.html and put
the windows binary into my c:\os\winxp\system32\curl.exe location.

He told me curl works on just about every operating system in the world,
and from the looks of the web page above, it sure looks like it.
http://www.paehl.com/open_source/index.php?CURL_7.16.3

When I type Start cmd and then curl, I get a response of:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\My Stuff\Documents and Settings\debbie>curl
curl: try 'curl --help' or 'curl --manual' for more information

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 16:36:41 von comphelp

comphelp@toddh.net (Todd H.) writes:

> Debbie Hurley writes:
> > It's way too easy to break into the Linksys WRT54G router!
> >
> > Instantly bypassing the administrator password, my fifteen-year old
> > neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> > in ten seconds simply by sending this one "curl" command to it via the
> > Internet from his home next door!
> >
> > c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
> >
>
> Among the reasons having wireless security disabled and letting
> neighbors join your local network for free is a bad idea.

I meant to paste this vulnerability of v5 wrt54g's here:

Linksys WRT54GS POST Request Configuration Change Authentication
Bypass Vulnerability
http://www.securityfocus.com/bid/19347/references

It's a known issue. The fix is to upgrade firmware per the link
below.

> > He showed me how to disable remote administration but he said the
> > vulnerability still exists until I get a new router. I can't believe
> > everyone with a Linksys WRT54G router is throwing it in the garbage.
> >
> > Where/how can I find a firmware update that protects me from this
> > vulnerability?
>
> http://www.securityfocus.com/archive/1/452020
>
>
> or... use third party firmware such as
>
> http://www.dd-wrt.com/
> http://openwrt.org/

And I'd have a chat with the parents of the kid, thanking him for
bringing the issue to your attention, but also warning him that his
"gray hat" activities can get him sent to jail, despite being well
meaning.

You don't "test" stuff you don't own or are engaged to test with
written legal permission of the owner.


Some news stories to drive the point home:

http://news.com.com/2009-1001-958129.html
http://news.zdnet.com/2100-1009_22-958920.html


Best Regards,
--
Todd H.
http://www.toddh.net/

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 16:42:52 von Debbie Hurley

On Wed, 04 Jul 2007 11:38:05 GMT, Larry Finger wrote:

> With the IP Address changed to 192.168.1.1, my WRT54G returned "curl: (52) Empty reply from server"
> and encryption was still on. Using 192.168.0.1, it timed out. I don't know what is different with
> your system, but it seems not to be a general problem.

I just grabbed my horrified notes from yesterday.

Try this which is the simplified test my neighbor wrote down for me when he
showed it to me yesterday - and let us know if it disables your Linksys
WRT54G router security without asking for a password.

1. Assume the vulnerable WRT54G Linksys router (mine is v5 v1.0.0.6).
2. Connect a yellow wire from the router to the computer
3. Install curl on Windows XP from http://curl.haxx.se/download.html
4. Add curl to your path (or put it in system32)
5. Start Run cmd telnet 192.168.0.1 80
6. Enter the web command to disable wireless security
POST /Security.tri
SecurityMode=0&layout=en
7. Look at your router to see you now have NO SECURITY!

He said the only reason we used the wire was to make it easier to show me.
He even did it wirelessly while out on my driveway outside my house. He
said ANYONE could do it from the Internet if they knew my IP address.
Luckily, he said nobody knows my IP address. Whew!

I didn't realize using a Linksys WRT54G router was so dangerous!

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 16:45:44 von Debbie Hurley

On Wed, 04 Jul 2007 13:42:28 +0100, kev wrote:
> The Firmware V 1.0.0.6 suggests they are playing with the Version 5
> router which used Vxworks, so I don't know what the commands were for
> that and I can't really be bothered to search for them.

On the bottom of the Linksys WRT54G router it says it's version 5.

My neighbor has been sending me emails as I told him about this thread.
He says it happens with a lot of versions, his being a Linksys WRT54g home
router, firmware revision 1.00.9 and he says all his friends' routers are
similarly vulnerable which he called the "GENERIC-MAP-NOMATCH"
vulnerability.

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 16:52:25 von Debbie Hurley

On Wed, 4 Jul 2007 09:35:17 -0400, Leythos wrote:
> While I've not verified it, you should have googled for basic security
> methods and you would have found that you need to change the default
> subnet to something else, keeping the 192.168.0, which is the default,
> is always a bad idea.
>
> 192.168.0 and 192.168.1 are common default subnets for home routers,
> don't use them.

My neighbor says what you said above is totally wrong in that it doesn't
matter what IP address I use because he uses something called winpcap to
snare the router IP address off the air!

He says he gets an "ARP" from a program called ethereal which tells him all
the "who" and "tell" arp commands which tells him every router's IP address
in the neighborhood. So he called it 'smoke and mirrors' to change my IP
address.

That's why he suggested I find a patch to the Linksys WRT54G
GENERIC-MAP-NOMATCH vulnerability.

By the way, he said there is more than one vulnerability. I asked him to
show me in writing and he just sent me something which I'll post to you
once I clean it up a bit.

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 17:03:13 von Jeff Liebermann

Debbie Hurley hath wroth:

>It's way too easy to break into the Linksys WRT54G router!
>
>Instantly bypassing the administrator password, my fifteen-year old
>neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
>in ten seconds simply by sending this one "curl" command to it via the
>Internet from his home next door!
>
>c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

Old bugs never die. They just get reposted:




etc...
Note the dates from about a year ago. This was fixed with a firmware
update to the v5/v6 hardware mutation router with v1.01.0. The
current version is v1.02.0. Please download, install, and retest.

All the routers I have handy are running DD-WRT v23 SP2 and SP3. The
curl trick doesn't work on any of them from either Ubuntu 6.10 or
Cygwin 1.5.xx on W2K.

You must really be concerned as you also posted the comment to the
Linksys Forums at:


>This kid was kind enough to knock on my door today to tell me to fix it.

Nice kid. Be sure to thank him. If you're in the computah biz, hire
him.

>I invited him in, and from inside my own house, he showed me the Linksys
>WRT54G command above which immediately disabled all my wireless security
>WITHOUT him having to enter any password!

If he's doing it from the LAN side, that's cheating a bit. In order
to do the same thing from the WAN side, your router would need to have
remote admin enabled, which is disabled by default. Note the default
settings:

This is v1.00.6.

>He showed me how to disable remote administration but he said the
>vulnerability still exists until I get a new router.

If remote admin was enabled, someone has been tinkering with the
default setup.

Incidentally, all the router manufacturers, except 2Wire ship their
routers not very secure by default. If you simply plugged the router
in straight out of the box, you have a wide open system, with well
known passwords, and an invitation for problems. I've been trying to
get various manufacturers to change their evil ways and start shipping
routers that require the user to setup:
1. A suitable router password
2. A unique SSID
3. A reasonable WPA-PSK encryption key
The wireless would be disabled until this is done. None of them want
to do this for fear that it would diminish your "out of box
experience".

>I can't believe
>everyone with a Linksys WRT54G router is throwing it in the garbage.

I've been tempted quite often as there are plenty of other things I
detest about the WRT54G/GS v5 and v6 mutations. The general lack of
RAM and NVRAM are my biggest gripe, which make loading alternative
firmware a PITA. v5 and v6 routers also tend to lockup and hang for
no obvious reason. The inability to simultaneously connect more than
a few clients:
http://www.smallnetbuilder.com/component/option,com_chart/Itemid,189/chart,124/
(see bottom of chart) in v5 and v6 also sucks. Yeah, it's a terrible
router. If you're planning on recycling yours, please mail it to the
address in my .signature.

>Where/how can I find a firmware update that protects me from this
>vulnerability?

The kid didn't tell you this? First he breaks in. He leaves remote
admin turned on so he can break in again. Then he shows you how it
works, but doesn't tell you how to fix it? Is he selling wireless
routers door to door? Smart kid.

Perhaps you should try the Linksys support web pile:

Your WRT54G hardware mutation number is on the serial number tag on
the bottom of the router.


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 17:13:00 von Debbie Hurley

On 04 Jul 2007 09:32:11 -0500, Todd H. wrote:
>> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
> Among the reasons having wireless security disabled and letting
> neighbors join your local network for free is a bad idea.

But, he showed me it works while WIRED to my vulnerable Linksys WRT54G
router! He said the GENERIC-MAP-NOMATCH vulnerability has nothing to do
with wireless. It's inherent in the Linksys WRT54G router unfortunately!

Here is his email talking about TWO vulnerabilities in the Linksys WRT54G
router!

"You have two problems. The first is the password validation for
configuration settings is not needed for your Linksys WRT54G router and the
second is that with java turned on any web site anywhere can force a
request to the linksys router, and the router will accept the request."

He also sent me a 2600 web address explaining the whole thing but I didn't
understand it at all.

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 17:16:19 von Debbie Hurley

On 04 Jul 2007 09:36:41 -0500, Todd H. wrote:
> I meant to paste this vulnerability of v5 wrt54g's here:
> Linksys WRT54GS POST Request Configuration Change Authentication
> Bypass Vulnerability
> http://www.securityfocus.com/bid/19347/references
> It's a known issue. The fix is to upgrade firmware per the link
> below.

Here is a forwarded email which explains the severe Linksys WRT54G
vulnerability I'm afraid. It looks like this vulnerability which allows any
web site to disable your browser security has been around for a long time
based on the time stamps of the email!

Debbie

Date: Fri, 04 Aug 2006 14:00:01 +0000
From: "Ginsu Rabbit"
Subject: [Full-disclosure] linksys WRT54g authentication bypass

I'm having some trouble believing this hasn't been reported before. If you
have a linksys router handy, please check to see whether it is vulnerable
to this attack. It's possible that all of the linksys router web UIs have
the same bug. Hopefully the problem is isolated to one particular model or
firmware revision.

I. DESCRIPTION

Tested product: Linksys WRT54g home router, firmware revision 1.00.9.

Problem #1: No password validation for configuration settings.

The WRT54g does not attempt to verify a username and password when
configuration settings are being changed. If you wish to read
configuration settings, you must provide the administrator ID and password
via HTTP basic authentication. No similar check is done for configuration
changes.

This request results in a user-id and password prompt:
GET /wireless.htm

This request disables wireless security on the router, with no password
prompt:
POST /Security.tri
Content-Length: 24

SecurityMode=0&layout=en

Problem #2: Cross-site request forgery

The web administration console does not verify that the request to change
the router configuration is being made with the consent of the
administrator. Any web site can force a browser to send a request to the
linksys router, and the router will accept the request.


II. Exploitation

The combination of these two bugs means that any internet web site can
change the configuration of your router. Recently published techniques for
port-scanning and web server fingerprinting via java and javascript make
this even easier. The attack scenario is as follows:

- intranet user visits a malicious web site
- malicious web site returns specially crafted HTML page
- intranet user's browser automatically sends a request to the router that
enables the remote administration interface
- the owner of the malicious web site now has complete access to your
router

I'm not going to share the "specially crafted HTML page" at this time, but
it isn't all that special.


III. DETECTION

If your router is vulnerable, the following curl command will disable
wireless security on your router. Tests for other router models and
firmware revisions may be different:

curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri


IV. MITIGATION

1) Make sure you've disabled the remote administration feature of your
router. If you have this "feature" enabled, anybody on the internet can
take control of the router.

2) Change the IP address of the router to a random value, preferably in the
range assigned to private networks. For example, change the IP address to
10.x.y.z, where x, y, and z are numbers between 0 and 255 inclusive. This
makes it more difficult for an attacker to forge the request necessary to
change the router configuration. This mitigation technique might not help
much if you have a java-enabled browser, because of recently published
techniques for determining gateway addresses via java applets.

3) Disable HTTP access to the administration interface of the router,
allowing only HTTPS access. Under most circumstances, this will cause the
browser to show a certificate warning before the configuration is changed.

V. VENDOR NOTIFICATION

Linksys customer support was notified on June 24, 2006.
Full disclosure on August 4, 2006
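
The two problems in the forwarded advisory, modelled as an added example (not part of the original post, and not Linksys firmware code): a handler that authenticates only reads, beside one that authenticates every method and checks the request's origin before changing state. The credentials, the non-zero `security_mode` value and all function names are assumptions made for the demo; nothing is sent over the network.

```python
import base64
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed demo values; not taken from any real device or firmware.
ADMIN_USER = "admin"
ADMIN_PASSWORD = "constructed-demo-password"
ROUTER_ORIGIN = "http://192.168.0.1"  # router address used in the advisory

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

@dataclass
class Router:
    security_mode: str = "3"  # assumed: any non-zero value means security on

def basic_auth(user, password):
    """Build the Authorization header a browser sends after the login prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def authenticated(req):
    """Validate HTTP Basic credentials with a constant-time comparison."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:  # malformed base64
        return False
    return hmac.compare_digest(supplied, f"{ADMIN_USER}:{ADMIN_PASSWORD}".encode())

def same_origin(req):
    """True only if the request was issued by a page served by the router."""
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False  # strict: refuse state changes with no stated origin
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == ROUTER_ORIGIN

def apply_settings(router, req):
    """Store the posted SecurityMode value, as the .tri endpoint would."""
    form = parse_qs(req.body)
    if "SecurityMode" in form:
        router.security_mode = form["SecurityMode"][0]
    return 200

def handle_vulnerable(router, req):
    """Behaviour the advisory describes: reads need a password, writes do not."""
    if req.method == "GET":
        return 200 if authenticated(req) else 401
    if req.method == "POST" and req.path.endswith(".tri"):
        return apply_settings(router, req)  # no credential or origin check
    return 404

def handle_hardened(router, req):
    """Authenticate every method, then require same-origin for state changes."""
    if not authenticated(req):
        return 401
    if req.method == "GET":
        return 200
    if req.method == "POST" and req.path.endswith(".tri"):
        return apply_settings(router, req) if same_origin(req) else 403
    return 404

def demo():
    """Run three constructed requests through both handlers."""
    body = "SecurityMode=0&layout=en"  # request body quoted in the advisory
    creds = basic_auth(ADMIN_USER, ADMIN_PASSWORD)
    cases = {
        "no credentials": Request("POST", "/Security.tri", {}, body),
        # A browser replays cached Basic credentials on a forged cross-site post.
        "cross-site, cached credentials": Request(
            "POST", "/Security.tri", {**creds, "Origin": "http://other.example"}, body),
        "admin UI form post": Request(
            "POST", "/Security.tri", {**creds, "Origin": ROUTER_ORIGIN}, body),
    }
    results = {}
    for name, req in cases.items():
        for handler in (handle_vulnerable, handle_hardened):
            router = Router()
            status = handler(router, req)
            results[(name, handler.__name__)] = (status, router.security_mode)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The cross-site case is the reason a password check on writes does not by itself close problem #2: the browser attaches the administrator's cached credentials to the forged request, so the handler also has to check where the request came from.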

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 17:23:15 von Warren Oates

In article ,
Debbie Hurley wrote:

> 2. Connect a yellow wire from the router to the computer

Okay.
--
W. Oates

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 17:29:03 von Robert

On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann wrote:

> Nice kid. Be sure to thank him. If you're in the computah biz, hire
> him.

You are giving advice to hire someone just because they could search the
web and find some outdated information? How does this qualify them? You
are kidding right? You don't happen to be in the computer business
yourself are you?




--

Regards
Robert

Smile... it increases your face value!



Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 17:32:33 von Debbie Hurley

On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann wrote:
>
>
>
>
> You must really be concerned as you also posted the comment to the
> Linksys Forums.

> Note the dates from about a year ago. This was fixed with a firmware
> update to the v5/v6 hardware mutation router with v1.01.0. The
> current version is v1.02.0. Please download, install, and retest.

Hi Jeff!
Yes. I am really concerned. And scared that it takes all of ten seconds to
break into my router by a fifteen year old cute kid who mows my lawn every
month. I believe him when he says I need to upgrade my router. You are the
only one here who believed me. Thank you. Thank you. Thank you. For a
moment, I thought I was going crazy when the "experts" were telling me what
I saw I didn't see. I felt like I was being persecuted for reporting this.
I didn't realize that the Linksys WRT54G router I bought was so weak. Why
didn't Linksys TELL me about this in the package? I have never updated my
"firmware" before. Can you hand hold my hands a bit to tell me how to do
it. I don't want to ruin the router.

I'll first read everything I can find on updating the router and then post
back if I ruin it doing so. I can read well but I don't know how to debug
once I hit a problem. But I keep trying and that's why I'm here talking to
you!

Thank you - I love your post the best because I was beginning to wonder why
nobody else knew about this which seemed pretty bad that it took all of ten
seconds to wipe out all my hardware security.

BTW, my neighbor said to change my IP address and the hostname and media
address of my router and pc constantly because that's what he used to
figure out which was mine in the neighborhood. Is there a way to change the
router & PC hostname and media name automatically every day or do I have to
do it manually every day to be safe?

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 17:35:05 von Debbie Hurley

On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann wrote:
>>I can't believe
>>everyone with a Linksys WRT54G router is throwing it in the garbage.
>
> I've been tempted quite often as there are plenty of other things I
> detest about the WRT54G/GS v5 and v6 mutations.

One thing I'd like to do is change the login name!
I asked on the linksys forums and will check to see if there is a way to
change the login name from just a dumb blank stare to something interesting
so others can't get in so easily through the front door of the router.

I will also read up on how to upgrade the firmware of my router using your
links. Thanks. I love you!

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 17:40:58 von MR. Arnold

"Robert" wrote in message
news:pan.2007.07.04.15.29.00.348591@noplace.nowhere...
> On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann wrote:
>
>> Nice kid. Be sure to thank him. If you're in the computah biz, hire
>> him.
>
> You are giving advice to hire someone just because they could search the
> web and find some outdated information? How does this qualify them? You
> are kidding right? You don't happen to be in the computer business
> yourself are you?
>
>

The kid knew how to find the information and use it. That's the key to using
Information Technology is does one know how to go find the information when
needed and apply it.

Most don't know how to do it.

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 17:45:34 von Debbie Hurley

On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann wrote:
> I've been trying to get various manufacturers to change their
> evil ways and start shipping routers that require the user to setup
> 1. A suitable router password

What I don't get is why the Linksys WRT54G router has a password but not a
login name. Wouldn't it be MORE SECURE if I could change the login name?

I can type anything I want into the login name field but it doesn't take.

Am I doing something wrong?

Why does the Linksys v5 WRT54G router have a login name if it isn't used?
Likewise with the host name. Why does it have a host name that isn't used
and why can't I just set the hostname to a blank.

It seems topsy turvy to me. Am I wrong?

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 18:03:13 von comphelp

Debbie Hurley writes:

> On 04 Jul 2007 09:32:11 -0500, Todd H. wrote:
> >> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
> > Among the reasons having wireless security disabled and letting
> > neighbors join your local network for free is a bad idea.
>
> But, he showed me it works while WIRED to my vulnerable Linksys WRT54G
> router!

This is among the reasons you only let trusted parties on your LAN if
at all possible.

IIRC, it requires LAN access to exploit unless you are running a
non-default configuration whereby remote admin is enabled.

It pertains to wireless insofar as if you don't have wireless security
enabled, then any old neighbor can join to your LAN and then exercise
the vulnerability.

--
Todd H.
http://www.toddh.net/

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 18:59:06 von Jeff Liebermann

Debbie Hurley hath wroth:

>I believe him when he says I need to upgrade my router.

You don't need a new router. You need a firmware update. No big
deal. What I'm concerned about is how remote access got turned on
and who did it (and why). You might want to interrogate the kid.

>You are the
>only one here who believed me.

Yes, but don't presume it's my good intentions or generous attitude.
The problem is that old bugs tend to come back. One version fixes a
problem, the next version brings it back as sloppy coders recycle old
code. In the software biz, it's part of regression testing.

>I thought I was going crazy when the "experts" were telling me what
>I saw I didn't see.

Chuckle. Ever see any magic tricks or sleight of hand? It looks
real, but you just know something is going on in the background. Well,
hacking and breaking in are like that. I derived considerable
entertainment at the expense of a few IT people (who now hate my guts)
breaking into their systems using social engineering, and then making
it look like some kind of vulnerability or systemic problem. Yeah, I
know I have a warped sense of humor, but it keeps me entertained. The
only problem is that the IT people now hate my guts. Oh well.

Anyway, be careful that what you're seeing is actually a breakin or
vulnerability in progress, and not the residue from a previous
breakin. The fact that remote access was apparently enabled makes me
VERY suspicious.

>I felt like I was being persecuted for reporting this.

Well sure. Blame the victim and all that. Nobody wants to be told
their network is full of holes and vulnerable to attack. Why bother
fixing the problem when you can simply discredit the person that found
the problem?

>I didn't realize that the Linksys WRT54G router I bought was so weak.

It's old firmware. Someone goofed and it's been fixed. All vendors
have their security holes and problems.

>Why didn't Linksys TELL me about this in the package?

Actually, that's a good point because I couldn't find it in the
firmware release notes. It's fashionable to disclose vulnerabilities
only after the fixes are available. That's a fair method, but doesn't
work if users like yourself do not perform ritualistic firmware
version checks and updates.

>I have never updated my
>"firmware" before. Can you hand hold my hands a bit to tell me how to do
>it. I don't want to ruin the router.

There are instructions on the Linksys web site (somewhere). It's
basically very easy. Download the firmware image file. Make an extra
effort to be sure you have the correct version and file. You still
haven't bothered to disclose your WRT54G hardware mutation, so I can't
offer specific advice, filenames, and URL's.

Uncompress the download if it's a ZIP file. Go to the firmware update
page:

and browse merrily to the .bin (or whatever) file. Hit update and
wait. When you think it's done, wait some more. Figure on about 2
minutes to be safe. With v5/v6, I don't think you have to reset
anything. That's it.

>BTW, my neighbor said to change my IP address and the hostname and media
>address of my router and pc constantly because that's what he used to
>figure out which was mine in the neighborhood. Is there a way to change the
>router & PC hostname and media name automatically every day or do I have to
>do it manually every day to be safe?

Don't bother. Almost all of that manner of improving security
consists of either obscuring your setup or introducing additional
obstacles. Those are good if you enjoy complicating your own life as
well as that of the prospective hacker, but are generally near
worthless. See the FAQ at:

Your real security is in:
WPA-PSK or WPA2-PSK encryption
Password for router access
Firmware updates
Most of the tweaks are of marginal value.

If you want real security, setup a VPN and a RADIUS server. The
RADIUS server provides a login and password per user, but also
delivers a unique one time WPA encryption key which cannot be leaked.
If I wanted to attack your system, I would not attack the router, but
would try to extract the WPA key from your Windoze registry. See:

A RADIUS server eliminates the use of a shared key, but preventing it
from being leaked. Ummm... Don't tell the 15 year old brat.

As for your other questions....

>One thing I'd like to do is change the login name!
>I asked on the linksys forums and will check to see if there is a way to
>change the login name from just a dumb blank stare to something interesting
>so others can't get in so easily through the front door of the router.

You can't do that with the stock Linksys firmware. There's only one
user and that's admin. Other routers allow additional users and even
user levels, such as read-only users. If you really want this
feature, the alternative firmware (DD-WRT, OpenWRT) all have
additional users. However, again, this is nothing but security by
obscurity and doesn't provide any real security. Anyway, user names
are supposed to be publicly accessible and not hidden like a password.

Incidentally, one of my accomplices decided that I should test his
system security. He did all the right things, but I still managed to
break in. I tricked him into using his laptop to "test" the security
by claiming my laptop was dead. He stupidly saves all his passwords
in his Firefox browser. It was a simple matter to connect,
automatically login with the saved password, and collect my free
lunch. This is again why I don't like shared keys, stored passwords,
and other convenience features.

>What I don't get is why the Linksys WRT54G router has a password but not a
>login name. Wouldn't it be MORE SECURE if I could change the login name?

Lack of sufficient RAM and NVRAM in the router limits the features
that can be crammed inside. Again, the login name is supposed to be
publicly known and accessible and should not be treated as yet another
password. It also doesn't add much security as the same mechanisms
I've previously listed to bypass passwords will work with login names.

>Am I doing something wrong?

1. You didn't specify WRT54G hardware mutation after being asked by
multiple people for this information.
2. You didn't search with Google to see if it was a known problem.
3. Declared the WRT54G to be worthless BEFORE asking if there was a
fix.
4. Trusted my advice. Don't trust ANYONE about security without
first understanding what you're doing, why it's necessary, and
verifying that it's considered a reasonable thing to do.
5. Posted far too many replies. I'm lazy and don't like hopping from
message to message.

>Likewise with the host name. Why does it have a host name that isn't used
>and why can't I just set the hostname to a blank.

That's been asked before, but with no definitive conclusion. The
current guess is that a hostname is required for syslog to work. It
can be anything, but not blank.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 19:01:55 von Debbie Hurley

On Wed, 4 Jul 2007 00:37:07 -0700, Debbie Hurley wrote:

> It's way too easy to break into the Linksys WRT54G router!

So far, here's what people have emailed to my yahoo address or posted here
or in the linksys forum about this horrid WRT54G vulnerability which allows
anyone to eliminate all my security settings in a single curl command
without ever logging into my router.

http://securitytracker.com/alerts/2006/Aug/1016638.html
http://archive.cert.uni-stuttgart.de/bugtraq/2006/08/msg00129.html
http://www.securityfocus.com/archive/1/442467/30/0/threaded
http://www.securityfocus.com/bid/19347/exploit
http://www.securityfocus.com/bid/19347/references
http://www.securityfocus.com/archive/1/452020
http://www.securityfocus.com/bid/19347/references
http://seclists.org/bugtraq/2006/Aug/0218.html

And the solution is here apparently although I haven't found any
confirmation that it actually works (I need to read more before I get the
confidence to "flash" my router having never flashed anything before).

http://www.linksys.com/servlet/Satellite?c=L_CASupport_C2&childpagename=US%2FLayout&cid=1166859837401&packedargs=sku%3DWRT54G&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=3740137401B01&displaypage=download

Debbie

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 19:48:52 von Jeff Liebermann

Robert hath wroth:

>On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann wrote:
>> Nice kid. Be sure to thank him. If you're in the computah biz, hire
>> him.

>You are giving advice to hire someone just because they could search the
>web and find some outdated information? How does this qualify them? You
>are kidding right? You don't happen to be in the computer business
>yourself are you?
>
>

Good questions that deserve an answer.

I've done some hiring in the past with mixed results. I tend to judge
applicants and employees by their "willingness and ability to learn"
and not what they currently know. This is currently not a very
popular method. I have a variety of (illegal) tricks to test for
these attributes. I've found it amazingly difficult to find someone
that is actually able to learn something new. Who needs to learn
anything when you can just look it up on the internet? I even find
myself guilty of such intellectual laziness.

At age 15, this kid hasn't experienced the alleged benefits or the
stultifying and regressive practices of the US secondary and college
educational system. He seems to have initiative, which is a sure sign
that he is still able to think for himself. He may be a script
kiddie, but he has the guts to show off what he knows, which suggests
he has pride in what he knows. He mows lawns, which implies that he
knows what money is worth and how it's obtained. He's trying to be
helpful, which is a substantial improvement over those that just try
to be destructive.

At age 15, I would not expect him to be particularly useful as an
employee. I haven't hired anyone quite that young, but I've had some
experience hiring the local high skool and college inmates. Results
have been mixed, but in general, the smart ones do very well, while
the intellectually lazy eventually screw up and do badly.

I'm self employed and have been successfully playing computer
consultant since about 1982. Prior to that, I designed communications
radios for various employers, owned a communications repair shop, and
owned a print shop. A minor reason why I'm self employed is my
unwillingness to deal with employees (and partners). I currently hire
contractors as needed, but not employees.

I suspect that the OP could hire the kid to fix her wireless security.
However, that's not what's needed. I think he might be more useful in
cleaning up the system security, including the desktops and laptops,
as well as possibly teaching the OP how it all works. He may be
recycling stuff from the internet, but that's how kids learn things
these days. In effect, she would be hiring him as her personal
security advisor and update manager, something a 15 year old could
easily do for a single small system.

Incidentally, in the distant past, when the internet was mostly usenet
news, I ran a Cnews server and BBS in my office. A common initiation
rite at the local high school was to break into my system. Some of
the methods used were amazingly clever and ingenious. I learned quite
a bit. I would later pay some of the better hackers to help maintain
my systems. All of them did well after graduation, although not
necessarily in computing.

It's possible that you fear that your job in firewall security might
be in danger from a 15 year old. I've seen some rather impressive IOS
configuration work done by 18 year olds. I've also seen some
disgusting security holes found by kids who simply don't know that
you're not supposed to do this or that. My former neighbor's 12 year
old was an amazing "finger hacker" who could read my keystrokes almost
as fast as I could type. How many older IT people do you know that
can spot a hacked and wiretapped KVM switch? Are your server room
keystrokes being recorded by the security camera? Are your backup
tapes and drives encrypted and/or secure? Done any dumpster diving
lately? None of this is particularly appealing to the typical IT
employee, but is stock and trade to a 15 to 18 year old. What we gain
in knowledge and experience, we lose in imagination and initiative.

In case you're wondering, I got my start in tech as a 16 year old
phone phreak, which was the accessible high tech of the 1960's. You'll
probably find my name in some Ma Bell horror stories. I was later
lucky enough to find part time employment with companies and
individuals that needed imagination and smarts more than experience
and knowledge.



--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 19:49:52 von Debbie Hurley

On Wed, 04 Jul 2007 09:59:06 -0700, Jeff Liebermann wrote:

> You don't need a new router. You need a firmware update. No big
> deal.

This recommended reference says the Linksys WRT54G firmware update only
fixes half the problems in that something called "authentication bypass
vulnerability" was fixed but not something called "the CSRF vulnerability"
(http://www.securityfocus.com/archive/1/452020).

> The fact that remote access was apparently enabled makes me
> VERY suspicious.

Yes. It was enabled. I don't know how as I never touched that before. Web
access, whatever that is, was also enabled, as was pnp and a zillion other
things.

> It's old firmware. Someone goofed and it's been fixed. All vendors
> have their security holes and problems.

I understand but I would have thought this would warrant a recall like they
do with cars where you bring it in and they bring it back up to safety
specifications. There's no way they should have sold that router to me with
such an unsafe vulnerability. Why do we recall cars but not routers that
have safety problems?

>>I have never updated my
>>"firmware" before. Can you hand hold my hands a bit to tell me how to do
>>it. I don't want to ruin the router.

> Your real security is in:
> WPA-PSK or WPA2-PSK encryption

Hmmm... that's not one of my options. I have WPA2 Personal on the Linksys
WRT54G router (which I looked up to be the same thing as WPA2 PSK) but I
don't have WPA2-Personal or WPA2-PSK options on my Windows XP fully
updated. Something must be wrong with my windows setup so I will keep
looking to see what I need to fix. At least Microsoft constantly updates my
operating system automatically so I don't have to worry about "flashing"
the computer! :)

>
>>Am I doing something wrong?
> 1. You didn't specify WRT54G hardware mutation after being asked by
> multiple people for this information.
I thought I did. It's version 5, and firmware version v1.00.6.
Is there ANOTHER version I need to be aware of?

> 2. You didn't search with Google to see if it was a known problem.
I did search for "curl" but I didn't know what to look for. I did find the
linksys forums and searched there and posted there the exact same question.
They said to upgrade the firmware and tell them if it worked or not to stop
the next curl attempt.

> 3. Declared the WRT54G to be worthless BEFORE asking if there was a
> fix.
The fix seems good but (see prior) it only fixes "authentication bypass
vulnerability" but not "the CSRF vulnerability" according to the references
cited above.

> 4. Trusted my advice. Don't trust ANYONE about security without
> first understanding what you're doing, why it's necessary, and
> verifying that it's considered a reasonable thing to do.

Huh. I trust you. Aren't you trying to help me?

> 5. Posted far too many replies. I'm lazy and don't like hopping from
> message to message.

Oh. I was trying to be responsive and courteous to my friends who were
trying to help me. I'll stop replying so as to prevent the confusion and
allow you to get me to the point I need to be.

Thank you!
Debbie

BTW, which is the "right" newsgroup forum for this kind of Linksys WRT54G
security vulnerability solution type of question?

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 20:47:14 von Jeff Liebermann

Debbie Hurley hath wroth:

>This recommended reference says the Linksys WRT54G firmware update only
>fixes half the problems in that something called "authentication bypass
>vulnerability" was fixed but not something called "the CSRF vulnerability"
>(http://www.securityfocus.com/archive/1/452020).

I'll look at it later. It's a holiday and I'm lazy.

>I understand but I would have thought this would warrant a recall like they
>do with cars where you bring it in and they bring it back up to safety
>specifications. There's no way they should have sold that router to me with
>such an unsafe vulnerability. Why do we recall cars but not routers that
>have safety problems?

Easy. Because no router manufacturer has been successfully sued for
damages resulting from security holes, while automobile manufacturers
tend to get sued for anything and everything.

Please note that there are a literally huge number of vulnerabilities in
various computer products. Given time and limited resources, it's
impossible to just TEST for these vulnerabilities, much less find the
time to fix them.

Open Source Vulnerability Database


Security and Vulnerability announcements

Here's the statistics for MS XP Home:

Note that 15% of the 155 vulnerabilities announced since 2003 has NOT
been patched.

>> Your real security is in:
>> WPA-PSK or WPA2-PSK encryption
>
>Hmmm... that's not one of my options.

WPA-PSK is exactly the same as WPA-Personal
WPS-RADIUS is exactly the same as WPA-Enterprise
I traced back where the name change came from. The Wi-Fi Alliance is
more consumer oriented and went for the Personal and Enterprise. The
IEEE is addicted to acronyms and elected to use PSK and RADIUS.

>I have WPA2 Personal on the Linksys
>WRT54G router (which I looked up to be the same thing as WPA2 PSK) but I
>don't have WPA2-Personal or WPA2-PSK options on my Windows XP fully
>updated. Something must be wrong with my windows setup so I will keep
>looking to see what I need to fix.




>At least Microsoft constantly updates my
>operating system automatically so I don't have to worry about "flashing"
>the computer! :)

Wrong. Microsloth only automagically updates *CRITICAL* updates or
those that compromise security. Optional updates must be downloaded
manually.
Start -> Run -> wupdmgr
It should start IE6 or IE7 and run Windoze update. If it suggests you
upgrade to "Microsoft Update", do it. Then, hit the "Custom" button.
It will grind the hard disk for perhaps 10 minutes deciding what needs
to be updated and present you with a list. Check EVERYTHING, download
and install. Shutdown when it demands and reboot.

You're not done yet. MS Office might need some updates. Start IE6 or
IE6 and go unto:

In the upper right hand corner, is a tiny obscure well buried button
for Office Update. Pick your version of MS Office and do the updates.

There are also plenty of applications on your machine that could use
an update and may have vulnerabilities. Quicktime, Itunes, Winamp,
etc as well as your favorite virus and spyware scanners all need to be
updated.

If you think this is a drag, you're right. There should be a unified
update and notification mechanism. Not this week. Meanwhile, this is
a good thing for your 15 year old prospective hacker to do after
butchering your lawn.

>> 1. You didn't specify WRT54G hardware mutation after being asked by
>> multiple people for this information.
>I thought I did. It's version 5, and firmware version v1.00.6.
>Is there ANOTHER version I need to be aware of?

Sorry. You did in another message that didn't arrive until after I
posted my reply. This is why I don't like a large number of messages.
I get easily lost.

>> 2. You didn't search with Google to see if it was a known problem.
>I did search for "curl" but I didn't know what to look for. I did find the
>linksys forums and searched there and posted there the exact same question.
>They said to upgrade the firmware and tell them if it worked or not to stop
>the next curl attempt.

Ok, you're partially forgiven. If you had typed in the curl command
(wrapped in double quotes), you would have found all the security
advisories.

>> 3. Declared the WRT54G to be worthless BEFORE asking if there was a
>> fix.
>The fix seems good but (see prior) it only fixes "authentication bypass
>vulnerability" but not "the CSRF vulnerability" according to the references
>cited above.

I think we have different criteria for acceptability. The
authentication problem (curl example) is serious and if unpatched, I
too would consider the WRT54G to be dangerously insecure. However, I
know of other vulnerabilities and oddities that also might be used to
compromise security that do not warrant such a drastic action like
recycling the router.
Is the WRT54G useful and fairly safe (after patching)? Methinks so.
Can Linksys do better? Probably.
Would a different router do better? No way to tell.

>> 4. Trusted my advice. Don't trust ANYONE about security without
>> first understanding what you're doing, why it's necessary, and
>> verifying that it's considered a reasonable thing to do.
>
>Huh. I trust you. Aren't you trying to help me?

Nope. I'm just a wolf in sheep's clothing. In my spare time (usually
under the cover of darkness), I join the forces of evil in a never
ending effort to uncover security holes and screwups in computing. As
a side effect, security does gradually tend to improve. However, it's
the challenge that gets my attention, not the side effects. I tend to
do best with social engineering and physical security, but when those
fail, hacking will suffice. Try not to let it bother you as many of
those that really know what they're doing, didn't learn security from
a book, and also tend to have a checkered past.

>BTW, which is the "right" newsgroup forum for this kind of Linksys WRT54G
>security vulnerability solution type of question?

I don't know. I only infest alt.internet.wireless. One technical
newsgroup is all I handle in my ever shrinking spare time.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl"command

am 04.07.2007 21:13:37 von DTC

Jeff Liebermann wrote:
> I've done some hiring in the past with mixed results. I tend to judge
> applicants and employees by their "willingness and ability to learn"
> and not what they currently know. This is currently not a very
> popular method. I have a variety of (illegal) tricks to test for
> these attributes. I've found it amazingly difficult to find someone
> that is actually able to learn something new. Who needs to learn
> anything when you can just look it up on the internet? I even find
> myself guilty of such intellectual laziness.

My IT 'kid' just turned 20. I turn him loose to fix customer issues - if
he can't fix it, he knows how to find the answer. There has never been a
service call that he hasn't cleared.

It's not what you know...it's all in how to recognize what the problem is,
how to fix it or find the answer...and learn from it. And document the
whole episode for future references.

And he's starting up his own trucking business on the side.

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 21:16:28 von Leythos

In article ,
dhurley@ieaccess.net says...
> The first was to access my router by its IP address and then to do a
> remote configuration into the router that way. I had the remote
> configuration enabled so he showed me how to disable that in the router so
> the average person wouldn't disable my router security from half way around
> the world.

Your router default settings, other than 192.168.0.1/24 and the
password and WPA-PSK were fine. Your choice of allowing the default
subnet and the remote access was a large mistake that let him in.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've included does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 21:20:09 von Leythos

In article ,
dhurley@ieaccess.net says...
> On Wed, 4 Jul 2007 09:35:17 -0400, Leythos wrote:
> > While I've not verified it, you should have googled for basic security
> > methods and you would have found that you need to change the default
> > subnet to something else, keeping the 192.168.0, which is the default,
> > is always a bad idea.
> >
> > 192.168.0 and 192.168.1 are common default subnets for home routers,
> > don't use them.
>
> My neighbor says what you said above is totally wrong in that it doesn't
> matter what IP address I use because he uses something called winpcap to
> snare the router IP address off the air!
>
> He says he gets an "ARP" from a program called ethereal which tells him all
> the "who" and "tell" arp commands which tells him every router's IP address
> in the neighborhood. So he called it 'smoke and mirrors' to change my IP
> address.
>
> That's why he suggested I find a patch to the Linksys WRT54G
> GENERIC-MAP-NOMATCH vulnerability.
>
> By the way, he said there are more than one vulnerabilities. I asked him to
> show me in writing and he just sent me something which I'll post to you
> once I clean it up a bit.

And there is more than just not using the default IP, and it does make a
difference, as there are web sites that will hack your router without
using the wireless connection, and they don't "cap it off the air". So,
again, change your subnet, that's first.

Next, you ENABLED REMOTE MANAGEMENT (which is not the fault), so you
screwed yourself there also - disable remote management and setup a
strong password.

Yes, there are exploits, for most any device, but, you can limit your
exposure.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've included does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 21:37:17 von Greg Hennessy

On Wed, 04 Jul 2007 08:03:13 -0700, Jeff Liebermann
wrote:


>
>If remote admin was enabled, someone has been tinkering with the
>default setup.
>

Quite, I get the distinct stench of troll......
--
?¡aah, los gringos otra vez!?

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 21:37:17 von Greg Hennessy

On Wed, 04 Jul 2007 14:29:53 GMT, Debbie Hurley
wrote:

> I had the remote
>configuration enabled

So, you're clever enough to change the default configuration, but you
cannot figure out how to configure WPA-PSK.


Hmmmm.
--
?¡aah, los gringos otra vez!?

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 21:37:17 von Greg Hennessy

On Wed, 04 Jul 2007 14:42:52 GMT, Debbie Hurley
wrote:


>
>He said the only reason we used the wire was to make it easier to show me.
>He even did it wirelessly while out on my driveway outside my house.

Oh really. If you're daft enough to put an open access point in the big bad
world, you deserve everything coming.

> He said ANYONE could do it from the Internet if they knew my IP address.
>Luckily, he said nobody knows my IP address. Whew!

Oh really.

>I didn't realize using a Linksys WRT54G router was so dangerous!

Very dangerous, especially where there is a self identifying problem
between the chair and keyboard.



greg


--
?¡aah, los gringos otra vez!?

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 21:48:10 von Jeff Liebermann

Debbie Hurley hath wroth:

>On Wed, 4 Jul 2007 09:35:17 -0400, Leythos wrote:
>> While I've not verified it, you should have googled for basic security
>> methods and you would have found that you need to change the default
>> subnet to something else, keeping the 192.168.0, which is the default,
>> is always a bad idea.
>>
>> 192.168.0 and 192.168.1 are common default subnets for home routers,
>> don't use them.

>My neighbor says what you said above is totally wrong in that it doesn't
>matter what IP address I use because he uses something called winpcap to
>snare the router IP address off the air!

Baloney. All 802.11 wireless is done by bridging on Layer 2 with
MAC addresses. There is nothing in the 802.11 protocol or specs that
even mentions IP addresses. Not all wireless packets are encrypted.
However, all packets that contain an IP address in the header,
including ARP broadcasts and responses, are encrypted. He could sniff
all he wants and without the encryption key, he's not going to see an
IP address go by.

I wasn't 100.0% sure of this so I ran some old capture log files
through Ethereal looking for telltale ARP broadcasts
(frame.pkt_len==68 and wlan.da==ff:ff:ff:ff:ff:ff)
and their corresponding responses. No IP's visible. I'll run some
more tests later as I'm still not 100.0% sure that all IP's are
suitably encapsulated in encrypted packets.

>He says he gets an "ARP" from a program called ethereal which tells him all
>the "who" and "tell" arp commands which tells him every router's IP address
>in the neighborhood. So he called it 'smoke and mirrors' to change my IP
>address.

He can do network discovery successfully from the wired ethernet part
of the network, because the packets are not encrypted. That would
require he plug his laptop into your router and run whatever
application he finds useful. However, if he were to attempt that via
wireless, on an encrypted WLAN to which he does NOT have the key, it
won't work. He would see the MAC addresses of most of the devices,
but not the IP addresses.

>That's why he suggested I find a patch to the Linksys WRT54G
>GENERIC-MAP-NOMATCH vulnerability.

Sigh. GENERIC-MAP-NOMATCH means that the vulnerability does not match
anything in the Common Vulnerabilities and Exposures database. In
other words, it's either something new, weird, or ridiculous. It's
not a specific vulnerability or problem.


>By the way, he said there are more than one vulnerabilities.

Yeah, they do reproduce themselves. Kinda like recycled year old
vulnerabilities rise from the near dead.

>I asked him to
>show me in writing and he just sent me something which I'll post to you
>once I clean it up a bit.

Ask him to post somewhere, a capture log and WireShark decode of a
wireless encrypted session that shows exposed IP addresses. I'm too
lazy to do the work on a holiday.


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
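
Added example, not part of the original thread: a Python sketch of the point argued in the post above, namely that an 802.11 data frame always exposes its MAC addresses in the header, while the ARP payload carrying the IP addresses is readable only when the Protected Frame bit is clear. The frames, MAC and IP addresses are constructed, and the XOR keystream is only a stand-in for the real WLAN cipher.

```python
import hashlib
import socket
import struct

LLC_SNAP_ARP = bytes.fromhex("aaaa03000000" "0806")  # LLC/SNAP header + EtherType ARP
BROADCAST = b"\xff" * 6
# Constructed sample values (assumptions, not taken from any capture in the thread).
BSSID = bytes.fromhex("020000000001")
STATION = bytes.fromhex("020000000002")
STATION_IP, ROUTER_IP = "192.168.0.100", "192.168.0.1"
ARP_FMT = ">HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_arp(body):
    """Return ARP fields if body is cleartext LLC/SNAP + ARP, else None."""
    if len(body) < 8 + 28 or not body.startswith(LLC_SNAP_ARP):
        return None
    _ht, _pt, _hl, _pl, oper, sha, spa, _tha, tpa = struct.unpack_from(ARP_FMT, body, 8)
    return {
        "oper": oper,
        "sender_mac": mac(sha),
        "sender_ip": socket.inet_ntoa(spa),
        "target_ip": socket.inet_ntoa(tpa),
    }


def parse_data_frame(frame):
    """Report what a passive listener without the key can read from one frame."""
    if len(frame) < 24:
        raise ValueError("too short for an 802.11 data header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    protected = bool(fc & 0x4000)
    if ftype != 2:
        raise ValueError("not a data frame")
    if to_ds and from_ds:
        raise ValueError("4-address frames are not handled in this sketch")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds:            # station -> access point
        bssid, sa, da = a1, a2, a3
    elif from_ds:        # access point -> station
        da, bssid, sa = a1, a2, a3
    else:                # ad hoc
        da, sa, bssid = a1, a2, a3
    header_len = 24 + (2 if subtype & 0x8 else 0)  # QoS data adds 2 bytes
    body = frame[header_len:]
    # A protected body is a cipher header plus ciphertext, so it does not
    # parse as LLC/SNAP + ARP and no IP address can be read from it.
    return {
        "protected": protected,
        "bssid": mac(bssid),
        "sa": mac(sa),
        "da": mac(da),
        "body_len": len(body),
        "arp": parse_arp(body),
    }


def build_sample_frame(protected):
    """Constructed ARP who-has broadcast from STATION, sent via the access point."""
    flags = 0x01 | (0x40 if protected else 0x00)  # ToDS, optionally Protected Frame
    header = bytes([0x08, flags]) + b"\x00\x00" + BSSID + STATION + BROADCAST + b"\x10\x00"
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, STATION,
                      socket.inet_aton(STATION_IP), bytes(6), socket.inet_aton(ROUTER_IP))
    body = LLC_SNAP_ARP + arp
    if protected:
        # Stand-in for the real cipher: hash-derived keystream XOR, framed with a
        # CCMP-style 8-byte header and an 8-byte MIC placeholder.
        ks = hashlib.sha256(b"constructed demo key").digest() * 2
        body = (bytes.fromhex("0100002000000000")
                + bytes(p ^ k for p, k in zip(body, ks)) + ks[-8:])
    return header + body


if __name__ == "__main__":
    for label, prot in (("open WLAN", False), ("encrypted WLAN", True)):
        print(label, parse_data_frame(build_sample_frame(prot)))
```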

Re: Help my Linksys WRT54G router was broken into using the "curl" command

am 04.07.2007 22:05:33 von Jeff Liebermann

Greg Hennessy hath wroth:

>On Wed, 04 Jul 2007 14:42:52 GMT, Debbie Hurley
>wrote:
>>He said the only reason we used the wire was to make it easier to show me.
>>He even did it wirelessly while out on my driveway outside my house.

>Oh really. If you're daft enough to put an open access point in the big bad
>world, you deserve everything coming.

Right. Blame the victim. Nicely done.

Look carefully at the paper box the consumer routers are packaged in.
They're mostly advertising material and are full of acronyms attesting
to the high levels of security the user gets if they buy the product.
"Buy me and you'll be safe" from evil hackers like me is the mantra.
Well, there's just one problem. All the security is disabled by
default. Plug, play, and you're wide open.

Now, I know a little about business/commercial law. I'll spare
everyone the hair splitting and leave out the legal rubbish.
Basically, the consumer has a perceived notion that this router will
protect them from evil. If it fails to do that, whose fault would you
guess it is? To an average person, of average abilities, the level of
education necessary to properly administer a wireless router is
substantial and well above what a court of law would consider
necessary. Therefore, the responsibility for adequate security falls
on the manufacturer, and not the consumer. The not so minor detail
that all consumer grade wireless router manufacturers, except 2Wire,
are shipping their routers insecure by default, should open up
suitable opportunities for litigation. I've been contacted by a few
ambulance chasers planning to do exactly that, but have declined their
offers.

A suitable analogy would be if you purchased a consumer device that
allegedly protected you from some evil, but required that you upgrade
your esoteric knowledge level considerably. During this several year
long education process, you discover that the device has been
essentially disabled and wasn't doing anything useful. Whom would you
blame?

>Very dangerous, especially where there is a self identifying problem
>between the chair and keyboard.

Blame the victim again. At least you didn't resort to name calling
and labeling.

I have a loaded question for you: Are you so in love with the
technology that you forget that real humans are expected to operate
the devices? I'm curious because this problem seems to be epidemic
among technical types. I'm sometimes guilty of it myself.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 04.07.2007 22:26:14 by Leythos

In article ,
jeffl@cruzio.com says...
> Right. Blame the victim. Nicely done.

Did you miss the part where the OP enabled wireless access and also
enabled remote management?

It's entirely the OP's fault.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've include does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 04.07.2007 22:50:41 by Greg Hennessy

On Wed, 04 Jul 2007 13:05:33 -0700, Jeff Liebermann
wrote:

>
>I have a loaded question for you: Are you so in love with the
>technology that you forget that real humans are expected to operate
>the devices?

On the contrary, speaking as someone who is the one eyed man in the land of
blind for half a dozen folks who have no PC knowledge.

I am intimately aware of the frustration caused by technology and go out of
my way to avoid causing the 1000 yard stare inflicted by an overdose of
geekese which is so easy to slip into.

> I'm curious because this problem seems to be epidemic
>among technical types. I'm sometimes guilty of it myself.

Someone changed the router from its default settings. The question is who.
If you're capable of posting to a newsgroup, securing one of the best
selling wireless routers out should not be that much of a challenge.




greg

--
"Aah, the gringos again!"

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 05.07.2007 00:19:26 by Mike

In message
at 10:49:52 on Wed, 4 Jul 2007, Debbie Hurley
wrote
>> The fact that remote access was apparently enabled makes me
>> VERY suspicious.
>
>Yes. It was enabled. I don't know how as I never touched that before. Web
>access, whatever that is, was also enabled, as was pnp and a zillion other
>things.
>
I remember your post in uk.telecom.broadband about a month ago where
you'd forgotten the admin password for your router, and wondered how it
could be reset (I remember your name cos it's the same as someone I know
from work). Did you let your neighbour friend configure your router for
you then?
--
Mike News

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 05.07.2007 00:42:22 by Jeff Liebermann

Greg Hennessy hath wroth:

>Someone changed the router from its default settings. The question is who.

Well, it's fairly easy to get lost in the flurry of postings and
followups, so I'll summarize. There is no security risk to enabling
remote management as long as one uses SSH or SSL (if available) to
access the router config and the router has a reasonably secure
password setup. For the stock WRT54G firmware, there is no secure
method of doing remote access, as it lacks SSH or SSL and the password
is probably sent unencrypted, so remote management is disabled by
default. See settings as shown at:


The problem I had with the original start of this thread question was
that she indicated that:
"He showed me how to disable remote administration but he
said the vulnerability still exists until I get a new router."
The implication was that someone had previously turned on remote
admin. We can only speculate as to whom at this time. Until a
suitable culprit is established, we really shouldn't be assigning the
blame. The first step to solving a problem is NOT to assign the blame.

There is also an open issue as to who is responsible for updating the
firmware. Linksys formerly had a "check for firmware updates" button,
but that never worked even in the original incantation. It was long
ago quietly dropped. Is Linksys responsible for informing customers
that their firewall is porous? Probably, but I don't see an easy way
to implement updates, especially since the prime directive at Linksys
seems to be to reduce costs by reducing RAM, NVRAM, and features. At
the present time, the customer is responsible for updates. This is
more by the abdication of responsibility than by intent, as few
customers are qualified and even fewer understand the necessity of
updates.

There's also a skool of thought that suggests that if things are
working, don't touch them. I've probably seen more systems destroyed
by updates than by hacking, viruses, and worms. After a few
disasters, customers tend to be paranoid. I hear "leave it alone" all
too often. I fight it, but not very well. With some vendors, I
intentionally delay updates as they have a track record of breaking
more things than they fix. Who's responsible for these updates? I
guess it's me.

>If you're capable of posting to a newsgroup, securing one of the best
>selling wireless routers out should not be that much of a challenge.

Really? Then why are there so many FAQ's, guides, blogs, and
re-hashed instructions on how to setup a "simple" wireless router?
Could it be that it's really not that simple? Just read through the
questions on the Linksys wireless forums for a clue.

For today, there are already 51 questions, a mess of followups, and
the day isn't half over. There seem to be an awful lot of people
having problems with Linksys wireless. Perhaps it's because wireless
is NOT so simple?

Switching over to dslreports.com, it's somewhat better:


I'll spare you my list of horror stories that illustrate that there are
still plenty of problems to be solved with consumer wireless hardware,
drivers, and config. Try roaming between consumer wireless AP's for a
great exercise in frustration.

Another clue is the cancerous growth of wireless acronyms, buzzwords,
protocols, and specs. I'm directly involved in all this and even I
can't keep them straight. Every time I open a magazine, new terms
appear out of nowhere. Then, there are the vendor proprietary
hang-on's (Cisco Compatible Extensions). I can't even pronounce some
of the wireless company names. I can barely keep up to date and you
claim that setting up one of these isn't much of a challenge?

As for a person's posting abilities being indicative of their ability
to setup a wireless network, I don't think there's much of a
connection. An amazing (and alarming) number of help requests in
alt.internet.wireless are missing the absolute minimum information
necessary to craft a sane reply. Briefly:
1. What problem are you trying to solve? One sentence is fine.
2. What do you have to work with? (Hardware, software, versions).
3. What did you do and what happened? (Exact error messages).
The same people would never dream of asking the clerk at the auto
parts store for advice on their vehicle without specifying the
necessary info, yet they expect answers on usenet without doing the
same.

Finally, permit me the liberty of some semantic hair splitting and
guesswork. You suggest that "... securing one of the best selling
wireless router..." I have a very tiny problem with this statement.
You don't secure the router, you secure the system (or network). In
home wireless, it takes at least two to tango. Each link has at least
two ends. Securing one end is insufficient as I can breach security
just as easily at the client end. I posted a few examples in a
previous message in this thread.



--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 05.07.2007 03:15:10 by Jeff Liebermann

Mike hath wroth:

>In message
>at 10:49:52 on Wed, 4 Jul 2007, Debbie Hurley
>wrote
>>> The fact that remote access was apparently enabled makes me
>>> VERY suspicious.

>>Yes. It was enabled. I don't know how as I never touched that before. Web
>>access, whatever that is, was also enabled, as was pnp and a zillion other
>>things.

>I remember your post in uk.telecom.broadband about a month ago where
>you'd forgotten the admin password for your router, and wondered how it
>could be reset (I remember your name cos it's the same as someone I know
>from work). Did you let your neighbour friend configure your router for
>you then?

Go unto the Google Advanced Search:

Inscribe uk.telecom.broadband into the Group field.
Then try various versions of her name and email address in the Author
box. Nothing found.

Try a Google Profile for Debbie Hurley at:

This could be more than one person, but it does list all the groups to
which Debbie Hurley has posted. 57 groups in the pull down box and
uk.telecom.broadband is NOT among them.

Interestingly, her email address changed from dhurley@ieaccess.net to
debbie.hurley@yahoo.com along with a change in IP address in the last
message. Both appear to be valid. That should add some additional
fuel to any conspiracy theories.

Punch her IP addresses of 69.110.27.48 or 69.110.17.91 into:

Located near San Jose on SBCglobal/at&t, not in the UK.

Is this really a security newsgroup?


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl"command

on 05.07.2007 07:36:52 by Jens Hoffmann

Hi,

> All the security is disabled by
> default. Plug, play, and you're wide open.

Not necessarily. I installed an AVM box earlier this year, which was
configured securely. It was delivered with preconfiguration for an ISP
and a preconfigured USB-Stick. WPA enabled, everything closed ;)

So, it is possible to have secure consumer equipment.

>Therefore, the responsibility for adequate security falls
> on the manufacturer, and not the consumer.

This depends massively on which legal system you are using.

> I have a loaded question for you: Are you so in love with the
> technology that you forget that real humans are expected to operate
> the devices?

They are not.

> I'm curious because this problem seems to be epidemic
> among technical types. I'm sometimes guilty of it myself.

When computers are commodities and sold next to washing machines,
then you are right. (Upps, they are?)

Cheers,
Jens

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 05.07.2007 20:29:32 by unknown

Post removed (X-No-Archive: yes)

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 05.07.2007 21:28:12 by comphelp

Jim Watt writes:

> On Wed, 04 Jul 2007 14:34:19 GMT, Debbie Hurley
> wrote:
>
> >He showed me how to do it on my OWN Windows computer.
>
> So the security measure he bypassed was your front door
>
> There's a big difference between someone inside your house
> and network and the evil hackers in China (or Gibraltar)

In her defense--and despite the spastic posting Debbie has done on
this--this vulnerability is one that actually is remotely exploitable
under common conditions via a cross site scripting attack.

Viewing a web site that convinces the browser to submit a post
request to the default IP of a linksys router's webpage is all that's
required to disable the security mode and bypass the admin password.
It appears that at most, a second POST that enables remote management
is all that'd be needed.

curl is nothing magical, by the way-- just a command line utility to
replicate GET and POST transactions that a web browser does behind the
scenes. It makes for an easy demonstration, but it is not required in
this attack.

WRT54G hardware version 5 owners who've never upgraded their firmware
should be very concerned about this unless they are extremely cautious
in their websurfing. Such extreme caution breaks about half of all
web sites these days, so very few folks surf with that level of
caution.

Please read:

Linksys WRT54g authentication bypass
http://www.securityfocus.com/archive/1/442452/30/0/threaded

includes: "The combination of these two bugs means that any
internet web site can change the configuration of your
router. Recently published techniques for port-scanning and
web server finger printing via java and javascript make this
even easier."

Mention of patched firmware quietly released by Linksys
http://www.securityfocus.com/archive/1/452020



Best Regards,
--
Todd H.
http://www.toddh.net/
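
The cross-site request described in the post above leaves a recognisable trace in browser or proxy logs: a request whose target is a LAN address while its Referer is a public web site. The following detection logic is an added example, not part of the original post or the cited advisory; the log format, the severity labels, and every host and path other than `192.168.0.1/Security.tri` are assumptions.

```python
"""Flag requests that a public web page caused a browser to send to a LAN address.

Assumed log format (one request per line, e.g. from a forward proxy):
    <client-ip> <METHOD> <url> <status> "<referer>"
"""
import ipaddress
import shlex
from collections import namedtuple
from urllib.parse import urlsplit

# Constructed sample lines, not captured traffic. 192.168.0.1/Security.tri is
# the URL quoted in this thread; every other host and path is made up.
SAMPLE_LOG = """\
192.168.0.23 GET http://www.example.com/index.html 200 "-"
192.168.0.23 POST http://192.168.0.1/Security.tri 200 "http://www.example.com/index.html"
192.168.0.23 POST http://192.168.0.1/admin/save 200 "http://192.168.0.1/admin"
192.168.0.23 GET http://192.168.0.1/ 401 "-"
192.168.0.23 GET http://192.168.1.1/logo.gif 404 "http://www.example.com/index.html"
192.168.0.23 POST http://10.0.0.138/setup 403 "https://ads.example.net/frame"
192.168.0.23 POST http://192.168.0.1/Security.tri 200 "-"
192.168.0.23 POST http://forum.example.org/reply 200 "http://forum.example.org/thread/7"
"""

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

Entry = namedtuple("Entry", "client method url status referer")
Finding = namedtuple("Finding", "line_no severity method url referer")


def is_private_host(host):
    """True if host is an IP literal in private, loopback or link-local space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolving it is out of scope here
    return ip.is_private or ip.is_loopback or ip.is_link_local


def host_of(url):
    """Host part of a URL, or None for '-' and for unparsable values."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def parse_line(line):
    """Parse one log line into an Entry; return None if it is malformed."""
    try:
        fields = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return None
    if len(fields) != 5 or not fields[3].isdigit():
        return None
    client, method, url, status, referer = fields
    return Entry(client, method.upper(), url, int(status), referer)


def classify(entry):
    """Return 'high', 'medium', 'low', or None for an unremarkable request."""
    target = host_of(entry.url) or ""
    if not is_private_host(target):
        return None  # only requests into LAN address space are of interest
    changes_state = entry.method in STATE_CHANGING
    ref_host = host_of(entry.referer)
    if ref_host is None:
        # No Referer: typed URL, bookmark or a command-line client such as curl.
        return "low" if changes_state else None
    if ref_host == target:
        return None  # the device's own pages submitting to itself
    if is_private_host(ref_host):
        return "low" if changes_state else None  # another LAN host
    # A public page made the browser talk to a LAN device.
    if changes_state and entry.status < 400:
        return "high"  # state-changing request that the device accepted
    return "medium"  # probe, fingerprinting fetch, or rejected attempt


def scan(log_text):
    """Classify every line of log_text and return the list of Findings."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity:
            findings.append(
                Finding(line_no, severity, entry.method, entry.url, entry.referer)
            )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity:6} {f.method} {f.url} <- {f.referer}")
```
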

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 07.07.2007 10:11:06 by Volker Birk

Debbie Hurley wrote:
> 2. Connect a yellow wire from the router to the computer

If you can attach the router's hardware, then you just can reset it. You
don't need any password then.

> 7. Look at your router to see you now have NO SECURITY!

Correct. And there is no security needed against this. The behaviour is
documented how to reset your router, so your neighbour just found out a
very complicated way to achieve the same (with the advantage not to
remove the current configuration, it seems).

> I didn't realize using a Linksys WRT54G router was so dangerous!

Nothing is dangerous here. "This behaviour is by design".

Yours,
VB.
--
"Care must be taken that the Basic Law is not protected by methods
that run counter to its aim and its spirit."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 07.07.2007 18:33:08 by Alfred Einstein

"Jeff Liebermann" wrote in message
news:lcun83tlftq8lijs89ob1guhn2hgigq3i3@4ax.com...
> I have a loaded question for you: Are you so in love with the
> technology that you forget that real humans are expected to operate
> the devices?

You expect otherwise in Usenet/geeksville?

This would be a better place if people checked their egos at the door.
But that just doesn't happen ... there's no door, and no sheriff.

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 08.07.2007 20:52:26 by unknown

Post removed (X-No-Archive: yes)

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 08.07.2007 21:22:58 by Jeff Liebermann

John Gray hath wroth:

>Maybe that's why trolls also post here.

Actually, the trolls aren't as much of a problem as those that post
inane, useless, irrelevant, thoughtless, unsubstantiated, and
generally stupid, one-line responses (like this one).

If you feel that you've wasted your time reading this message, you're
correct, and I've achieved my goal.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 08.07.2007 23:10:57 by unknown

Post removed (X-No-Archive: yes)

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 09.07.2007 02:56:42 by Jeff Liebermann

John Gray hath wroth:

>Jeff Liebermann wrote in
>news:07e293dqtp8khur7p0fiubnjqcnu070410@4ax.com:
>
>> John Gray hath wroth:
>>
>>>Maybe that's why trolls also post here.
>>
>> Actually, the trolls aren't as much of a problem as those that post
>> inane, useless, irrelevant, thoughtless, unsubstantiated, and
>> generally stupid, one-line responses (like this one).
>>
>> If you feel that you've wasted your time reading this message, you're
>> correct, and I've achieved my goal.

>Are you sure they aren't trolls? What makes you think just because one
>frequents a Usenet group for a number of months and constantly throws
>diatribes and jabs likely isn't a troll?

OK. I'll confess. I spend several hours a day answering questions in
alt.internet.wireless, several other groups, and a few mailing lists
for the purpose of baiting and insulting people. I provide the
necessary technical details, background, URL's, and possible solutions
for self-aggrandizement and to make others look bad by comparison. I
also take pot shots at the experts when they screw up, solely for
target practice. Whenever I answer a question, I always use marginal
examples to maximize the potential for topic drift. I do all this to
gather attention to myself, just like a troll. Happy?

>I'd already read some of the links and information you posted in this
>thread.

Amazing. I don't even read my own postings. It's good to see that
someone reads my stuff because apparently the person asking the
question often fails to read my postings. For example, when I ask a
specific question, such as what hardware is having a problem, I rarely
get an answer. Fear of numbers, I guess.

>Debbie could have disabled(if she didn't) remote configuration.

Sure. However she didn't know what it was, where it was located, what
it did, or who turned it on. Such things don't happen by accident.
Someone had been playing and it wasn't her. Interestingly, nobody
mentioned running an online port scan, which surely would have shown port
8080 to be accessible.

>Most people have no need for remote configuration at all. Securing the
>WiFi connections would have helped. Sadly, most routers would be returned
>when they didn't connect if the security wasn't mandatory. Additionally,
>updating the factory firmware to the latest version would have helped. As
>would not letting anyone touch the router, including the kid next door.

Agreed on all points. That would be one approach. What I recommended
is that she trusts the 15 year old kid with maintaining her system and
her security. It has its risks, but my experience with the local high
skool hackers shows otherwise. Other approaches would be to hire
someone with a clue, spend some time getting up to speed on wireless
security, or find someone online that will do the job remotely.

>I don't believe that V5 and above have third party firmware. All the third
>party firmware for the WRT54G has been Linux based. Even if these newer
>routers could run it, the rom size has been reduced and these firmware
>wouldn't fit anyway.

My experiences with v5 and v6 WRT54G routers has been limited and
dismal. That's because I've exchanged or sold every one that I've run
into.

DD-WRT works on v5, v6, and v7. I tried it on several v5 routers and
found no improvement to the chronic hangs and disconnects.


There's some work being done on v7 and v8 but all I've seen is:


>Secure the computers on the LAN first,and then the router. Between the
>two, most people will be quite safe. Of course, none of these will protect
>people from themselves or guests let into their homes.
>
>This thread has gotten quite heated. The solutions are lost in the storm
>of conflicting messages, and taking a confrontational stance only makes it
>worse regardless of the accuracy of what was posted.

Agreed. Facts, details, references, anecdotes, analysis, and sometimes
my opinions create considerable friction. I'll try to limit myself to
tactful generalizations, respectful sympathy, and perhaps one line
replies.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 09.07.2007 04:40:07 by unknown

Post removed (X-No-Archive: yes)

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 09.07.2007 05:26:12 by Jeff Liebermann

John Gray hath wroth:

>Jeff Liebermann wrote in
>news:q70393hlqn0boq2s0ses5d2jve57s19f55@4ax.com:
>> My experiences with v5 and v6 WRT54G routers has been limited and
>> dismal. That's because I've exchanged or sold every one that I've run
>> into.
>>
>> DD-WRT works on v5, v6, and v7. I tried it on several v5 routers and
>> found no improvement to the chronic hangs and disconnects.
>>
>>
>> There's some work being done on v7 and v8 but all I've seen is:
>>

>The DD-WRT firmware that will install on the newer WRTs is a micro version
>with much of the added functionality available in the larger DD-WRT
>firmware removed, among other changes.

Correct. See table of features at:

The only version that works is the Micro version for V5 and V6.
Note that the feature for the micro is about the same as what you get
with the stock Linksys firmware with RADVD added. It's the added
features that make DD-WRT and OpenWRT attractive (to me). In
addition, installing DD-WRT on v5 and v6 routers is somewhat of an
ordeal. Not recommended.

Incidentally, you brought up the problems with v5 and v6 in this
discussion. Why?

>A year ago, I had to search the local retail stores to find an older WRT54
>that had the Linksys Linux firmware. I finally gave up and got the friend
>a WRT54GS in order to stay away from VXWorks and to have more ram and rom
>available. He'll never use the GS speed on WiFi.

Walmart was selling WRT54Gv4 routers until just recently, when they
finally ran out. I switched to Buffalo routers for new installations.
They have the same processor and memory as the Linksys v4, but IMHO
are a better device. No problem with supply yet, but the recent
injunction for patent infringement may eventually cause problems. Also
note that there are a very large number of other boxes that will run
DD-WRT or OpenWRT.


>> Agreed. Facts, details, references, anecdotes, analysis, and sometimes
>> my opinions create considerable friction. I'll try to limit myself to
>> tactful generalizations, respectful sympathy, and perhaps one line
>> replies.

>One line replies don't suffice either. Evidently that's all it took to
>trip your trigger.

Well, I'm having a rather bad time of it lately. It started with a
bad day, then a bad week, and may soon turn into a bad month. Try not
to take my vicious attacks personally. I've been snarling at everyone
lately but should be back to my normal level of hostility in about a
month.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 09.07.2007 06:44:13 by unknown

Post removed (X-No-Archive: yes)

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 09.07.2007 07:20:21 by Jeff Liebermann

John Gray hath wroth:

>Actually, I mentioned it due to DD-WRT being recommended in this thread.

I just checked all my postings on the topic. I did mention DD-WRT as
she wanted to change the login name as well as the password. It's not
exactly a recommendation. See:


"Other routers allow additional users and even
user levels, such as read-only users. If you really
want this feature, the alternative firmware (DD-WRT,
OpenWRT) all have additional users. However, again,
this is nothing but security by obscurity and doesn't
provide any real security."

For a moment there, I thought I had made a mistake. Whew...

>>
>
>The WRT300N looks promising.

v1 only. v2 doesn't play (as a friend recently discovered the hard
way). He bricked it so well that I had to use the JTAG firmware load
in order to recover. See "blacklist" at:

Also, the WRT300N v1 requires DD-WRT v24, which is still very beta.

>We all have days like that. I've had to delay responding sometimes. On
>reading the post later that I was going to reply to, my outlook or take on
>what and why something was written often changes. Often, what one means to
>say is interpreted incorrectly, either due to bad composition or the
>reader's different POV or baggage. We all have baggage, and not all if it
>is helpful experience all the time.

Yep. I have all that and more. Add massive confusion on my part as
to the topic of discussion precipitated by posting to perhaps 12
different but similar threads every day. It's really difficult to
keep them straight. Re-reading the previous postings is required, but
I still manage to mix things up. Add to that medical problems,
problems with the ladyfriend(s), customers from hell, and gaining some
more surplus mass around the waist. I also don't bother doing battle
with myself (I always lose) or apply much tact when answering
questions. The results are predictable.

>A shot of Jack Daniels at bedtime may help. Just don't overindulge.
>Hangovers don't help one's disposition. As for me, I'm just a 'ray of
>sunshine'.

I don't drink. It's not anything religious, moral, or ethical. I
simply have low dissipation and can't handle booze very well. I also
have one drunk and one recovering alcoholic in the family, and I don't
want to end up like them.

Time to take out my aggressions on the piano (synthesizer) instead of
the newsgroup.


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 09.07.2007 08:49:57 by zacek

Hi, my name is Adrian, and I'm interested in how to use the curl command
to break the password and log in to the WRT54G Linksys access point. I
don't know the version of firmware but I think it is the same as yours.
I need help because I think someone changed my administrator password.
Please send a reply as soon as possible.

Sincerely, Adrian



kev wrote:
> Debbie Hurley wrote:
> > It's way too easy to break into the Linksys WRT54G router!
> >
> > Instantly bypassing the administrator password, my fifteen-year old
> > neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> > in ten seconds simply by sending this one "curl" command to it via the
> > Internet from his home next door!
> >
> > c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>
> Unless I am getting old then if he posted this command via the Internet
> it would have got him nowhere. The curl -d command would post the data
> to 192.168.0.1 which is not a public IP address available on the
> Internet and would have given him a timeout, unless his router
> address is 192.168.0.1.
> >
> > This kid was kind enough to knock on my door today to tell me to fix it.
> >
> > I invited him in, and from inside my own house, he showed me the Linksys
> > WRT54G command above which immediately disabled all my wireless security
> > WITHOUT him having to enter any password!
>
> For him to use this command on your computer implies you are using a
> Linux distribution and have installed curl and should know what it is
> capable of doing.
> http://curl.haxx.se/docs/manpage.html#URL
> >
> > He showed me how to disable remote administration but he said the
> > vulnerability still exists until I get a new router. I can't believe
> > everyone with a Linksys WRT54G router is throwing it in the garbage.
> >
> > Where/how can I find a firmware update that protects me from this
> > vulnerability?
> >

Re: Help my Linksys WRT54G router was broken into using the "curl"command

on 09.07.2007 09:09:15 by DTC

zacek wrote:
> Hi, my name is Adrian, and I'm interested in how to use the curl command
> to break the password and log in to the WRT54G Linksys access point. I
> don't know the version of firmware but I think it is the same as yours.
> I need help because I think someone changed my administrator password.
> Please send a reply as soon as possible

Regardless of the firmware (which can be found on the back label), it can
be reset.

Hold down the reset button for at least a full 30 seconds. This will
default your router to factory settings, including the password. Of course,
you'll have to reset all your custom settings.

It IS *your* router, right?

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 09.07.2007 20:10:20 by unknown

Post removed (X-No-Archive: yes)

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 13.07.2007 22:10:49 by seaweedsteve

On Jul 8, 11:44 pm, John Gray wrote:

>
> >>The DD-WRT firmware that will install on the newer WRTs is a micro
> >>version with much of the added functionality available in the larger
> >>DD-WRT firmware removed, among other changes.

>
> The WRT300N looks promising.

Am I missing something here? Isn't the WRT54GL the one they now sell
specifically for those who want to use replacement firmware? Not
castrated and simple to change FW.

If one must have a new linksys running DD-WRT, that's the one to
get.

Steve

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 14.07.2007 03:40:15 by unknown

Post removed (X-No-Archive: yes)

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 14.07.2007 05:11:47 by Jeff Liebermann

On Fri, 13 Jul 2007 13:10:49 -0700, seaweedsteve
wrote:

>> The WRT300N looks promising.

>Am I missing something here?

Yes.

>Isn't the WRT54GL the one they now sell
>specifically for those who want to use replacement firmware? Not
>castrated and simple to change FW.

Nope. The WRT54GL is identical to the reduced flash/RAM WRT54G v4. It
was Linksys' knee-jerk reaction to general disgust over the v5 and v6
mutations. Of course, they raised the price at the same time. To
underscore Linksys' commitment to open source, they came out with the
WRT54 v8 which so far can't run Linux, and has non-removeable
antennas.

>If one must have a new linksys running DD-WRT, that's the one to
>get.

Nope. Many people working on open source alternatives have given up
on the WRT54G/GS line for the aforementioned reasons. Meanwhile,
DD-WRT and OpenWRT have been ported to a growing number of other
devices, which are not as disgusting as the WRT54G v5, v6, and v7. For
example, I've been using mostly Buffalo products and have not
regretted the change.





Free advice: Never try to oil a power supply fan while it's running.



--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 14.07.2007 18:22:01 by unknown

Post removed (X-No-Archive: yes)

Re: Help my Linksys WRT54G router was broken into using the "curl" command

on 14.07.2007 19:42:35 by Jeff Liebermann

John Gray hath wroth:

>Jeff Liebermann wrote in
>news:20fg939berhu5chsgsa20rfg51dddi5q0c@4ax.com:

>>>Isn't the WRT54GL the one they now sell
>>>specifically for those who want to use replacement firmware? Not
>>>castrated and simple to change FW.
>>
>> Nope. The WRT54GL is identical to the reduced flash/RAM WRT54G v4. It
>> was Linksys' knee-jerk reaction to general disgust over the v5 and v6
>> mutations. Of course, they raised the price at the same time. To
>> underscore Linksys' commitment to open source, they came out with the
>> WRT54 v8 which so far can't run Linux, and has non-removeable
>> antennas.
>
>The V4 only changed the chipset to a Broadcom BCM5352EKPB Chipset. It has
>the same rom and ram as previous versions. V5 and above did that. The GL
>has the same rom and ram as the WRT54G V1 thru V4 according to this site.
>
>http://en.wikipedia.org/wiki/WRT54G#Hardware_and_revisions

From the same article at:

"To support third-party firmware, Linksys has re-released the
WRT54G v4, under the new model name WRT54GL (the 'L' in this
name allegedly stands for 'Linux')."
My inspection of both boards shows that the v4 and GL are identical
inside. However, that was a while ago and the GL may have mutated in
the meantime.


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558