Remote Linksys 0-Day Root Exploit Uncovered

Orome1 writes "DefenseCode researchers have uncovered a remote root access vulnerability in the default installation of Linksys routers. They contacted Cisco and shared a detailed vulnerability description along with the PoC exploit for the vulnerability. Cisco claimed that the vulnerability was already fixed in the latest firmware release, which turned out to be incorrect. The latest Linksys firmware (4.30.14) and all previous versions are still vulnerable."

WRT54GL

[markdavis]

Yes, you would think the summary would at LEAST say *WHICH* router it affects, since Linksys has lots of different models. It is the WRT54GL.

I *love* that router and have probably 30 of them. Low power draw, real antenna, wall mountable, etc. My recommendation- install Toastman Tomato on it. They never crash, freeze, freak out, not work with certain devices, etc. Rock solid stuff.

Strangely, the WRT54GL is STILL BEING SOLD!

WRT54GL?

[Anonymous Coward]

Just gotta ask: have they tried it on any OTHER models? Because that's an OLD OLD router that shouldn't even be running cisco/linksys firmware anymore. Tomato, ddwrt, and openwrt all support it, all have support for it and much improved kernel and userspace versions.

Additionally though the number of different arm processors and SoC arches they're running in their hardware makes me question the odds of a common exploit across all of them, especially since this isn't even a router support the new 'Cisco Cloud' configuration garbage.

Anyway, what do the rest of you think, some wanna-be 'security' company trying to make a name for themselves scaremongering?

Re:WRT54GL

[Synerg1y]

People still run their 54gl's stock???

Repeat after me: d-d--w-r-t [dd-wrt.com]

Turns your router into something more like one of those fancy enterprise cisco routers. The 54gl is dd-wrt's 1st platform I believe (too lazy to look it up), so compatibility is bound to be around 100%.

Re:Remote?

[Amouth]

that is far more difficult to do than if the exploit works on the WAN side.

Re:WRT54GL?

[Baloroth]

Just gotta ask: have they tried it on any OTHER models? Because that's an OLD OLD router that shouldn't even be running cisco/linksys firmware anymore.

If by "OLD OLD" you mean "is still produced, sold, and obviously supported, and can be purchased on Newegg right this second with stock firmware" then sure. It's an extremely common router, even among the non-techie crowd, so I wouldn't be surprised if the majority of them are still on stock firmware.

Is this actually a big deal?

[jht]

So it's a vulnerability in the WRT54GL (and maybe the related routers) running mainly older firmware - it's a pretty old router model as are its cousins. And from watching the exploit video, it's a local vulnerability - not one you can exercise against the WAN port. So it looks like not such a big deal. After all, 98% of those just have the default password anyways.

If the more advanced gear (like the RV routers and such) have this issue then I might be concerned. But I don't have enough info yet to worry or not.

Re:WRT54GL

[VValdo]

I agree it's bad form not to put the router models in the summary. But from the press release [defensecode.com]...

Exploit shown in this video [youtube.com] has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected.

(emphasis mine)

Incidentally, re: the GL model of the Linksys-- the "L" I'm pretty sure stands for Linux, and was the model that was in response [wikipedia.org] to everyone reinstalling dd-wrt and other firmware...

Public Service Announcement

[Raystonn]

Unless you have remote administration enabled, this exploit is only achievable from a system within the local network. This attack is not an internet threat.

Re:WRT54GL

[formfeed]

Incidentally, re: the GL model of the Linksys-- the "L" I'm pretty sure stands for Linux, and was the model that was in response [wikipedia.org] to everyone reinstalling dd-wrt and other firmware...

The WRT54GL was in response to the people being unable to run Linux on the newer revisions of the WRT54G, after Linksys "updated" the WRT54G by reducing the memory in the newer models. They basically restored the specs. of the original router and sold it for a premium.

Re:WRT54GL watch out for openwrt

[shoor]

Recent openwrt distros have a problem with the classic wrt54gl in that it doesn't have enough memory. I know because it happened to me. It installs, but when you try to change configuration, it bricks and you need to ground pin 15 to get it to reflash something. From the openwrt site:

"In a test with OpenWrt 10.03.1-rc6, the OS will install but LuCI will be unable to update settings because there isn't enough flash left free."

Old enough versions should work, but I'm happy with my tomato install.

Re:WRT54GL

[Lothsahn]

I love Tomato too--in fact, I use it at my house. However, Tomato was originally based off Stock Linksys, and might also be affected. Until full disclosure occurs, we'll not know for sure.