Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Wireless Networking Communications Hardware

Linksys WiFi Gateway Remote Attack Risk Discovered 311

Glenn Fleishman writes "According to InternetNews.com, a tech consultant discovered that even if you turn the remote administration feature off on a Linksys WRT54G -- the single bestselling Wi-Fi device in the world -- you can still remotely access it through ports 80 and 443. Linksys sets the HTTP username to nothing and password to 'admin' on all of its devices by default. Web site scanning from anywhere in the world to devices that have routable Internet-facing addresses would allow script kiddie remote access, at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password."
This discussion has been archived. No new comments can be posted.

Linksys WiFi Gateway Remote Attack Risk Discovered

Comments Filter:
  • by Space cowboy ( 13680 ) * on Thursday June 03, 2004 @08:32AM (#9324261) Journal
    Security consultants Secunia rates the flaw as "moderately critical" and urged users to configure a strong password for the administrative Web interface or restrict access to the interface altogether.

    Whereas I (owning one of these boxes) rate the flaw as a combination of 'wide open', 'come and hack me, here I am', and 'criminally stupid'. What the [insert expletive] is the point of the 'turn off remote administration' option, if it doesn't turn off remote administration ??!!

    I always make sure I enter my own password into every system of mine that lets me. At least that way it's only ever *my* mistakes that will trip me up...


    • by VC ( 89143 ) * on Thursday June 03, 2004 @08:49AM (#9324386)
      Its not that bad... The thing is a linux box, with an admin password.

      If you did the right thing and changed you admin password, then what you've really got is a linux box on a wan, with a hard to guess password.

      Besides which, your running the Sweadish [sveasoft.com] firmware anyway arn't you. :-)
      • Even better than that.

        I picked one of these up last night.
        The admin page is set at, a route unreachable from my nat'ed router (which even resides on another subnet).

        As long as people set up WPA or something, these devices are fine. You would have to have physical access to the network to run the noted compromise, as the page in question is only accessible from the air if you first compromise whatever wireless security the user has in place.
        • Actually, the article says WAN, not WLAN. WAN == Wide Area Network, meaning the Internet, which you are probably connected to if you have a device like this. WLAN == WireLess Area Network, I guess, and is the wireless part you're talking about.
    • It's only "moderately" critical (for now) because a simple hardware reset button fixes the problem. Once reset, go into the admin and set a bloody password -- problem never happens again.

      It would be more critical if the exploit permanently wrecked the router. As it is, most of them have their simple boot code in flashable ROM. Just grab the last good copy and work with it (if someone figures out a way to update the firmware to a bad version, well, then people are screwed).
    • Yes, this is only moderately critical because (a) the overwhelming majority of owners of these devices have them either directly or indirectly behind a NAT'ing cable modem or DSL connection, and (b) the "exploit" (if it can even be called that) is a known entity that any owner of one of these devices (myself included) should have realized the possibility of from day 1 and changed that password immediately, possibly before even connecting it to the cable modem.

      This doesn't rate a critical or severe like the
  • by Dr Reducto ( 665121 ) on Thursday June 03, 2004 @08:34AM (#9324270) Journal
    I am grabbing my laptop right now and going to my newfound open access point!
  • psst ... (Score:5, Funny)

    by nick-less ( 307628 ) on Thursday June 03, 2004 @08:34AM (#9324271)
    don't tell to my neighbour...

    • Re:psst ... (Score:4, Interesting)

      by spoot ( 104183 ) on Thursday June 03, 2004 @08:43AM (#9324341) Homepage
      Well, I just loaded my neighbors admin page on their linksys. Logged onto their non-wep wifi, loaded, and entered "admin" as the password. Bingo. Now I could screw with it if I wanted to, but that would just screw with my ability to use their network when I'm downloading pron on mine. It was all to easy. No scripting, no hacking, just obvious. I'll bet most (wi-fi) will be just like this. There are 3 wifi networks avaiilable from neighbors (homes) and none of them use wep or mac addresses.
      • Where do you people live?!? I set up probably the only two wireless access points* in my entire town; one at my parents and one in my apartment. How the heck are you getting 2 or three open APs in your own house???

        *Don't get any ideas; they both use WPA and MAC address limiting, so neither of them are open.

        • Well in Manhattan, the most densely populated county in the U.S. (67,000 people / square mile), I've generally had no fewer than 3 WiFi access points available in the various apartments I've lived in... I can reach 7 access points from different corners of my 400 square foot apartment now.

          Not that WiFi is the reason to live here, but hey, free Internet is nice when you're paying through the nose for the apartment!

        • Re:psst ... OFFTOPIC (Score:4, Interesting)

          by digitalsushi ( 137809 ) * <slashdot@digitalsushi.com> on Thursday June 03, 2004 @10:34AM (#9325385) Journal
          I live in a mill building on both sides of a river. There's 310 apartments with about 700 to 1100 people, I guess. When I moved in during May 2003, there was 7 broadcasting wireless networks. When we renewed our lease this May, we warwalked it again and there were 22. Both times, about 60% were completely wide open, and about 75% of them were linksys devices. One fellow across the river must have a booster or something because his network punches through way too many walls. He would seem to be on the interior side, facing the river, and I can get him on the opposite side of his building, as well as into my own building on the opposite side of the river. My roommate's girlfriend lives down the hallway and she can see exactly 6 wireless networks. 3 are wide open.

          With people giving away USB 802.11b cards for free [ecost.com], the temptation to steal all that free interenet is just well, it's inevitable that it gets used.

          Oh, and we had this great idea! See, there's so many open wireless networks at our place, and so many people with open filesystem shares, that one of the things we do to make a little spare cash is that we use that unified network adapter linux has where you can bind interfaces together. It's a little sloppy but we effectively have an aggregate 12.0 megabit connection out, and 1.2 megabit connection in, from the internet over 4 wireless lans we connected to. Then we did some filesystem on a filesystem type things with the open file shares and made a psuedo RAID using the neighbor's unknowingly shared directories. We can sell 1.2 megabit webhosting for 12.95 a month with zero infrastucture costs. I guess if I had to describe it in a word I'd say that it's "sweet."
      • But you're doing it from the internal network, technically.

        Try doing it from the internet side, and see if you can still get in. It seems some people here are calling bluff.....
        • Re:psst ... (Score:3, Informative)

          by itwerx ( 165526 )
          Try doing it from the internet side...
          It works from the outside as well.
          This has actually been a problem for a long time. I first noticed it on one of their 802.11b series WAP/firewalls. I don't remember the model; it was an early one and died of over-heating a couple years ago, like most of their stuff does.
          (Tip for anybody w/a LinkSys WAP - put a fan on/in it!)
          Like somebody else commented, I just forwarded to ports to a bogus IP. I also sent a note to their tech support who told me to upda
  • by tedgyz ( 515156 ) * on Thursday June 03, 2004 @08:35AM (#9324278) Homepage
    All your gateways are belong to us
  • by yebb ( 142883 ) * on Thursday June 03, 2004 @08:36AM (#9324281)
    Seems like a rather obvious issue, I'm suprised nobody noticed this before.
  • by Gothmolly ( 148874 ) on Thursday June 03, 2004 @08:36AM (#9324282)
    Since 70%+ of the wireless users on my block do not activate WEP, or change the default channel, or use a non-default SSID, I'm willing to bet that nobody went through the effort to manually deactivate the admin interface, or change the password. You could argue that that is merely a de facto flaw, while the listed vulnerability is de jure, but from a practical perspective, this is no less secure than everything was anyway.
    • by ideatrack ( 702667 ) on Thursday June 03, 2004 @08:39AM (#9324304)
      You could argue that, but seeing as there are decent sysadmins out there (no really) who will have turned this feature off, it's pretty severe. Admittedly if I had turned it off, then I'd check to see if that was actually the case, but it's very easy to just believe the interface. After all, they'll have checked it before shipping it, won't they? Won't they?
      • If you're a descent sysadmin, you're also not going to leave the default password to 'admin' either. Not that this excuses Linksys for an obvious oversight or anything, but for those of us who know what we're doing with our equipment it's not armaggedon or anything.
    • this is no less secure than everything was anyway

      That's debatable. The admin pages are exposed to the internet at large by default, with a known username and password. Whereas with no WEP and so on you at least have to be physically close.

    • this always interests me how people from other countries talk of how WEP is never turned on. I'm from Australia and every ADSL wireless router or whatever that i have seen has WEP on by default and it comes with its own setup stuff on the cd that configures WEP without joe user even realising it. so what is the case with routers where you come from? do they just come with installation software that sets everything up automagically but for some insane reason doesn't configure WEP? or is joe user actually exp
      • I'm from the US and I've configured a few different routers, and from what I've seen, the majority of those come with an automagical cd that does not enable WEP, it just configures the network with the default SSID and the default username/password/port settings. One router specifically was by network everywhere, which you plugged in and attached to a modem and it was broadcast wirelessly, no setup, no cd, no nothing. You could just plug it in and let your wireless card detect the network. It was config

  • Yes, but could they reconfigure the WAP to turn on that "unrestricted access to internet" feature that maps every inbound port on the router to one internal machine? Lesee - they know your internal IP block from the router config, and even the addresses of your DHCP workstation. If you haven't kept your patches up to date.....


    Maybe it's just the way the summary was written, but for some reason the original article poster makes this sound like more of a nuisance than the serious problem it re
  • by fabs64 ( 657132 ) <beaufabry+slashdot,org&gmail,com> on Thursday June 03, 2004 @08:38AM (#9324290)
    honestly these sort of completely blatant and downright dangerous security holes in software i think should pave the way for making developers culpable for damages incurred by defects in their software.

    I mean honestly, if a Surgeon said that they sewed up a hole in your stomach but really didn't they would be considered criminally negligent wouldn't they? How is a company allowed to release something as obviously dangerous as this to the public without having some sort of liability?

    • by jimicus ( 737525 ) on Thursday June 03, 2004 @08:48AM (#9324382)
      Mod parent up as insightful... it's an excellent point.

      We sue architects for designing buildings which collapse before they're even completed. We sue car manufacturers who build cars which have an annoying tendency to explode. Our relatives sue doctors who say "that little lump is nothing to worry about". In each case, a person in a profession which requires a degree of understanding greater than expected of the general public has screwed up.

      I can only imagine that the IT industry has convinced the general public that computers are Just So Complicated that nobody on earth can possibly understand them properly, and therefore such mistakes are to be expected. One day someone will be killed because of such complacency. Perhaps then the industry will start to take some responsibility for its mistakes.
      • by gclef ( 96311 ) on Thursday June 03, 2004 @09:09AM (#9324542)
        There's a concept called "fitness for purpose" that I think applies here. If you used bicycle tires on a car, for whatever reason (price being an obvious one), if you then got hurt in your car, you'd have no one to blame but yourself. Bike tires aren't fit for use on a car.

        By the same logic, if you used a cheap, home-user piece of crap for a life-critical operation, you deserve to be sued into oblivion, since it wasn't designed for something critical. Personal firewalls like this Linksys thing are not suited for life-critical use, and everyone who knows what the hell they're doing should realize that.

        If you use a piece of software that is sold as "fit for this purpose" (like, using windows-embedded health monitoring devices) and it fails due to a poor design, then you're right on...the vendor of that device should be sued.
      • by dfn5 ( 524972 )
        We sue architects for designing buildings which collapse before they're even completed.

        When was the last time you saw someone firmware upgrade a building? This analogy is hardly acurate. Software is correctable. I would hardly consider something like this "Dangerous" as the previous poster put it.

        And as far as Wi-Fi security is concerned I think that people have blown it way out of proportion. If people just treat Wi-Fi networks as insecure as the Internet and keep it seperated from their internal

      • We sue architects

        Ah, great solution, "sue". Guess you must be American.

        As soon as folk start suing, FOSS goes out the window - remember the kernel this Linksys box runs is GPL'd and it's for that reason folk have been doing so many great things with it.

        Now you want every programmer, every kid who wants to release an application to take out public indemnity insurance. Why, because a user couldn't be bothered to RTFM and set a password. The user is at fault by not following the supplied instructions, but f

        • Ah, great solution, "sue". Guess you must be American.

          I'm not. I'm English.

          Here in Merrie Olde England, a few years ago, the London Ambulance Service decided that a computer could work out the most efficient route from A to B through a busy city far better than a human controller. Reference Here [ucl.ac.uk]

          Thus the computer could decide which ambulance was best placed to answer a specific call based on its geographic location far more efficiently than a person.

          It couldn't. People died. Nobody was ultimately held
      • There's several cases where software failure has been fatal.

        How about the case of the THERAC-25 [vt.edu], where several died or were seriously injured.

        This is a typical case study shown in any ethics course involving software design. It turns out the cause of the severe radiation burns was from the operator entering commands and parameters faster than the unit could handle.

        Then there's the Soviet pipeline that blew up due to delibrately buggy software stolen from the US.

        Then there's the Osprey [zpub.com] , had software b
      • Bugs in software are inevitable... its a fact of life.

        The only chance of having a bug free system is one organization having control of the entire system from hardware design, to the firmware, to the OS, the support libraries, and the application software. In the current IT world, where your hardware consists of generic components from half a dozen manufacturers, your OS from someone else, and application software and support libraries from other companies, none of which have influence over each other a
    • You *can* sue software companies for their software. The problem is that it needs to be something serious, like "the software failed to sew up the hole in my stomach" or "the software failed to build the support beam properly", although both situations require human interaction.

      If the cruise control in your car were to go berserk and drive you into a brick wall, you'd bet your ass you'd be sueing the car manufacturer (read: company that wrote the firmware). Having your firewall vulnerable on the Internet
  • 2 points (Score:5, Informative)

    by millahtime ( 710421 ) on Thursday June 03, 2004 @08:38AM (#9324294) Homepage Journal
    1) 90% of the people that buy these are your basic at home user. They don't ever change the default settings. It's just a setup and go. There are 5 such ones in my apartment alone in range of my apartment

    2) 99% of people aren't going to update the firmware when it comes out so this bug will be floating around for some time.

    The average joe 6 pack needs to be forced to use the security with it. If you give it as an option then it many times will be ignored. Security needs to be made part of the setup and updates need to be easy to install.
  • port fowarding (Score:4, Interesting)

    by Anonymous Coward on Thursday June 03, 2004 @08:38AM (#9324298)
    What happens if you are fowarding port 80 to an internal box? Thats what I currently do. If i access my external ip I get my webpage, I can only get my routers admin page by using its internal IP.
    • Re:port fowarding (Score:5, Informative)

      by mccalli ( 323026 ) on Thursday June 03, 2004 @08:45AM (#9324361) Homepage
      What happens if you are fowarding port 80 to an internal box?

      From the article:

      "As a workaround until a firmware upgrade is issued, Rateliff recommends the use of port forwarding send ports 80 and 443 to non-existent hosts. "Note that forwarding the ports to any hosts -- including listening ones if you are actually running servers -- will override the default behavior," he explained."

      So you're ok. As am I, or at least as I will be after I've just finished forwarding 443...


      • Did you test before setting the new forwarding?
        I think Rateliff had some cables crossed and, becuase I am using the exact same firmware, I don't forward 80 or 443, and I can't get the admin page from the WAN.
        • I think he clarified his experience. Try turning off the Firewall function and then test again. According to Rateliff, with the Firewall option turned off and the Remote Admin turned off, he still could get to the admin tool through 80 and 443. With the firewall turned on, he no longer saw the problem.
  • in short (Score:3, Informative)

    by andy1307 ( 656570 ) on Thursday June 03, 2004 @08:39AM (#9324299)
    The problem is the default password: admin....?

    How does changing the default password help if you don't turn on WEP? Can't someone get on the network using the default SSID(linksys) and sniff for passwords?

    • As long as you don't manage the device via your wireless connection, changing the password and leaving WEP disabled does not present a security problem for the router.

      Once you have configured the router to perform the tasks you need, most people never have a need to log into the router again. As a result the new password does not appear on the wireless net any more for the vast majority of the users who do set the password.

      Some of us do things like checking statistics, setting up port forwarding, etc. tha
  • by Ath ( 643782 ) on Thursday June 03, 2004 @08:40AM (#9324314)
    1) This problem is specific to one version of firmware. I can guarantee it has not been there in many of the versions I have used. 2) It only affects units that have not had their default password changed. I agree it is a security risk but it should be kept in perspective. If a user does not change the password, that is not a design problem of the firmware. The only real problem is that the function to turn off remote administration on the WAN port stopped working in the specific release of firmware. The article does not mention which version of firmware this guy was using, so we cannot confirm it. I personally use a modified version of the Linksys firmware, of which there are now quite a few.
    • If a user does not change the password, that is not a design problem of the firmware.
      I'd say the design problem is in having a default password to start with. Surely there is a better way to do it, like printing the password on a removable label stuck to the router?
    • The risk is based on the unit and not how many were sold. If you own a unit the risk is extreeeeeeem. Not only can someone redirect to the inside, they can use it as a proxy from the WAN. Oh the trouble they can cause.
    • by Ath ( 643782 ) on Thursday June 03, 2004 @08:56AM (#9324443)
      This problem is specific to one version of firmware.

      I should correct this because some people with the 2.02.07 version that this guy claimed to be using are reporting they cannot reproduce the problem.

      This could be basic user error. By the way, the remote admin function is disabled by default in the WRT54G firmware.

      What gets me is that if you want to bitch about the WRT54G firmware, there are plenty of better reasons than this apparently bogus one. Only the hacked firmwares really make this hardware shine (and have all functions plus new ones work properly).

    • I have a similar but different model, the WAG 54G. It has an integrated ADSL modem. Just tested here and it's not affected by the bug.
    • I actually consider this to be a pretty serious security risk for the reasons many others have already pointed out. The average user isn't going to change the password, or mess with port forwarding, let alone upgrade the firmware.

      The sad truth is that linksys has gone down the drain since being acquired by Cisco. I own a BEFSX41 and for the past 3 or 4 firmware revisions things have been constantly broken. Either various yahoo services just plain don't work, DynDNS support was broken at one point, VPN tunn
  • Firmware flash (Score:3, Interesting)

    by thedillybar ( 677116 ) on Thursday June 03, 2004 @08:40AM (#9324316)
    Recent articles show that this little thing is pretty powerful. What stops someone from flashing a box, running an open relay, ftp server, web server, or anything else of the sort (besides a strong, non-default password)? Just what we need is spambots on these damn Linksys routers..
  • Bugtraq submission (Score:5, Informative)

    by mrgrey ( 319015 ) on Thursday June 03, 2004 @08:41AM (#9324317) Homepage Journal

    Manufacturer: LinkSys (a division of Cisco)
    Product: Wireless-G Broadband Router
    Model: WRT54G
    Product Page:
    http://www.linksys.com/products/product.asp ?grid=3 3&scid=35&prid=601
    Firmware tested: v2.02.7

    In a recent client installation I discovered that even if the remote
    administration function is turned off, the WRT54G provides the
    administration web page to ports 80 and 443 on the WAN. The implications
    are obvious: out of the box the unit gives full access to its administration
    from the WAN using the default or, if the user even bothered to change it,
    an easily guessed password.

    I reported this to LinkSys (along with a number of other non-security
    related issues) on April 28. I received no reponse addressing this, and no
    updated firmware has yet appeared on their firmware page
    http://www.linksys.com/download/firmware.asp ?fwid= 201

    To work around this, you can use the port forwarding (irritatingly renamed
    to Games and whatever) to send ports 80 and 443 to non-existant hosts. Note
    that forwarding the ports to any hosts -- inluding listening ones if you are
    actually running servers -- will override the default behavior.

    On a personal note, there are a number of reasons for which I am thoroughly
    disappointed with LinkSys since the acquisition by Cisco. For the sake of
    what was once a rock-solid product and great brand name, I hope things
    change soon.

    Alan W. Rateliff, II : RATELIFF.NET
    Independent Technology Consultant : alan2@rateliff.net
    (Office) 850/350-0260 : (Mobile) 850/559-0100

    [System Administration][IT Consulting][Computer Sales/Repair]
    • by bhmit1 ( 2270 )
      This was followed up by multiple people saying it doesn't work. The most likely explination comes from Jason Munro who says:
      > Testing this issue with a recently purchased WRT54G here showed that while
      > I can access the web interface on the WAN IP from the LAN behind the
      > linksys, I can not access it from another location on the WAN side.

      Also, there were other replies saying that you could fix this by forwarding these ports to non-existant IP's if you were able to reproduce the issue.
      • Hold on... The work around is to set up port forwarding to non existant hosts. But then they are complaining that when you do this, you can't access the device from the WAN side? ISN'T THAT THE WHOLE POINT???
  • Well... (Score:5, Funny)

    by Rican ( 666150 ) on Thursday June 03, 2004 @08:41AM (#9324319)

    ...anyone dumb enough to leave the router with the default password deserves to be h4x0red. I assume that by now pretty much anyone that owns a computer knows the need to create their own password not only for their PC but other devices/peripherals.

    Although, I tried changing mine to "penis" and it returned a message saying: "Password is too small."

    Go figure...

  • Does anyone know if the Wifi-box firmware [sourceforge.net] is also at risk? I just flashed my WRT54G with it last night to get SNMPd to make pretty pictures. While this is a really terrible flaw, the source code is GPL. I am sure someone will come up with a fix even if Linksys doesn't in a reasonable period of time.
    • I personally think the reported problem is bogus. It is certainly unconfirmed.

      And I definitely do not have the problem with the Wifibox firmware that I have been using for almost 9 months.

  • This shows a lack of proper testing, quality assurance and security. THey either brought it to the market to fast or don't have the right people checking these things out.
  • by Baldrson ( 78598 ) on Thursday June 03, 2004 @08:42AM (#9324328) Homepage Journal
    The 32M RAM version of the WRT54G has enough capacity to run the current release of MeshAP [locustworld.com]. The problem is booting it off of the 8M of flash that is available on the WRT54G. You could overcome this by incrementally reflashing them to boot from the mesh itself. This would fix the security hole too.

    Understand, I'm not advocating any kids actually do this -- its just a fun, if slightly whacked, idea.

  • NOT (Score:4, Informative)

    by Merlin42 ( 148225 ) * on Thursday June 03, 2004 @08:42AM (#9324333)
    I have one such router(HW revision 1.0, firmware 2.02.7) so I gave it a guick check (again ... I tested it when I bought it) and I can't get the remote administration page on the WAN. Currently, I only forward port 22 and I disabled the DMZ.
    • Yeah I checked mine, I don't see this problem either. Something smells off about this whole thing anyway. Where is the "official" CERT advisory on this?
    • by Merlin42 ( 148225 ) * on Thursday June 03, 2004 @09:51AM (#9324924)
      Actually I was able to reproduce the 'problem' It is not mentioned in the article, but you can access the admin page from the WAN port if 'firewall protection' is disabled.

      In hind sight this sort of makes sense ... although it is NOT at all obvious at first glance.

      In any case I wouldn't consider this to be a HUGE problem since 'firewall protection' is on by default and 'Joe 6pack' is unlikely to turn it off since the general perception amoung nongeeks (at least in my experience) is that Firewalls are magical good things that block bad stuff (for varying definitions of bad).
  • Does it matter? (Score:3, Insightful)

    by thedillybar ( 677116 ) on Thursday June 03, 2004 @08:43AM (#9324337)
    even if you turn the remote administration feature off on a Linksys WRT54G

    Isn't it safe to say that if someone finds the "remote administration feature" and turns it off, they're also going to change the default password while they're in there? Or do people think oh, since you can't remotely administer this thing from outside, it doesn't matter? Sounds sketchy to me, I don't think it's going to be a big deal.

  • It has been my experience that if you use a combination of wireless and wired technology (ie, a carrier pigeon tied to a really long string so you can pull it back really fast--the cats really love to chase the carcass, but you'll get your data back without incident).
  • Okay.... (Score:4, Insightful)

    by s.a.m ( 92412 ) on Thursday June 03, 2004 @08:44AM (#9324344) Journal
    So whats the big deal here? If you change the password etc then the problem is solved right? Ohhh thats right you're talking about people not READING the damn manual telling them what they need to do!

    Well tell you what, tough. You didn't read, you didn't listen, then pay the consequences. It TELLS you that you need to change the password etc and what you should do. If you choose not to do it, then face the consequences.

    See a Red Light means stop, if you choose not to obey that and get in an accident and get hurt, well sorry but you pay the consequences of your actions.

    I hate being so negative sometimes but damn, there comes a time when even the Big red letters not the widespread panic across the news won't help.

    Yes, I agree, the companies should make these things where you have to create a new password and username etc, but there's only so much they can do. B/c we all know that most people would leave the password field blank. I know this all to well as the CEO of my company has a blank password on his personal email addy.
    • No. This is Lynksys' fault. Perhaps the user runs WEP, and trusts all the other users of his LAN. Therefore, in theory, they don't need ot bother with passwording their box, because as far as they know, no untrusted person has access to it anyways. So an intelligent user just damn might well be able to reasonably say "fuck it, admin is fine, not like anyone else has access to it". If they knew that the thing was gonna be exposed to the internet regardless, then they would've changed it.

      You know how I
      • Re:Okay.... (Score:2, Insightful)

        Fine, and it's Master's fault when I leave my front door unlocked and then get robbed. But, but, I had a sign on the gate that said "FRIENDS ONLY"!!!!! That's a lame damn excuse.

        I'll let you know when I find an intelligent user that says "fuck it, admin is fine, not like anyone else has access to it."
        • But its not my front door. Its the door to my basement. I don't have a front door. Or I wouldn't, if Lynksys made shit that worked like it was supposed to.
      • And you know what? I don't think you can even set the username. I have the WRT54G and I tried to configure a username (instead of just nothing) and I wasn't able to. Maybe I overlooked something, but I went through every tab and read the documentation.

        Anyone know how to do it? I'd love to have a name for the "root" user.

    • Re:Okay.... (Score:3, Insightful)

      by David Byers ( 50631 )
      We've known for years or even decades that people for whatever reason often won't change the default password of the default account.

      Saying "change the password" in the manual in no way absolves the manufacturer of the responsibility to provide reasonable default, especially when they know that many of their customers won't change that default.

      If you make a product for the mass market, design your product accordingly and make it easy for your customers to do the right thing and hard to do the wrong thing.
  • Fair play to the guy for spotting it and warning Linksys but to go and post it in a public board a couple of days later (after the weekend) is just asking for trouble. Could he not have waited a week to give Linksys a chance to notify as many customers as possible before going public ?
  • by Anonymous Coward
    You can flash the firmware to one from sveasoft http://www.sveasoft.com [sveasoft.com] and avoid the whole problem. You also get a nifty linux environ to work with.
  • by alanxyzzy ( 666696 ) on Thursday June 03, 2004 @08:46AM (#9324372)
    This BUGTRAQ article [securityfocus.com] has some interesting observations made by the original reporter [securityfocus.com] of this vulnerability.
    I have made the effort to grab three additional units, all v2 hardware, off-the-shelf, and here is what I have found: Two of three units came with the firewall enabled, while one of the three came with it disabled. The packaging leaves no evidence as to whether any of these items were previously opened and returned.

    Interestingly, all three units from local resalers came with v2.02.2 firmware, while the second unit from CDW I tested in March came with v2.02.7. BOTH of the units which came off-the-shelf with v2.02.7 behaved as previously described in my original notice; I do not have records of the firewall setting of the units from March, although they both did behave as predicted after a factory reset.

    I would like to assume that the one-of-three v2.02.2 firmware units which came with the firewall disabled was an anomoly, and possibly a customer return. Nicely, flashing these units to v2.02.7 retains all settings, including the firewall status.

    Now the catch. In v2.02.7 with the firewall disabled and remote admin turned off, the admin page becomes available on ports 80 and 443 on the WAN. This works whether the unit is in DHCP or PPPoE mode.

    Port State Service
    80/tcp open http
    443/tcp open https
    Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20

    So part of the original notice is valid, with the exceptions noted. I don't have any more v2.02.2 units to test as they have all now been flashed with v2.02.7, I have no more unmolested v2.02.7, and I am out of petty funds to purchase more :)

    So, I will eat some crow on the original notice. To sum up, the admin page is most definitely available to the WAN if the firewall is disabled, regardless of the remote admin setting. And at best the potential for getting a unit off-the-shelf with this behavior is somewhat like an Easter egg hunt. I have received an even mix of responses positive and negative to the original notice, so others are reproducing this OTS.

    Some thoughts...

    It could be resonable that units which come v2.02.2 OTS then flash to v2.02.7 may not experience this behavior due to stored factory settings from original v2.02.2 system carried over to v2.02.7. That would explain the exception of the OTS behavior of the v2.02.7 units received in March.

    Now I am also aware that other LinkSys items I have received have come with firmwares not yet available on the website -- most recent example, a WPS54GU2 which came with firmware 6032 while only 6031 was available on the website. It may be more reasonable that since the firmware v2.02.7 is dated March 17, my order for the WRT54G was placed on March 23, maybe a pre-release of the firmware? I cannot imagine that there would be such a diverse distribution of this product direct from LinkSys?

  • Any bets on whether the first one out exploits the problem or "patches" it by changing the admin password to something random?

    After all, if you didn't change it in the first place, you'll probably never notice the "upgrade".

  • I've bought lots of Linksys products for my company. I won't do it any more. They just stop working sometimes. They're flakey. It's not a security issue.

    Netgear is consistently better.
  • Just think of the havoc that a Linksys Flash worm would cause: a worm that searches out other vulnerable Linksys boxes, re-flashes them with the wormed software, and contines on while the offspring does likewise. Something like that would spread very rapidly and result in a lot of junked undead WiFi gateways.

    Anyone know of another WiFi gateway company that would be good to buy stock in? They might suddenly be getting a massive number of orders.

  • This is all about setting reasonable default security options. If I set "Firewall Protection: Enable", the problem goes away -- whether or not I've set a good password. (This is not a WEP issue. WAN exposure to the world is a lot worse than wireless exposure to the neighbors, IMO.)

    The author of this report is likely to be using an earlier firmware version that did not have a firewall setting.

    I don't know if Firewall/enable is the factory default now, but it might be. Problem solved? Not exactly -- t

  • by jridley ( 9305 ) on Thursday June 03, 2004 @09:05AM (#9324505)
    I have one, as do several of my friends.

    Pretty much the first thing I did when I took mine out of the box was to try to access port 80 and 443. No go.

    After seeing this, we tried again. None of us can access the box from the WAN port, only the LAN side.

    I wonder if this guy got a refurb or one that had been returned to a store after a user screwed with it?
  • by acz ( 120227 ) <z@herEULERt.org minus math_god> on Thursday June 03, 2004 @09:17AM (#9324606) Homepage
    Most of slashdot readers already know that there are a bunch of modified firmwares for the wrt54g such as this one [ncsu.edu]. You should also be aware to realise that they are already backdoored/rootkit version (custom version of teso's adore [lwn.net] of the wrt54g which will hide specific clients, processes, mac address and connections. It should also be noted that vulnerable linksys access point are trivial to detect using kismet [hert.org] (runs on linux, *bsd, zaurus, wrt54g) or kismac [hert.org] (runs on Mac OS X).
  • With the firmware I have been using (acquired from Linksys) it would not allow remote administration until you changed the default password. How is this vulnerability possible as described?
  • by Pascal Sartoretti ( 454385 ) on Thursday June 03, 2004 @09:26AM (#9324689)
    A basic problem with factory settings are the well-known usernames and passwords. Why not simply set them to the device's serial number?
  • Linksys are really notoriously cheap and shonkey though, so this short of thing shouldn't really come as a surprise to anyone (not a troll).

    While Linksys devices are a option if your looking for something thats very cheap and easy to administer (the CLI and Web based interfaces on their more complex switches are really user friendly), but they are historically flakey (to lack of support for key options, non upgradability or straight forward incompatibility with other devices) as well as insecure.

    I wouldn'
  • by moyix ( 412254 ) on Thursday June 03, 2004 @06:07PM (#9330191) Homepage

    I've been following this on BugTraq. As others in this discussion have pointed out, it's not that big a deal, since most people turn the firewall on. There's also an interesting post about someone who bought a few of them and checked whether the firewall was enabled by default--it turns out that two of the three units he tested came with the firewall enabled. [securityfocus.com]

    Much more terrifying, though, is the fact that Netgear WG602 Access Points have a default admin account [securityfocus.com] that can't be turned off, with the username "super" and the password "5777364". So expect anyone on the WLAN/LAN to be able to own your router if you have this product and enable the admin interface.

Someday your prints will come. -- Kodak