[linux-elitists] Are we Dead Yet? (or "For every sprinkle I find, I shall kill you!")
Eugen Leitl
eugen@leitl.org
Thu Feb 3 13:23:55 PST 2005
On Thu, Feb 03, 2005 at 12:39:57PM -0800, Karsten M. Self wrote:
> But if you'll look over the vulnerability notices for Linksys, you'll
Linksys default firmware is a piece of crap. There are several alternatives,
e.g. OpenWrt and Sveasoft (the $20/year one for bleeding edge firmware
access).
> note that it offers (public-side) remote administration capabilities,
> which have had several security issues. It's also typically running the
> kernel, Apache, and SNMP, at least two of which (kernel & SNMP) have had
> remote exploits in recent memory. Plus, by its very nature, the box
Know many crypt kitties who can write MIPSel shellcodes? Google gives 130
hitses. Don't thinkssss so.
> _lives_ on public-facing nets.
Given several million devices sold, and that most users leave the passwords
on default, and that remote reflashing is trivial, it looks like an
unnecessarily overlooked platform for nasty wormses.
> Which doesn't mean you can't:
>
> - Load something into RAM. So long as it runs, you're golden.
That, too, but you can simply flash your stuff, so it survives a reset. Or
will not accept any new firmware henceforth. Or will just brick anything it
can infect, and then brick itself.
> Well.... It's rather hard to tell. The "user interface" of such
> systems consists of a web-based tool. Yes, it's possible to tweak the
> system to get shell, I haven't played that game yet, and the typical
Hm, let's see:
[kiki@helium ~]$ ssh -l root H
The authenticity of host 'h (192.168.1.1)' can't be established.
RSA key fingerprint is d3:1e:c9:35:5b:6d:c2:eb:10:d2:e2:fb:20:68:80:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'h' (RSA) to the list of known hosts.
root@h's password:
------------------------------------------
Welcome to the Sveasoft WRT54G/GS Firmware
Alchemy-6.0-RC5a beta build
version v3.01.3.8sv
USE OF THIS FIRMWARE IS AT YOUR OWN RISK
http://www.sveasoft.com
------------------------------------------
sh: /usr/X11R6/bin/xauth: not found
BusyBox v1.00 (2004.12.04-16:43+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # w
-sh: w: not found
~ # ps -aux
PID Uid VmSize Stat Command
1 root 716 S init noinitrd
2 root SW [keventd]
3 root SWN [ksoftirqd_CPU0]
4 root SW [kswapd]
5 root SW [bdflush]
6 root SW [kupdated]
10 root SW [mtdblockd]
51 root 308 S resetbutton
81 root 368 S /sbin/syslogd -R 192.168.1.3
84 root 304 S /sbin/klogd
85 root 328 S tftpd -s /tmp -c -l
89 root 652 S httpd -d /www
90 root 10588 S httpd -S -d /www
109 root 360 S /sbin/wland
162 root 384 S dropbear -r /tmp/root/.ssh/ssh_host_rsa_key -d
/tmp/root/.ssh/ssh_host_dss_key -p 22
175 root 568 S /usr/sbin/pppd file /tmp/ppp/options.pppoe
176 root 340 S /tmp/ppp/redial 30
178 root 436 S sh -c /usr/sbin/pppoe -I vlan1
181 root 268 S /usr/sbin/pppoe -I vlan1
194 root 332 S udhcpd /tmp/udhcpd.conf
200 root 384 S dnsmasq --conf-file /tmp/dnsmasq.conf
279 root 404 S process_monitor
288 root 324 S /usr/sbin/cron
291 root 540 S upnp -D -L br0 -W ppp0
4346 root 740 S dropbear -r /tmp/root/.ssh/ssh_host_rsa_key -d
/tmp/root/.ssh/ssh_host_dss_key -p 22
4347 root 520 S -sh
4374 root 356 R ps -aux
> owner is unlikely to. One of the vulnerabilities allowed remote admin:
>
> http://www.governmentsecurity.org/articles/LinksysRouterInformationAcollection.php
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
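
Added example, not part of the message above and not Sveasoft's code: a small Python audit that takes a BusyBox `ps` listing like the one quoted in the message and reports which root-owned daemons are network services worth disabling or firewalling. The sample rows are constructed from that listing; the NETWORK_DAEMONS watchlist and the function names are assumptions.

```python
import re
# Constructed sample: rows copied from the `ps -aux` listing in the message,
# including a kernel thread (no VmSize) and a row wrapped onto a second line.
SAMPLE_PS = """\
PID Uid VmSize Stat Command
1 root 716 S init noinitrd
2 root SW [keventd]
85 root 328 S tftpd -s /tmp -c -l
89 root 652 S httpd -d /www
162 root 384 S dropbear -r /tmp/root/.ssh/ssh_host_rsa_key -d
/tmp/root/.ssh/ssh_host_dss_key -p 22
291 root 540 S upnp -D -L br0 -W ppp0
"""

# Assumed watchlist (not from the message): daemon name -> what it exposes.
NETWORK_DAEMONS = {
    "tftpd": "TFTP file transfer", "httpd": "web administration",
    "dropbear": "SSH login", "upnp": "UPnP port mapping",
    "dnsmasq": "DNS/DHCP", "udhcpd": "DHCP server",
}

# PID, Uid, optional VmSize (absent for kernel threads), Stat, Command.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(?:(\d+)\s+)?([A-Z<]+)\s+(.*)$")

def parse_ps(text):
    """Parse BusyBox ps output, rejoining command lines the terminal wrapped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, uid, vmsize, _stat, cmd = m.groups()
            procs.append({"pid": int(pid), "uid": uid, "cmd": cmd.strip(),
                          "kernel": vmsize is None and cmd.startswith("[")})
        elif procs and line.strip():
            procs[-1]["cmd"] += " " + line.strip()  # continuation of previous row
    return procs

def audit(procs):
    """Return (pid, daemon, note) for each root-owned daemon on the watchlist."""
    findings = []
    for p in procs:
        name = (p["cmd"].split() or [""])[0].rsplit("/", 1)[-1]
        if not p["kernel"] and p["uid"] == "root" and name in NETWORK_DAEMONS:
            findings.append((p["pid"], name, NETWORK_DAEMONS[name] + ", runs as root"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_ps(SAMPLE_PS)), sep="\n")
```

The process list only shows what is running; which interface each daemon is bound to still has to be checked on the device itself.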