[linux-elitists] Are we Dead Yet? (or "For every sprinkle I find, I shall kill you!)

Eugen Leitl eugen@leitl.org
Thu Feb 3 13:23:55 PST 2005


On Thu, Feb 03, 2005 at 12:39:57PM -0800, Karsten M. Self wrote:

> But if you'll look over the vulnerability notices for Linksys, you'll

Linksys default firmware is a piece of crap. There are several alternatives,
e.g. OpenWrt and Sveasoft (the $20/year one for bleeding edge firmware
access).

> note that it offers (public-side) remote administration capabilities,
> which have had several security issues.  It's also typically running the
> kernel, Apache, and SNMP, at least two of which (kernel & SNMP) have had
> remote exploits in recent memory.  Plus, by its very nature, the box

Know many crypt kitties who can write MIPSel shellcodes? Google gives 130
hitses. Don't thinkssss so.

> _lives_ on public-facing nets.

Given several million devices sold, and that most users leave the passwords
on default, and that remote reflashing is trivial, it looks like an
unnecessarily overlooked platform for nasty wormses.
  
> Which doesn't mean you can't:
> 
>   - Load something into RAM.  So long as it runs, you're golden.

That, too, but you can simply flash your stuff, so it survives a reset. Or
will not accept any new firmware henceforth. Or will just brick anything it
can infect, and then brick itself.
 
> Well....  It's rather hard to tell.  The "user interface" of such
> systems consists of a web-based tool.  Yes, it's possible to tweak the
> system to get shell, I haven't played that game yet, and the typical

Hm, let's see:

[kiki@helium ~]$ ssh -l root H
The authenticity of host 'h (192.168.1.1)' can't be established.
RSA key fingerprint is d3:1e:c9:35:5b:6d:c2:eb:10:d2:e2:fb:20:68:80:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'h' (RSA) to the list of known hosts.
root@h's password:
------------------------------------------

Welcome to the Sveasoft WRT54G/GS Firmware

      Alchemy-6.0-RC5a beta build
        version v3.01.3.8sv

USE OF THIS FIRMWARE IS AT YOUR OWN RISK

     http://www.sveasoft.com

------------------------------------------
sh: /usr/X11R6/bin/xauth: not found


BusyBox v1.00 (2004.12.04-16:43+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # w
-sh: w: not found
~ # ps -aux
  PID  Uid     VmSize Stat Command
    1 root        716 S   init noinitrd
    2 root            SW  [keventd]
    3 root            SWN [ksoftirqd_CPU0]
    4 root            SW  [kswapd]
    5 root            SW  [bdflush]
    6 root            SW  [kupdated]
   10 root            SW  [mtdblockd]
   51 root        308 S   resetbutton
   81 root        368 S   /sbin/syslogd -R 192.168.1.3
   84 root        304 S   /sbin/klogd
   85 root        328 S   tftpd -s /tmp -c -l
   89 root        652 S   httpd -d /www
   90 root      10588 S   httpd -S -d /www
  109 root        360 S   /sbin/wland
  162 root        384 S   dropbear -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22
  175 root        568 S   /usr/sbin/pppd file /tmp/ppp/options.pppoe
  176 root        340 S   /tmp/ppp/redial 30
  178 root        436 S   sh -c /usr/sbin/pppoe -I vlan1
  181 root        268 S   /usr/sbin/pppoe -I vlan1
  194 root        332 S   udhcpd /tmp/udhcpd.conf
  200 root        384 S   dnsmasq --conf-file /tmp/dnsmasq.conf
  279 root        404 S   process_monitor
  288 root        324 S   /usr/sbin/cron
  291 root        540 S   upnp -D -L br0 -W ppp0
 4346 root        740 S   dropbear -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22
 4347 root        520 S   -sh
 4374 root        356 R   ps -aux


> owner is unlikely to.  One of the vulnerabilities allowed remote admin:
> 
> http://www.governmentsecurity.org/articles/LinksysRouterInformationAcollection.php



-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net