Critical Flaw Discovered In DD-WRT 225
MagicM writes "A critical flaw has been discovered in DD-WRT, a Linux based alternative open source firmware for WLAN routers such as the fan-favorite Linksys WRT54GL. The flaw can give an attacker instant root access to the router merely by embedding an image with a specially crafted URL in a Web page (CSRF attack)." The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device.
This is a common stack in wifi APs (Score:2, Insightful)
Yes, there's a fix for this, but what is the likelihood of every person who owns a Wifi router fixing this flaw?
We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.
Just because we love Linux doesn't mean that we should sacrifice the entire ecosystem to that love. We need to nurture other implementations to prevent this type of virus from wiping out our entire networking in
Mod Parent Up (Score:3, Interesting)
Re: (Score:3, Insightful)
If people just disabled remote admin (which you should do anyway) and used different router IPs (e.g. not 192.168.1.1 or the usual), then attackers either need to do additional stuff to figure out what your default gateway is (and thus presumably your router IP), or they need to have significant control of a PC attached to the internal network (and presumably able to access the router webpage).
Re: (Score:2, Insightful)
I'll also agree that people should change the subnet that their network uses, but if they already have "significant control" of a PC on the network, then what's the point in going after the router?
Re: (Score:3, Informative)
>If people just disabled remote admin (which you should do anyway)
FYI, the exploit is Internet-ready even if you turn off remote management.
It's in the article, if you read it. Webpages (or flash, etc) can just craft a request to exploit this and in the process, turn remote shell ON.
Web-managed routers will always be LESS secure than router types managed via local telnet or ssh. Such designs are immune to browser and cross site attacks... but they're more difficult to manage for novice users, which is w
Re: (Score:3, Funny)
Re:This is a common stack in wifi APs (Score:5, Insightful)
1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?
2. Do you think DD-WRT was really all that much more susceptible to having a flaw than, say, something from Cisco? Or, by the same thought process, do you think open source Linux is inherently more vulnerable than Windows?
3. Homogeny? Huh?! Do you mean the homogeny that's defined has "a significant portion of huge nerds (though certainly not even close to a majority) uses this software" ? How many routers are being used in homes and small businesses around the world? You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware.
Software bugs happen. You don't need to get all philosophical about it. And besides, this is no more dangerous than the much larger number of people probably still using the default password on their router, and probably only slightly more dangerous than the huge number of people who don't have any kind of security. Relax.
Re:This is a common stack in wifi APs (Score:5, Informative)
3. Homogeny? Huh?! Do you mean the homogeny that's defined has "a significant portion of huge nerds (though certainly not even close to a majority) uses this software" ? How many routers are being used in homes and small businesses around the world? You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware.
WRT54GL
http://www.linksysbycisco.com/US/en/products/WRT54GL
Re: (Score:2)
Re:This is a common stack in wifi APs (Score:5, Insightful)
If you read the comments on NewEgg.com for that router model, not everyone mentions DD-WRT. Some use other 3rd party firmwares like Tomato or Open-WRT or custom builds. And believe it or not, some even write a positive review for the default factory firmware. The nice thing about that model ("L" version) is the extra memory headroom. Earlier models were stripped and crippled to run a really crappy default firmware from Linksys. BitTorrent crashes these small memory models often.
http://en.wikipedia.org/wiki/Linksys_WRT54G_series#Hardware_and_revisions [wikipedia.org]
Re: (Score:2)
I would say likly the bufflow routers, as they get bad reviews for their factory firmware but great reviews for their hardware.
By the way I run Tomato on both types.
Re:This is a common stack in wifi APs (Score:4, Informative)
So you agree that earlier models which were released shortly before the WRT54GL, were stripped and crippled. Except for the part where you said he was wrong you just agreed with everything the grandparent poster said.
Re: (Score:2, Informative)
I would have said "pre-2005" models, but that's not entirely accurate either.
Last time I checked recently, stores mostly had the non-Linux versions in stock or they had the WRT54G"L" side-by-side with the low-memory non-Linux version of the same router. I know NewEgg sells both versions also. Local brick&mortar stores only carried the bad version.
Re: (Score:3, Interesting)
I hope the following tale satisfies your curiosity.
Back in the day, you had a company named Linksys. They made excellent home routers. I dare say the best you could get on the market. They release several versions of a certain wireless router, model WRT54G. People everywhere rejoice, because they can hack away at this machine to their heart's content. Modding the firmware, modding the hardware. You name it.
During this period, a certain, shall we say, rather shitty manufacturer of 'Enterprise' routers, named
Re: (Score:2, Funny)
The router appears to glow in the picture.
Does that mean the router has biochemical reactions involving free radicals as well?
Someone call Greenpeace! There's a lack of environmental progress from router makers!
Re:This is a common stack in wifi APs (Score:5, Interesting)
1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?
You're assuming that all these people that installed dd-wrt on their router installed it on their own routers only. Not their parents, friends etc, and forgot about it.
Do most open source projects have a mailing list in which ONLY important notifications like this go out? In comparison, two years ago I bought a coffee pot from Amazon, and the manufacturer issued a recall for the pot itself. Amazon notified me via email that there was a recall for the pot and provided instructions on how to get a new replacement glass pot. Trolling forums or slashdot isn't exactly my idea of customer service.
If I had bought a Cisco/linksys router and there was a similar problem would I have been notified after registering the product?
Re: (Score:2)
So, you want the DD-WRT people to email you when a bug is discovered? Cisco would not email you either.. Neither does Microsoft, Adobe or... ANYONE.
Umm, what? Cisco emails me all the time about bugs. Granted, they email me about larger equipment. I don't have anything as small as a Linksys router associated with my CCO ID, but Cisco most certainly has the capability to send out notifications whenever there is a bug discovered in a piece of hardware or software they sell.
I don't deal with Microsoft or Adobe so I can't speak to them, but email notifications when bugs are found are hardly an uncommon idea. I can only conclude that your comment is based ou
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Linksys WRT54GL. The one they market through online dealers (no brick-and-mortar stores that I know of) specifically for people who want a Linux-based router that's friendly to third-party firmware.
rj
Re: (Score:2)
Bought mine at Fry's Electronics here in Atlanta so there is at least one B&M you can pick it up at. Only criticism I can really throw at it is the lack of draft n.
I'm also running dd-wrt so I think I'll be updating it now.
Re: (Score:2)
I almost never update the DD-WRT firmware on mine.
According to TFA the problem is with remote web gui control though, and thats pretty trivial to turn off (and since its off by default, I don't even have to do it).
Re: (Score:2)
1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?
I tend to not update DD-WRT on my routers all that frequently, because they just work. I do occasionally check for new versions and update as appropriate (as with most of my other apps, drivers, etc. as well). But when you're not constantly having problems with something, it's a lot easier to forget it's even there. You tend to check for Linksys firmware updates when your router locks up every few days, but months of uptime generally don't make you run out and try to find something new.
Re: (Score:3, Informative)
"You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware. "
Buffalo WHR-HP-G54DD comes with it installed by default.
Re: (Score:3, Insightful)
Yes, there's a fix for this, but what is the likelihood of every person who owns a Wifi router fixing this flaw?
We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.
Just because we love Linux doesn't mean that we should sacrifice the entire ecosystem to that love. We need to nurture other implementations to prevent this type of virus from wiping out our entire networking infrastructure.
What is the likelihood of any flaw on any system getting patched? I don't see how a vulnerability in DD-WRT is any different than if Cisco announced a major vulnerability in one of their systems. I bet just about the same percentage would be patched.
Re: (Score:2)
In reality I would wager less of the dd-wrt routers would get patched, but only because a lot of them were deployed by non-professionals who will likely not see the news.
Re: (Score:2, Funny)
Re:This is a common stack in wifi APs (Score:5, Insightful)
We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.
As opposed to using the base software from Linksys/Cisco where you don't know where the flaws lie, and if someone figures it out, it rarely ever gets published on the web openly or gets fixed soon enough in a firmware update. How is that different ? At least if you use Linux, you have people who care, and only people who care about their networks or improved experience with their routers use DD-WRT/OpenWRT/Other in the first place. Most just use the default software on their routers, which remains unpatched for a large portion of its use if at all.
Re:This is a common stack in wifi APs (Score:5, Informative)
It's hardly an issue with every wireless router. For example, the Tomato firmware is not vulnerable to this. Furthermore, most routers with DD-WRT are custom flashed, they don't come stock with it.
Re: (Score:2, Informative)
+1 for Tomato, that firmware is awesome and rock solid.
Re: (Score:2, Interesting)
Re: (Score:2)
Will the semi-crippled WRT-54GL that I have finally quit bugging out every time I use bittorrent if I used Tomato instead of DD-WRT, and does Tomato come with wireless bridging/repeater functionality?
Re: (Score:2, Insightful)
If you had a PIX, Sonicwall, Monowall, Linksys, Netgear etc.. router and it had a similar flaw, you would be equally screwed because you still have to fix it. I hope you don't think using those products is 100% risk free and that they never need patched/updated.
It doesn't matter if 1000 people are using [Router_X] or 100 million people are using it. This type of flaw on your equipment is not safer, better, worse, or any less of a flaw or risk to you and your network regardless of the overall penetration o
Re: (Score:2)
/me winces as he remembers all the web vulnerabilities on the PIX.
Re: (Score:3, Insightful)
What you're advocating, in a round about way, is security through obscurity.
Security through obscurity doesn't work.
All security through obscurity does is propagate a false sense of security that you're safe because you've not heard any major news headlines telling you that you're vulnerable... meanwhile, you've been rooted for 3 months.
Security through obscurity works. (Score:4, Interesting)
For example: in this case if you had already changed your router's IP address, it would be harder for the attackers to figure it out. For example if you use the 10.35.79.184, the same url that can exploit thousands of other dd-wrt routers (e.g. http://192.168.1.1/etcetc ), won't work on your router. So there has to be an attack specifically targeting you[1]. Which rarely happens unless you're famous or have made yourself infamous (or well-hated amongst hacker circles).
So you have more time to update your router or even have time to wait to see if the updates don't break other stuff first.
You're not as vulnerable to zero-day attacks as other people.
Same goes for putting running sshd servers on a different port. I could use port knocking or other other stuff, but so far running it on a different port works well enough for me.
I actually have my sshd server bound on an IP and port that's unreachable from outside, and my firewall has a rule to forward outside connections to it. This way if a mistake happens and my firewall rules get disabled/cleared, ssh and other crap from outside won't work.
[1] If a top hacker was targeting you specifically, they'd probably be able to pwn you.
For example:
1) I'm sure there are many zero-day browser/plugin exploits left (just look at how fast the pwn2own winners pwn stuff - they just sacrifice one of the zero-day exploits they have).
2) I doubt most ISPs have locked their BGP stuff down, so the attackers could use "BGP eavesdropping/prefix attacks" to hijack your connections.
With 1) and 2) you'd be merrily browsing your usual sites and pwned without noticing a thing- the hacker would just pass most of the traffic on, and just alter one or two connections to exploit the relevant browser bug.
Re: (Score:3)
For example: in this case if you had already changed your router's IP address, it would be harder for the attackers to figure it out. For example if you use the 10.35.79.184, the same url that can exploit thousands of other dd-wrt routers (e.g. http://192.168.1.1/etcetc [192.168.1.1] ), won't work on your router...So you have more time to update your router or even have time to wait to see if the updates don't break other stuff first.
However,...:
Same goes for putting running sshd servers on a different port...but so far running it on a different port works well enough for me.
Of course, all it would take for someone to discover that you were running sshd on an alternate port for them to run "nmap -sV -p1-65535" on your IP address. However, that is time consuming, and most hackers are after the low hanging fruit, so instead, they "nmap -sV -p22 1.2.3.0/24
Re: (Score:2)
Security through obscurity DOES work. I invite you to try exploiting any MenuetOS box. Good luck without knowing the actual hardware of the system and having the source code to the ASM-coded drivers written for each individual piece of hardware!
Re: (Score:2)
but in the real world security through obscurity works, even if you like it or not.
It's working alright, for those who exploit unknown vulnerabilities to create problematic disasters such as botnets. And then there was those instances of flaws discovered in Diebold Election Systems (now known as Premier Election Solutions [wikipedia.org] ) voting machines too.
Re: (Score:2)
Botnet building malware actually use common exploits, that are known and patched. And the reason they are found so quickly is becouse they are used on souch a large scale, to build botnets. Your example has nothing to do with security trough obscurity. The reason botnets exist is becouse people leave their computers turned on and unpatched.
How do you think the common exploits were found? When $Random_Software_Company releases software -- say, perhaps an operating system -- do they publish all of the "common exploits" on their web site so black hats can create botnets? Do the black hats have the source code for $Random_Commercial_Operating_System so they can find exploits?
Of course not! That's absurd. Therefore, it stands to reason that at one time, the common exploits were unknown exploits that someone with a lot of time, pe
It's "homogeneity" (Score:2, Informative)
Sorry about that.
Re:It's "homogeneity" (Score:4, Funny)
langs morf. get use 2 it.
Re: (Score:2)
Should be modded insightful.
Gods damned descriptivists.
Re: (Score:2)
No. Languages may morph, but that is not a good excuse for looking like a lazy idiot. Typing text messages on a cell phone is a pain, but when you have a full keyboard there is no excuse for such lazy spelling.
I have noticed, however, that all the phonics being taught in school are really making a mess of my kids' spelling abilities. They learn one way to spell a sound, and then all words with that sound must be spelled that way. Maybe it's a good thing to get all those annoying silent letters to disappear
Standard Practices (Score:4, Insightful)
I was wondering: How can this attack be carried out if the external web management is turned off? From the article:
Note: The exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As immediate action please disable the remote Web GUI management. But that limitation could be easily overridden by a Cross-Site Request Forgery (CSFR) where a malicious website could inject the exploit from inside the browser.
The Shashdot blurb does state "The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device." but that statement doesn't curb a lot of the "The Sky is FALLING!" reactions....
Basically, I would NEVER allow remote web management of a device if it's on the internet. I believe the default for DD-WRT is to disable it as well, so you'd have to go in and tell the device that you want to enable this feature. All in all, I think for most users, this issue is a non-issue.
Re:Standard Practices (Score:5, Informative)
Maybe I'm misunderstanding, but if the exploit is "injected from inside the browser" then won't the management of the device be coming from the local interface, not the internet side?
Re: (Score:3, Informative)
The easy way is to go directly in through the remote Web GUI.
slightly harder to go in through the browser running inside the network.
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:3, Interesting)
coming from the internet, but executed from YOUR browser. That's the danger they're talking about.
Re: (Score:2)
Indeed. Though CSRF flaws are also dependent on you being logged into the vulnerable application at the time that you visit the compromised website (or that the application doesn't require any login but I'd be very surprised if that were the case here).
Re: (Score:2, Redundant)
Alright, I'm a n00b. I didn't read that second line fully before posting regarding the injection.
Re:Standard Practices (Score:5, Informative)
Basically, I would NEVER allow remote web management of a device if it's on the internet.
Good idea, but this is a critical exploit because hackers can make an img tag load the malformed URL. If they can trick you into viewing that image, then your router will be compromised from your computer on the network. Disabling the external management will prevent internet users from compromising your router, but it is still vulnerable to local threats, as executed through the CSRF method.
Re: (Score:2, Funny)
What about dentists? Can dentists make an img tag to load the malformed URL too, or just hackers?
Likely not just images... (Score:2)
Re: (Score:2)
<A HREF="http://192.168.0.1/webmanagementinterface/ownyourfrakkingrouter.pl">Hey, since you're inside your network and able to access the web interface directly, why don't you click on this for me?</a>
That's how. For bonus points load the exploit as an image and inline it on as many web pages as you can find.
Need anything else explained? The London police probably won't arrest be for telling you
Worse than that (Score:4, Informative)
It's worse than a specially crafted image - there's a code injection flaw in the httpd server so merely accessing a URL that looks like "http://routerIP/cgi-bin/;command_to_execute" will do the trick. That URL can be put in a malicious tag on an HTML page and the user most likely won't even notice it.
See the Register article [theregister.co.uk] on it from a couple of days ago.
Re: (Score:2)
disable http.
only use https for router config access.
All of a sudden the attack vector is useless.
Re: (Score:2)
Congrats on not understanding how the internet works.
Re: (Score:2, Informative)
Re: (Score:3, Interesting)
Did you bother even reading the article? The code is in httpd.c, which obviously handled both types of connections. I almost hate SSL sometimes because people equate it with security -- but not encryption or integrity, but that somehow it's a magical fix-all for whatever the security flaw is. I see this kind of thinking in IT people in charge of the enterprise and it scares me. Security is not about having a setting enabled, and it certainly requires much more analysis than a simple dismissive suggestion.
Re: (Score:2)
I almost hate SSL sometimes because people equate it with security -- but not encryption or integrity
Yeah, SSL really bugs me. Most of the time, I don't care about authenticating the server I'm connecting to. Most of the time, all I want is encryption between me and the server I'm talking with. In fact, unless I actually examine the certificate the server presented, my browser authenticating the server just tells me that the server has a certificate from a certificate authority my browser knows about. And
Re: (Score:2)
only use https for router config access.
Most home router owners can't afford $$$ per year for an SSL certificate for their routers. Or what am I fundamentally misunderstanding?
Besides, let me fix the post to which you replied: It's worse than a specially crafted image - there's a code injection flaw in the httpd server so merely accessing a URL that looks like "https://routerIP/cgi-bin/;command_to_execute" will do the trick. That URL can be put in a malicious tag on an HTML page and the user most likely won't even notice it.
Re: (Score:2)
Most home router owners can't afford $$$ per year for an SSL certificate for their routers.
Which is good. Because if anyone ever feeds you a malicious https:/// [https] URL trying to hack your router, you'll get a bunch of dialog boxes coming up telling you that the certificate can't be validated... and you'll know something bad is going on.
Basically, though, this is merely demonstrating again that web-based hardware admin is a really, really, really bad idea. It's an even worse flaw than my router which has a bug that allows any remote site to reconfigure DNS without a password by sending you a maliciou
Re: (Score:2)
[Lack of a certificate for SSL to a home router] is good. Because if anyone ever feeds you a malicious https:/// [https] [https] URL trying to hack your router, you'll get a bunch of dialog boxes coming up telling you that the certificate can't be validated... and you'll know something bad is going on.
Then how do you get past the dialog boxes when you are trying to legitimately manage your router?
Basically, though, this is merely demonstrating again that web-based hardware admin is a really, really, really bad idea.
What protocol for administration of a home-office network appliance would you recommend, if not HTTP or HTTPS?
Re: (Score:2)
SSH. You only lose the fancy GUI.
Re: (Score:2)
SSH. You only lose the fancy GUI.
And your competitor can use its fancy GUI as a bullet point against your product.
Re: (Score:2)
I agree that HTTPS will not solve this problem. But if you're paying $$$ you're paying too much. You can get 99+% of web users with certificates that cost $30/year or less.
Moreover, if it's your own browser and your own computers, you can simply set up your own CA, add the CA cert to your local X.509 authority lists, and then issue a many certs as you'd like for $0. There's a small time investment if you don't already have OpenSSL setup and configured somewhere, but probably not even $30 worth if you know w
Re: (Score:2)
Re: (Score:2)
I tried to go to that URL but I just got a message "command 'command_to_execute' not found". Why doesn't it work?
Re: (Score:2)
I am guessing this was meant as a troll/joke, but, you may to actually put a real command in there.
DD-WRT !GPL Compliant (or open source) (Score:5, Informative)
DD-WRT just isn't compliant with the GPL on so many levels.calling it an "open source" firmware is a lie and a disgrace to the open source community.
The open source parts are OpenWRT.
Re:DD-WRT !GPL Compliant (or open source) (Score:5, Informative)
DD-WRT is Harmful [bitsum.com] to open source
Please look at this picture ... (Score:5, Interesting)
... to add a firewall-rule fixing this issue.
How did this happen? (Score:5, Interesting)
The bug resides in DD-WRT's hyper text transfer protocol daemon, which runs as root.
Whhaaat??? And the command looks like:
http://routerIP/cgi-bin/;command_to_execute
Whhaaat???
This is a bug even Adobe would be ashamed to admit. An http server, running as root, accepts arbitrary commands, without authentication, embedded in a URL? That's not a bug thats... that's a design flaw... no... that's... unbelievable!
Is there a legitimate reason that the http daemon runs as root? (It is for embedded devices...) Or that commands are accepted over HTTP GET like that?
Re: (Score:2)
Actually, that's how the new firmware got on the router in the first place.
Seriously, look it up.
Re: (Score:2)
This is a bug even Adobe would be ashamed to admit.
Some of the DSL modems around here (I think it's the 2-Wire brand) had a similar bug. Basically if you know the exact url of one of the modem's built in commands you can bypass the admin password.
Re:How did this happen? (Score:4, Insightful)
It's one of the reasons I don't use DD-WRT. For an Internet-facing security device, the author seems to have little regard for security.
Also, the firmware isn't really open source and the author is a humongous hypocrite.
Use Tomato [polarcloud.com] or OpenWRT [openwrt.org].
NoScript! (Score:3, Informative)
NoScript actually mitigates this vulnerability. The ABE feature, in particular:
http://noscript.net/abe/ [noscript.net]
So although I added the firewall mitigation in dd-wrt, I was pleased to find that NoScript blocked the CSRF request before it even got to the router.
Re: (Score:3, Informative)
That might help some, but what about:
1. Places that have 40 computers, running 3 different browsers.
2. Your friend/relative that comes over with their laptop
3. Embedded browsers in applications (even if they use your FF/Gecko does it load NoScript for those?)
4. That time you disabled NoScript cause something was "all fucked up", and you may as well "test"
5. What if someone got to the NoScript update servers?
6. ???
7. Loss of profit!
An easy work around (Score:2)
Stick it somewhere in the 10. private IP space block and any code injection not also stumbling on the correct URL and will instead get a "Server not found" error.
This will vastly reduce the chances of getting hit by any future as of yet undiscovered security problems using a URL, updated patches or not.
Re: (Score:2)
Both the LAN and WAN IP addresses can be used to access the router's interface, and the WAN IP is not a secret to the attacker.
Internal or External IP (Score:2)
I went over the details one thing I am confused about is in this situation is the internal or External IP of the router that is Key here?
Only for WAN facing routers? (Score:3, Interesting)
It would be nice to know if this affects DD-WRT boxes that are not WAN-facing and are not in router mode.
I have three DD-WRT's in client bridge mode so as to provide wired connections throughout the house. They hop over WiFi to the WAN-facing router which still runs stock VxWorks. So I'd be inclined to think that my boxes are safe.
As for DD-WRT releasing a patch, gee thanks. I have two different (and old) versions of DD-WRT among the three devices and haven't touched them since installing, because upgrading requires lots of personal time with each device to reinstall and reconfigure and god knows what else and I simply don't have the time -- the whole point of setting up client bridges was to make life easier, not some sort of time-consuming exercise in obscure geek cred.
Re: (Score:2)
Your statement is exactly analogous to this one:
What the hell is a linux? Can someone find a list of actual computers that are affected by this instead of speaking in geek terms?
If you had dd-wrt, you would know.
Re:wtf is a DD-WRT? (Score:5, Informative)
Re: (Score:2, Insightful)
Linux is somewhat secure, but a LOT of the security of linux is due to a limited (unfortunately) market share. If Linux owned 30% or more of the market space for end-user goods, we'd see a HUGE influx of hacks, malware, adware, etc.
Exactly - that's the same reason why there are so many malware authors targetting Apache!
Oh wait..
Re: (Score:2)
Well, it is hard to compete with Apple's 91% market share [cnet.com].
Re: (Score:2)
LOT of the security of linux is due to a limited (unfortunately) market share
Well, it is hard to compete with Apple's 91% market share [cnet.com].
This isn't market share; it's a niche. The 91 percent figure is among desktop and laptop computers whose MSRP is greater than 1000 USD. But even if all expensive computers were hardened against such exploits, the majority of computers aren't expensive.
Re: (Score:2)
Also, because of package management, malware and adware is never go to be an issue, not unless you add a infected repository. My bet is most "normal" linux users, don't add repositories anyway. They just think of add/remove software as if it was a less polished iStore. They don't install stuff from any random pla
Re: (Score:2)
Sorry to see you go (Score:4, Funny)
Greetings, I am a Linksys customers service representative. While I'm sorry to hear that you'll be leaving us, I'd like to remind you that if you have to wait for your paycheck in order to purchase a piece of home networking equipment, perhaps navigating flash based websites is the least of your worries. Have you considered going back to school?
Re: (Score:3, Insightful)
Feel free to hate Linksys for any of the other reasons. I was royally pissed off for a long time by the relentless router reboots caused by poor interaction between the logging mechanism and BitTorrent; thankfully they released fixed firmware for that
Re:Linksys suck (Score:4, Informative)
Re: (Score:2)
That does block the nastier exploit (explained below). But there is another vector which that doesn't address: commands issued *from* your browser. Steps:
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Re: (Score:2)
How is that a "remote web management" issue? Remote web management would allow a login attempt from anywhere on the internet.
This attack does not need that.
I think YOU need to go re-read the article and come back and explain how a URL on an internal machine is going to try to connect to the external interface of the router (which is what the "remote web management" does, turns on the WAN interface
Re: (Score:3, Informative)
It can only be remotely exploited in that case. However, it can be exploited locally if you load any page that that has a tag of the form <img src="http://192.168.1.1/cgi-bin/;reboot"> replacing 192.168.1.1 with your router's actual IP, and the reboot command with whatever command is desired. So you visit any webpage in any browser and you don't have the browser set to not load images from another domain, and you can be exploited.
Re: (Score:2)
there is no such thing as a "flaw" in Linux.
And this isn't a flaw in Linux: it's a poorly-configured web-server that does stupid things as root. That's no more a flaw in Linux than logging into the console as root and getting the system infected by malware when someone sends you the latest 'naked hot chick' screensaver.