  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Ouch! Security problem in Linksys routers
Quoting from a recent bugtraq message (from Steve Scherf):
Subject: Serious flaw in Linksys wireless AP password security
It appears that firmware version 4.50.6 for the Linksys WRT54GS (hardware version 1) wireless router allows wireless clients to connect and use the network without actually authenticating. With WPA Personal/TKIP authentication enabled, the unit allows both clients using encryption with the correct settings and key, and clients not using any encryption. It disallows clients attempting to use encryption with the wrong settings and/or key. |
|
  Techless Like I care Premium join:2002-07-19 Hypoluxo | A link ??? |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC | »msgs.securepoint.com/cgi-bin/get···164.html
I'd sure like to see this verified by a second party before we spread any alarm. |
|
  Bill Light Up The Halo Premium,VIP join:2001-12-09 clubs: | reply to nwrickert Are you guys gonna make me flash the Linksys firmware onto my WRT54GS to test this? :p |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| said by Bill: Are you guys gonna make me flash the Linksys firmware onto my WRT54GS to test this? :p
C'mon, you can't tell me you're not curious.
-- Robb Topolski http://www.funchords.com/ Hillsboro, Oregon USA Dear Anonymous, Thank you!!! Thank you!!! |
|
  Bill Light Up The Halo Premium,VIP join:2001-12-09 clubs:
| said by funchords: said by Bill: Are you guys gonna make me flash the Linksys firmware onto my WRT54GS to test this? :p C'mon, you can't tell me you're not curious.
I gave it about 2 seconds of thought, then decided to do it.
Downloading the Linksys stuff right now. Will report back..
-- Folding Monitor Network Status Weather Stats |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| Just to clarify, Sw Bill, it seems from reading the bugtraq report that the fw is allowing a blank key in the supplicant. A wrong key seems to be rejected.
Suggest you take a look at the report. The bugtraq poster also seemed to be confused as to what to expect from Auto mode. -- Robb Topolski http://www.funchords.com/ Hillsboro, Oregon USA Dear Anonymous, Thank you!!! Thank you!!! |
|
 seezar Premium join:2001-07-01 Rochester, NY
·ViaTalk
| reply to Bill
said by Bill: I gave it about 2 seconds of thought, then decided to do it. Downloading the Linksys stuff right now. Will report back..
{patiently sits by and awaits the results} |
|
  Bill Light Up The Halo Premium,VIP join:2001-12-09 clubs: | reply to nwrickert I don't see it...
I tried setting up the wireless card with a blank WPA-PSK key. I tried setting the wireless card with no security.
Nothing.
Maybe I'm doing something wrong? |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
1 edit | My read of the test cases is this:
Test case 1:
•Router configured for WPA-PSK TKIP
•Client profile configured for same SSID, no encryption
REPORTED RESULT: Access granted
EXPECTED: Access denied
Test case 2:
•Router configured for WPA-PSK TKIP
•Client not configured with a profile
REPORTED RESULT: Router is listed in a site survey as an AP with no encryption enabled
EXPECTED: Router is listed in a site survey with encryption
NOTE: Macstumbler was used by the original observer
-- Robb Topolski http://www.funchords.com/ Hillsboro, Oregon USA Dear Anonymous, Thank you!!! Thank you!!! |
|
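The site-survey test case above (an AP configured for WPA-PSK TKIP but listed as unencrypted) can be checked directly against what the AP broadcasts. The following is an added example, not part of the thread: it parses a beacon frame body and compares the advertised security with the configured mode. The beacon bytes are constructed sample data, and the SSID `linksys-test` and all function names are hypothetical.

```python
import struct

PRIVACY_BIT = 0x0010                       # Capability Information bit 4
WPA_OUI_TYPE = bytes.fromhex("0050f201")   # vendor IE 00:50:F2 type 1 = WPA

def parse_beacon_body(body: bytes) -> dict:
    """Parse a beacon frame body (bytes after the 24-byte 802.11 MAC header)."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    _timestamp, _interval, capab = struct.unpack_from("<QHH", body, 0)
    info = {"ssid": None, "privacy": bool(capab & PRIVACY_BIT),
            "wpa_ie": False, "rsn_ie": False}
    off = 12
    while off + 2 <= len(body):            # walk the tagged information elements
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 48:                    # RSN element (WPA2)
            info["rsn_ie"] = True
        elif tag == 221 and value.startswith(WPA_OUI_TYPE):
            info["wpa_ie"] = True
        off += 2 + length
    return info

def advertised_security(info: dict) -> str:
    if not info["privacy"]:
        return "open"                      # what a site survey lists as unencrypted
    if info["rsn_ie"]:
        return "wpa2"
    return "wpa" if info["wpa_ie"] else "wep"

def audit(expected: str, body: bytes) -> tuple:
    """Compare the configured mode with what the AP actually broadcasts."""
    seen = advertised_security(parse_beacon_body(body))
    return (seen == expected, seen)

def _beacon(ssid: bytes, capab: int, ies: bytes = b"") -> bytes:
    return struct.pack("<QHH", 0, 100, capab) + bytes([0, len(ssid)]) + ssid + ies

# Constructed sample data (not captured from any real device).
WPA_TKIP_IE = bytes([221, 22]) + bytes.fromhex(
    "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")
GOOD = _beacon(b"linksys-test", 0x0011, WPA_TKIP_IE)   # ESS + Privacy, WPA IE
BAD = _beacon(b"linksys-test", 0x0001)                 # ESS only, no WPA IE

if __name__ == "__main__":
    for name, body in (("good", GOOD), ("bad", BAD)):
        print(name, audit("wpa", body))
```

Run against a beacon captured from your own AP after each firmware flash, a `False` result means the web GUI's security setting and the broadcast state disagree.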
  Scherf
@gracenote.com
| reply to Bill
Hi, I'm the original poster to Bugtraq. I wouldn't be surprised if this was a hard one to reproduce. To recount what I did in the hopes that someone else will be able to make it happen:
I set the AP to use WPA personal/TKIP with a very long and random password (generated with /dev/random). At the time I was using an older firmware, perhaps a year old. I don't recall what version. I was not getting great reception, so I installed two aftermarket directional antennas. Not a lot of improvement, but not surprising given that there are something like 10 networks in my neighborhood. So I upgraded the firmware in the hope that perhaps they improved some of the connectivity issues. I upgraded through the usual web browser interface without changing any settings before or after.
It all seemed to work fine, and I ran with it for a month until a friend noted that my network seemed to be open. His Win XP box showed my net as open, and he connected without a password. I cranked up Macstumbler, and it showed the network as open as well, even though my 4 Macs are configured to use TKIP and were working just fine that way. The Linksys AP was definitely configured to use TKIP, no question, but the network still showed up as open in the scans I ran.
The original post tells the rest of the details. I wonder if the firmware update process put the unit into a weird state or something? |
|
  Bill Light Up The Halo Premium,VIP join:2001-12-09 clubs:
| When you upgraded the firmware from the previous version, did you "Restore Factory Defaults" after the upgrade?
If you didn't, it is possible it was in a "weird state".
I upgraded a few months ago from Alchemy to DD-WRT and since I didn't "Restore Factory Defaults" some settings would not take and I was getting random errors in the web GUI. It's like random garbage was stored in memory instead of the values I tried setting.
I will try flashing to DD-WRT, then back to Linksys, without restoring defaults and see what happens.
Thanks Bill. -- Folding Monitor Network Status Weather Stats |
|
  Kabanos Premium join:2001-06-29
| reply to Bill
said by Bill: ...Maybe I'm doing something wrong?
Do not use the newest Firmware Version: 4.70.6; try it with the old one (Firmware Version: 4.50.6)
-- non nova, sed nove |
|
  Bill Light Up The Halo Premium,VIP join:2001-12-09 clubs:
1 edit | reply to nwrickert Ok, I was able to recreate this problem. Here's what I did:
•Flash from Linksys 4.50.6 to DD-WRT.
•I looked in the web GUI after the flash and the WPA settings from my previous Linksys firmware were still in there.
•I set my wireless card to "Disabled" for security settings
I was able to connect right up (see attached image).
I'm guessing that even though the WRT54GS web config is reporting WPA is enabled, it's not really enabled.
One more reason to be sure to "Restore Factory Defaults" after firmware upgrades 
Edit: Fixed picture |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC | Is it expected that this router would retain its memory across firmware updates?
-- Robb (not a Linksys router user) |
|
  Bill Light Up The Halo Premium,VIP join:2001-12-09 clubs:
| I don't know much about the internal workings of this router, but I do know they act weird when they aren't "Restoring" after updates. I am not sure why the web config is reporting inaccurate data.
As an update, I got the same results when flashing from DD-WRT to Linksys 4.50.6, without "Restoring". When I did the flash, with "Restoring", everything worked fine (no WPA problem). -- Folding Monitor Network Status Weather Stats |
|
  Bill Light Up The Halo Premium,VIP join:2001-12-09 clubs: | reply to nwrickert Anyone else out there with a WRT54GSv1 able to get the same results as me? |
|
 scherf
join:2005-08-16
| reply to Bill Good job reproducing this! I guess it actually is an issue with updating. I don't agree about WPA actually being disabled, though, because password validation is functioning. If your password is wrong, you can't connect. Also, my computer reports that it is connected with WPA. The bug is that WPA is "optional". 
As for whether it is expected for this unit to keep config after updating, I'm not sure what the vendor advertises. But the unit does seem to keep config and report it exactly as it was before the update. But apparently what it reports doesn't necessarily match what's going on inside. |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| reply to nwrickert Thanks to the people who have been testing this, particularly Bill and scherf.
Even if this is a configuration/update issue, I see it as still a problem. But it isn't as serious a problem as it might have been. |
|
 dad123
join:2001-02-18 Bremerton, WA | reply to nwrickert I always wondered: if you restore factory defaults, can you reapply your previously saved configuration file and not mess up the settings? |
|