Help my Linksys WRT54G router was broken into using the "curl" command

It's way too easy to break into the Linksys WRT54G router!

Instantly bypassing the administrator password, my fifteen-year old
neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
in ten seconds simply by sending this one "curl" command to it via the
Internet from his home next door!

c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

This kid was kind enough to knock on my door today to tell me to fix it.

I invited him in, and from inside my own house, he showed me the Linksys
WRT54G command above which immediately disabled all my wireless security
WITHOUT him having to enter any password!

He showed me how to disable remote administration but he said the
vulnerability still exists until I get a new router. I can't believe
everyone with a Linksys WRT54G router is throwing it in the garbage.

Where/how can I find a firmware update that protects me from this
vulnerability?

Debbie Hurley wrote:
> It's way too easy to break into the Linksys WRT54G router!
>
> Instantly bypassing the administrator password, my fifteen-year old
> neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> in ten seconds simply by sending this one "curl" command to it via the
> Internet from his home next door!
>
> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

Unless I am getting old then if he posted this command via the Internet
it would have got him nowhere. The curl -d command would post the data
to 192.168.0.1 which is not a public IP address available on the
Internet and would have have given him a timeout, unless his router
address is 192.168.0.1.
>
> This kid was kind enough to knock on my door today to tell me to fix it.
>
> I invited him in, and from inside my own house, he showed me the Linksys
> WRT54G command above which immediately disabled all my wireless security
> WITHOUT him having to enter any password!

For him to use this command on your computer implies you are using a
Linux distribution and have installed curl and should know what it is
capable of doing.
http://curl.haxx.se/docs/manpage.html#URL
>
> He showed me how to disable remote administration but he said the
> vulnerability still exists until I get a new router. I can't believe
> everyone with a Linksys WRT54G router is throwing it in the garbage.
>
> Where/how can I find a firmware update that protects me from this
> vulnerability?
>
>
>
>
>

kev wrote:
> Debbie Hurley wrote:
>> It's way too easy to break into the Linksys WRT54G router!
>>
>> Instantly bypassing the administrator password, my fifteen-year old
>> neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
>> in ten seconds simply by sending this one "curl" command to it via the
>> Internet from his home next door!
>>
>> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>
> Unless I am getting old then if he posted this command via the Internet
> it would have got him nowhere. The curl -d command would post the data
> to 192.168.0.1 which is not a public IP address available on the
> Internet and would have have given him a timeout, unless his router
> address is 192.168.0.1.
>>
>> This kid was kind enough to knock on my door today to tell me to fix it.
>>
>> I invited him in, and from inside my own house, he showed me the Linksys
>> WRT54G command above which immediately disabled all my wireless security
>> WITHOUT him having to enter any password!
>
> For him to use this command on your computer implies you are using a
> Linux distribution and have installed curl and should know what it is
> capable of doing.
> http://curl.haxx.se/docs/manpage.html#URL
>>
>> He showed me how to disable remote administration but he said the
>> vulnerability still exists until I get a new router. I can't believe
>> everyone with a Linksys WRT54G router is throwing it in the garbage.
>>
>> Where/how can I find a firmware update that protects me from this
>> vulnerability?

With the IP Address changed to 192.168.1.1, my WRT54G returned "curl: (52) Empty reply from server"
and encryption was still on. Using 192.168.0.1, it timed out. I don't know what is different with
your system, but it seems not to be a general problem.

Larry

Larry Finger wrote:

>
> With the IP Address changed to 192.168.1.1, my WRT54G returned "curl:
> (52) Empty reply from server" and encryption was still on. Using
> 192.168.0.1, it timed out. I don't know what is different with your
> system, but it seems not to be a general problem.
>
> Larry
The Firmware V 1.0.0.6 suggests they are playing with the Version 5
router which used Vxworks, so I don't know what the commands were for
that and I can't really be bothered to search for them.

In article <o8Iii.3150$(E-Mail Removed)> ,
(E-Mail Removed) says...
> It's way too easy to break into the Linksys WRT54G router!
>
> Instantly bypassing the administrator password, my fifteen-year old
> neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> in ten seconds simply by sending this one "curl" command to it via the
> Internet from his home next door!
>
> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>
> This kid was kind enough to knock on my door today to tell me to fix it.
>
> I invited him in, and from inside my own house, he showed me the Linksys
> WRT54G command above which immediately disabled all my wireless security
> WITHOUT him having to enter any password!
>
> He showed me how to disable remote administration but he said the
> vulnerability still exists until I get a new router. I can't believe
> everyone with a Linksys WRT54G router is throwing it in the garbage.
>
> Where/how can I find a firmware update that protects me from this
> vulnerability?

While I've not verified it, you should have googled for basic security
methods and you would have found that you need to change the default
subnet to something else, keeping the 192.168.0, which is the default,
is always a bad idea.

192.168.0 and 192.168.1 are common default subnets for home routers,
don't use them.

--
Leythos - (E-Mail Removed) (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've include does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.

On Wed, 04 Jul 2007 09:40:25 +0100, kev wrote:
>> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>
> Unless I am getting old then if he posted this command via the Internet
> it would have got him nowhere. The curl -d command would post the data
> to 192.168.0.1 which is not a public IP address available on the
> Internet and would have have given him a timeout, unless his router
> address is 192.168.0.1.

I called him about this just now. He said there were two easy ways to wipe
out the security of any Linksys WRT54G router without having to enter any
log in information by taking advantage of Linksys widespread "access
control error" vulnerabilities.

The first was to access my router by it's IP address and then to do a
remote configuration into the router that way. I had the remote
configuration enabled so he showed me how to disable that in the router so
the average person wouldn't disable my router security from half way around
the world. He says it definately can be done remotely and said he'd mail me
the instructions. He ended with saying that anyone who says it can't be
done doesn't know what they're talking about. I'll wait for his
instructions before I go any further on that.

Debbie Hurley <(E-Mail Removed)> writes:
> It's way too easy to break into the Linksys WRT54G router!
>
> Instantly bypassing the administrator password, my fifteen-year old
> neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> in ten seconds simply by sending this one "curl" command to it via the
> Internet from his home next door!
>
> c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
>

Among the reasons having wireless security disabled and letting
neighbors join your local network for free is a bad idea.

> He showed me how to disable remote administration but he said the
> vulnerability still exists until I get a new router. I can't believe
> everyone with a Linksys WRT54G router is throwing it in the garbage.
>
> Where/how can I find a firmware update that protects me from this
> vulnerability?

http://www.securityfocus.com/archive/1/452020


or... use third party firmware such as

http://www.dd-wrt.com/
http://openwrt.org/

--
Todd H.
http://www.toddh.net/

On Wed, 04 Jul 2007 09:40:25 +0100, kev wrote:
> For him to use this command on your computer implies you are using a
> Linux distribution and have installed curl and should know what it is
> capable of doing.
> http://curl.haxx.se/docs/manpage.html#URL

No. He showed me how to do it on my OWN Windows computer.
All he did was download curl from http://curl.haxx.se/download.html and put
the windows binary into my c:\os\winxp\system32\curl.exe location.

He told me curl works on just about every operating system in the world,
and from the looks of the web page above, it sure looks like it.
http://www.paehl.com/open_source/index.php?CURL_7.16.3

When I type Start cmd and then curl, I get a response of:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\My Stuff\Documents and Settings\debbie>curl
curl: try 'curl --help' or 'curl --manual' for more information

(E-Mail Removed) (Todd H.) writes:

> Debbie Hurley <(E-Mail Removed)> writes:
> > It's way too easy to break into the Linksys WRT54G router!
> >
> > Instantly bypassing the administrator password, my fifteen-year old
> > neighbor broke into my Linksys WRT54G router (firmware revision v1.0.0.6)
> > in ten seconds simply by sending this one "curl" command to it via the
> > Internet from his home next door!
> >
> > c:\> curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri
> >
>
> Among the reasons having wireless security disabled and letting
> neighbors join your local network for free is a bad idea.

I meant to paste this vulnerability of v5 wrt54g's here:

Linksys WRT54GS POST Request Configuration Change Authentication
Bypass Vulnerability
http://www.securityfocus.com/bid/19347/references

It's a known issue. The fix is to upgrade firmware per the link
below.

> > He showed me how to disable remote administration but he said the
> > vulnerability still exists until I get a new router. I can't believe
> > everyone with a Linksys WRT54G router is throwing it in the garbage.
> >
> > Where/how can I find a firmware update that protects me from this
> > vulnerability?
>
> http://www.securityfocus.com/archive/1/452020
>
>
> or... use third party firmware such as
>
> http://www.dd-wrt.com/
> http://openwrt.org/

And I'd have a chat with the parents of the kid, thanking him for
bringing the issue to your attention, but alwso warning him that his
"gray hat" actitivities can get him sent to jail, despite being well
meaning.

You don't "test" stuff you don't own or are engaged to test with
written legal permission of the owner.


Some news stories to drive the point home:

http://news.com.com/2009-1001-958129.html
http://news.zdnet.com/2100-1009_22-958920.html


Best Regards,
--
Todd H.
http://www.toddh.net/

On Wed, 04 Jul 2007 11:38:05 GMT, Larry Finger wrote:

> With the IP Address changed to 192.168.1.1, my WRT54G returned "curl: (52) Empty reply from server"
> and encryption was still on. Using 192.168.0.1, it timed out. I don't know what is different with
> your system, but it seems not to be a general problem.

I just grabbed my horrified notes from yesterday.

Try this which is the simplified test my neighbor wrote down for me when he
showed it to me yesterday - and let us know if it disables your Linksys
WRT54G router security without asking for a password.

1. Assume the vulnerable WRT54G Linksys router (mine is v5 v1.0.0.6).
2. Connect a yellow wire from the router to the computer
3. Install curl on Windows XP from http://curl.haxx.se/download.html
4. Add curl to your path (or put it in system32)
5. Start Run cmd telnet 192.168.0.1 80
6. Enter the web command to disable wireless security
POST /Security.tri
SecurityMode=0&layout=en
7. Look at your router to see you now have NO SECURITY!

He said the only reason we used the wire was to make it easier to show me.
He even did it wirelessly while out on my driveway outside my house. He
said ANYONE could do it from the Internet if they knew my IP address.
Luckily, he said nobody knows my IP address. Whew!

I didn't realize using a Linksys WRT54G router was so dangerous!