Critical Security Flaw in Tomato by Shibby Firmware Found by Teo En Ming

Discussion in 'Tomato Firmware' started by Teo En Ming, Apr 13, 2014.

  1. Teo En Ming

    Teo En Ming Network Newbie Member

    I suspect that my Asus RT-N15U wireless router with Tomato by Shibby firmware version 116 "Big VPN" has been hacked.

    Although I tried to disable Remote Access for the sshd daemon in the router web configuration page, I could still login to the router by ssh from the router's *PUBLIC* IP address. This means that the sshd daemon is exposed to the internet by remote access even when remote access for the sshd daemon is disabled in the router web configuration page. Anyone from the internet could login to the sshd daemon on the router and perform administrative tasks.

    Similarly, although there is no remote access option for the telnet daemon, it is accessible from the router's *PUBLIC* IP address. Anyone from the internet could login to the telnet daemon on the router and perform administrative tasks.

    I chanced upon the open ports (sshd and telnetd on the router) when I ran a nmap scan against my public IP address.

    Shibby, could you fix these security flaws in your Tomato firmware? The sshd daemon and telnet daemon on the router should *NOT* be exposed to the internet.

    Teo En Ming
     
    Last edited: Apr 13, 2014
  2. Morac

    Morac Network Guru Member

    Are you running the scan from your LAN? It's possible that the router is picking this up and redirecting the scan to the private IP.

    It would be more accurate to scan from an external port scan tool.
    For example https://www.grc.com/x/ne.dll?bh0bkyd2
     
  3. Teo En Ming

    Teo En Ming Network Newbie Member

    Dear Morac,

    I could login to the router by SSH from its public IP address.

    Teo En Ming
     
  4. gschnasl

    gschnasl Networkin' Nut Member

    I've checked this issue:
    From inside the LAN I can reach the ssh port via the public IP, but in the logs I see an entry from an internal IP.
    From outside (UMTS) I can't reach the ssh port via the public IP and I can't see any entry in the logfile.

    No issue with tomato!
     
  5. Spyros

    Spyros LI Guru Member

    spyros@Uranos:~$ ssh xxxx.ddns.org
    ssh: connect to host xxxx.dns.org port 22: Connection refused
    spyros@Uranos:~$ telnet xxxx.ddns.org
    Trying 176.x.x.x...
    telnet: Unable to connect to remote host: Connection refused
     
  6. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    Loopback from within the LAN (accessing your public ip address from within the LAN) is not the same as access from the WAN. The former is enabled by default (and is of limited utility for most people) and the latter is blocked by default in Tomato.
     
  7. Edrikk

    Edrikk Network Guru Member

    You never wondered why such a HUGE flaw wasn't discovered by anyone before?
    LOL
    It's called NAT Loopback. Please read up.
     
  8. shibby20

    shibby20 Network Guru Member

    bug busted :)
     
  9. BikeHelmet

    BikeHelmet Networkin' Nut Member

    I've encountered routers that lack NAT Loopback. It's a pain when there's no option to enable it. Makes it impossible to easily connect to DDNS that points to yourself. (To keep things consistent.)
     