1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Security flaws in Linksys WRT54 - fixes in DD-WRT??

Discussion in 'DD-WRT Firmware' started by dellsweig, Sep 14, 2005.

  1. dellsweig

    dellsweig Network Guru Member

    Here is a link to some security issues in the Linksys code for the WRT54G

    Brainslayer - are any of these addressed in DD-WRT 23??

    http://isc.sans.org/

    Published: 2005-09-14,
    Last Updated: 2005-09-14 16:43:02 UTC by Kyle Haugsness (Version: 1)

    iDefense has released five vulnerabilities against the Linksys WRT54G wireless access point/switch/router. Some of these vulnerabilities are very serious. Users of these products are highly recommended to patch their devices. Patches for the latest versions are available at http://www.linksys.com .

    The iDefense advisories are here:
    iDefense advisory 304
    iDefense advisory 305
    iDefense advisory 306
    iDefense advisory 307
    iDefense advisory 308
     
  2. knight14th

    knight14th Network Guru Member

    I think one should simply disable the httpd and everything is fine. And to be clear: why there should be an httpd on a router? :)
     
  3. littlewhoo

    littlewhoo Network Guru Member

    no httpd -> no GUI/webinterface -> you have to use the shell to change settings

    But I have heard some rumors, that there are still a few people out there, who have no Linux experience and therefore can't use the shell as a replacement for the webinterface. :D
     
  4. BrainSlayer

    BrainSlayer Network Guru Member

    this issue has been fixed yesterday by me and will be inside the next distribution
     
  5. knight14th

    knight14th Network Guru Member

    You can allways telnet your router and start/stop httpd. How often do you realy use this config-ui?. Once your wrt is seted up it will run and run.
    For people with no linux experience:

    killall httpd
    will kill the httpd and...

    httpd -d /www

    will start httpd again.

    httpd -S -d /www

    will start httpd using a secure ssl connection.
     
  6. littlewhoo

    littlewhoo Network Guru Member

    Unfortunately it's not that easy to kill httpd. I don't know about DD-WRT, but in Alchemy the router is monitoring in several different ways, if the webinterface is still running. And if httpd was killed it will be automatically restarted.
     
  7. cyrano

    cyrano Network Guru Member

    BrainSlayer's fix is now implemented.

    changelog:
    15.09.2005
    router style setting reintroduced
    chillispot native process watch integrated
    httpd security bug fixed (negative content length)
    sipath fixed (again, i know)
    WanMac GUI fixed (sipath tab missing)
     
  8. knight14th

    knight14th Network Guru Member

    littlewhoo: my dd-wrt'ed router runs for weeks without httpd. My uptime is only limited to brainslayers v23beta releases. I configure my wrt and than kill httpd simply. If something changes (eg new firmware) i telnet and than start httpd again.
     
  9. foq99

    foq99 Network Guru Member

    Hm.... Shouldn't there be 5 security issues to deal with? The rls notes only noted one.

    http://www.idefense.com/application/poi/display?id=304&type=vulnerabilities
    http://www.idefense.com/application/poi/display?id=305&type=vulnerabilities
    http://www.idefense.com/application/poi/display?id=306&type=vulnerabilities
    http://www.idefense.com/application/poi/display?id=307&type=vulnerabilities
    http://www.idefense.com/application/poi/display?id=308&type=vulnerabilities
    ^^ Only this vulnerability is noted to be fixed.

    Thanks BrainSlayer! You rock!
     
  10. BrainSlayer

    BrainSlayer Network Guru Member

    you should recheck the issues since dd-wrt uses a very different httpd daemon now.
     

Share This Page