Security issue: WRT54G-series routers and improper setups
Back in the early part of this year, it became known that there is a worm that can infect routers, but now it seems to me that a related attack vector is possible if the router is misconfigured. In this case, it involves WRT54G-series routers that are capable of running DD-WRT (or anything related) and their ability to allow tunnelling via SSH.
Simply put: the same exploit that the Psyb0t worm employs is easily doable by virtually anybody and can be done without having to scan for exploitable hosts on your own.
A search for "WRT54G" using SHODAN will net you about 1,500 possible hosts. The SHODAN service is updated on a frequent basis and appears to be fairly reliable for netting current, operating hosts. Within the search results, you will find many opportunities to mess with a username and password prompt.
In my experience with the prompt so far, about one out of every five hosts accepts the default Linksys "admin" and "admin" combination, which is the default credential on this particular series of routers. However, without too much effort, an exploit can be done to bypass authentication, or a simple brute-force attack will get you in.
Once the prompt has been passed, it becomes possible to install DD-WRT if certain conditions are met. Some of the more recent revisions of the WRT54G do not have sufficient flash memory, RAM, or the correct wireless chipset to run, let alone install, a third-party firmware. However, I did come across a number of WRT54GS models during my searches, and they can easily run DD-WRT with the right features to get this going; all revisions in this particular series will allow for an install.
Needless to say, it is possible that the potential attacker may run into a roadblock in trying to use the router for their own purposes, but relying on this is pretty silly.
Applying the firmware without the end user noticing is fairly easy: after the install process, settings such as wireless and port forwarding stay the same because DD-WRT uses the settings stored in NVRAM, which is why one can get away with installing the firmware without necessarily getting locked out.
Once the attacker has the firmware installed, they can easily enable SSHD and then promptly begin to use the router to tunnel through. For the unaware, the reason this is quite dangerous is simply that one can effectively proxy through another connection and do so without necessarily being logged. It is less likely that this method will allow for e-mail spam, but one can definitely use it for other nefarious activities.
The process to fend this off is quite simple:
- Force users to change the username and password on their routers at install.
- Make it difficult to access the router from the WAN port.
- Toss the router out of the equation altogether and stop using wireless.
The latter is obviously not going to work, but the first two points stand. It is more the manufacturer's responsibility to prevent this option from being easily turned on, but it is also the responsibility of the user to know what they're using.
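As an added example for the first two points (not code from the original post), here is a small audit of a DD-WRT style `nvram show` dump for the exposures described above: factory admin/admin credentials, management reachable from the WAN port, and the SSH daemon enabled. The key names `http_username`, `http_passwd`, `remote_management` and `sshd_enable` are assumed NVRAM variable names modelled on DD-WRT conventions, and the sample dump is constructed; check the names against your own firmware.

```python
# Added example, not from the original post. Audits a DD-WRT style
# "nvram show" dump for the exposures the post describes: factory
# admin/admin credentials, management reachable from the WAN port,
# and the SSH daemon enabled. The NVRAM key names below are assumed
# (modelled on DD-WRT conventions) and the dump is constructed.

# Factory default named in the post for this router series.
DEFAULT_CREDENTIALS = {("admin", "admin")}

# Constructed sample dump; a real one comes from `nvram show`.
SAMPLE_NVRAM_DUMP = """\
wan_proto=dhcp
lan_ipaddr=192.168.1.1
http_username=admin
http_passwd=admin
remote_management=1
sshd_enable=1

size: 118 bytes (32650 left)
"""


def parse_nvram(dump: str) -> dict:
    """Turn key=value lines into a dict, ignoring blanks and the size footer."""
    cfg = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: dict) -> list:
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    creds = (cfg.get("http_username", ""), cfg.get("http_passwd", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("factory admin/admin credentials still set")
    if cfg.get("remote_management", "0") == "1":
        findings.append("web management reachable from the WAN port")
    if cfg.get("sshd_enable", "0") == "1":
        findings.append("SSH daemon enabled (tunnelling possible once logged in)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nvram(SAMPLE_NVRAM_DUMP)) or ["no findings"]:
        print(finding)
```

Run it against a real dump (`nvram show > dump.txt`) by passing the file contents to `parse_nvram`; a clean router returns an empty list from `audit`.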
On top of all this, any router that isn't of this variety but has this feature enabled and is capable of running DD-WRT is affected by this problem as well. Even a router with third-party firmware already installed is subject to this problem, but the ratio of default Linksys firmware deployments to third-party firmware deployments is quite significant. With that said, it is still a possibility.
I did some searching around to see if anyone had come up with this idea before, but it seems that I am the first one to come across this. If anyone has a link to otherwise, let me know and I'll give credit where credit is due.