Using outdated version of OpenWrt...?

What do you need to show me how you "break" my ChaosCalmer? Now I use a 3G USB stick to connect to my ISP.

So you want to say ALL routers on the market must be thrown away after 2 years? I believe all are Linux based.

I already provided you public links to known kernel vulnerabilities and examples of current, aggressive activity being taken against routers such as yours. Search for vulnerabilities in busybox, dropbear, and uhttpd if you want more. KRACK attacks against WPA2 are well documented and have been actively exploited. None of this is "rocket science".

All routers should have their firmware updated on a regular basis. Once they are unable to accept current, reasonably secure firmware, yes, they should be properly recycled. Replacements capable of supporting current firmware are available for under US$20.

Nobody is saying all routers must be thrown away after two years, but software
gets larger over time, and it's impractical to backport 'only important fixes'
to old versions. So the minimum spec will continue to grow over time, just like
it does with every other device.

A 5 year old router that has enough RAM and flash is no problem; a 5 month old
router that doesn't is a problem.

You can build your own openwrt image that will run on the low-spec device, but
the set of packages that have been defined as 'the standard build' will no
longer fit.

This is why I suggested that we define a second set of packages, possibly a
'minimum build', just enough to boot, talk to all the hardware on the device and
have ssh, and then users can use that as the base for custom builds or use
imagebuilder to add more features. This would make it clear that these devices
don't support the full range of standard features, but are still usable.

This sort of 'minimum build' would also be useful for the higher spec devices
for those who are making custom builds: instead of going through and removing
lots of packages (which can be a pain due to the need to track down dependencies
to figure out how to disable things), you would be going through and adding the
packages you need.

David Lang

This news is just 3 days old: https://arstechnica.com/information-technology/2018/11/a-100000-router-botnet-is-feeding-on-a-5-year-old-upnp-bug-in-broadcom-chips/

The header is wrong. The bug is in the software, not the chips.

I looked at the link above, but not a single instance of 'busybox' is found.

What's more, all attackers can gain access only if I run their application?
I do not run applications, except my own, compiled by me.

Were all those routers already infected in the factory?
Yes, any automatic code starting, like in Windows, is an area where viruses can spread, but I have no automatic code starting, so I do not understand how a Linux router can be infected?

Even with you compiling your own applications from source, you are not protected from vulnerabilities.

Your source code, even if "perfectly secure", depends on:

  • High-level libraries, such as TLS
  • Low-level libraries, such as libC
  • Kernel calls

All of the above have known vulnerabilities if taken from several years ago (which Chaos Calmer is)

Even the basic protocols, such as WPA2, have known vulnerabilities from that era.

Yes, the code may work perfectly fine with benign, "happy path" operation. However, as soon as you connect a device to the Internet, whether with a wire or over a wireless connection, you are connecting to a world that is no longer benign and willing to only operate on the happy path.

It is not that these routers are "infected" -- it is that old software, in general, has vulnerabilities discovered with time. In some cases these vulnerabilities, when exploited, result in loss of function in your device. In other cases they can result in "privilege escalation" or "execution of arbitrary code" which is a major problem. Given that everything in most every "SOHO" router runs with "root" privilege, only the ability to execute a few instructions of "arbitrary code" is needed to compromise your device.

You most certainly have "automatic code" being executed, or your router wouldn't boot.

Here's a typical scenario:

  • There are common vulnerability classes where there is "buffer overflow" or "use after free" -- bytes from a packet get written to memory where they shouldn't be.
  • A rogue system sends you a malformed or malicious packet that exploits this and writes "bootstrap" instructions to memory, only a handful are needed, then jumps to that location.
  • That code then downloads other code that expands the "infection" past a few bytes, into most anything the rogue actor desires.

As for busybox, take a look at https://www.cvedetails.com/vulnerability-list/vendor_id-4282/Busybox.html Right at the top of the current list, from 2018-06-26

BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appears to be exploitable via network connectivity.

And with the latest dnsmasq vulnerabilities (or KRACK), the device in question doesn't even need to be directly exposed to the internet; querying the wrong DNS entry would be enough to exploit it.

No, by running outdated software, they can gain access to your router without
you installing their application.

David Lang

If you insist and love soldering, consider kexec https://oldwiki.archive.openwrt.org/doc/howto/kexec but you will need the USB-mod as well https://oldwiki.archive.openwrt.org/toh/d-link/dir-600.

This will allow a boot-kernel with minimal drivers (usb-storage and a suitable filesystem) to execute another kernel from an external (USB-)device (see https://en.wikipedia.org/wiki/Kexec). You should then be able to use the latest versions of OpenWRT, provided that your 32 MB of RAM are sufficient and that your hardware is still supported.

For some inspiration, have a look at https://forum.archive.openwrt.org/viewtopic.php?id=25699&p=1. This is how I made OpenWRT run on my WL700G (with only 2 MB of flash).

Someone help please.
Teach me how to flash the DIR-601 1A with a saved image off of another router of the exact same model.

$ ssh root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:aY19mm4rxAz+o1sHFj6+tDr0yeld0MbyqQd3yiU0p5k.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.


BusyBox v1.29.3 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r8629-f98fde2db4
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:~# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/root                 2048      2048         0 100% /rom
tmpfs                    13584        80     13504   1% /tmp
/dev/mtdblock5             320       228        92  71% /overlay
overlayfs:/overlay         320       228        92  71% /
tmpfs                      512         0       512   0% /dev
root@OpenWrt:~# opkg install luci
Unknown package 'luci'.
Collected errors:
 * opkg_install_cmd: Cannot install package luci.
root@OpenWrt:~# opkg update
Downloading http://downloads.openwrt.org/snapshots/targets/ar71xx/tiny/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading http://downloads.openwrt.org/snapshots/targets/ar71xx/tiny/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/targets/ar71xx/tiny/kmods/4.14.82-1-71ae5951a032a37f170c70651c6ffef6/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_kmods
Downloading http://downloads.openwrt.org/snapshots/targets/ar71xx/tiny/kmods/4.14.82-1-71ae5951a032a37f170c70651c6ffef6/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/base/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/luci/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/routing/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/telephony/Packages.sig
Signature check passed.
root@OpenWrt:~# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/root                 2048      2048         0 100% /rom
tmpfs                    13584       816     12768   6% /tmp
/dev/mtdblock5             320       228        92  71% /overlay
overlayfs:/overlay         320       228        92  71% /
tmpfs                      512         0       512   0% /dev
root@OpenWrt:~# opkg install luci
Installing luci (git-18.346.55559-aa954d1-1) to root...
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/luci/luci_git-18.346.55559-aa954d1-1_all.ipk
Installing uhttpd (2018-11-28-cdfc902a-1) to root...
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/base/uhttpd_2018-11-28-cdfc902a-1_mips_24kc.ipk
Installing liblua (5.1.5-1) to root...
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/base/liblua_5.1.5-1_mips_24kc.ipk
Configuring uhttpd.
ln: /etc/rc.d/S50uhttpd: No space left on device
Collected errors:
 * pkg_write_filelist: Failed to open //usr/lib/opkg/info/liblua.list: No space left on device.
 * opkg_install_pkg: Failed to extract data files for liblua. Package debris may remain!
 * opkg_install_cmd: Cannot install package luci.
 * opkg_conf_write_status_files: Can't open status file //usr/lib/opkg/status: No space left on device.
root@OpenWrt:~# 

LuCI won't install because it ran out of room...

Not a very helpful description of what you have in hand. How did you save the image, exactly?

To "clone" an OpenWrt system to another router of exactly the same model, use this process. This only works for NOR flash. Do not attempt on routers with NAND flash.

Run cat /proc/mtd to identify which mtd partition number is the "firmware". The "firmware" is a pseudo-partition that combines the kernel, rootfs, and rootfs-data (the JFFS overlay FS). Thus you have both the base OS as well as any installed packages and configuration settings in the overlay fs.

In this example say it is mtd5. Next run cat /dev/mtd5 > /tmp/firmware.bin to dump the interesting parts of the flash chip to a regular file on the RAM disk. This may take several seconds to complete.

The firmware.bin file will work like a sysupgrade file. Copy it to the other router and run sysupgrade -n to flash it.
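The clone procedure above, as an added example (not code from the thread or from OpenWrt), with the partition number looked up by name instead of guessed, a refusal on anything that is not NOR flash, and a length check plus checksum of the dump so the copy can be verified on the second router before sysupgrade -n. The /proc/mtd text below is constructed; the /sys/class/mtd/mtdN/type attribute is assumed to report "nor" or "nand" as on a stock Linux MTD layer.

```shell
#!/bin/sh
# Added example for the clone procedure above; not from the thread or OpenWrt.
# Constructed /proc/mtd layout so the lookup functions can be exercised offline.
SAMPLE_PROC_MTD='dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00010000 00010000 "art"
mtd3: 00120000 00010000 "kernel"
mtd4: 00290000 00010000 "rootfs"
mtd5: 003b0000 00010000 "firmware"'

# find_mtd_by_name PROC_MTD_TEXT NAME -> prints "mtdN" for the partition whose
# quoted label equals NAME (labels may contain spaces); status 1 if not found.
find_mtd_by_name() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^mtd[0-9]+:/ {
            label = $0; sub(/^[^"]*"/, "", label); sub(/"$/, "", label)
            if (label == want) { dev = $1; sub(/:$/, "", dev); print dev; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# mtd_size_bytes PROC_MTD_TEXT mtdN -> prints the partition size in bytes
# (the second /proc/mtd column is hex).
mtd_size_bytes() {
    hex=$(printf '%s\n' "$1" | awk -v dev="$2:" '$1 == dev { print $2; exit }')
    [ -n "$hex" ] || return 1
    echo $(( 0x$hex ))
}

# dump_firmware OUTFILE -> dumps the live "firmware" partition on the router
# itself. Refuses NAND (the answer above says NOR only), checks that the dump
# has the full partition length, and prints a SHA-256 to compare on the target.
dump_firmware() {
    out=$1
    proc=$(cat /proc/mtd) || return 1
    dev=$(find_mtd_by_name "$proc" firmware) || { echo "no firmware partition" >&2; return 1; }
    type=$(cat "/sys/class/mtd/$dev/type" 2>/dev/null)   # assumed sysfs attribute
    [ "$type" = "nor" ] || { echo "$dev is '$type', not NOR: refusing" >&2; return 1; }
    expect=$(mtd_size_bytes "$proc" "$dev") || return 1
    cat "/dev/$dev" > "$out" || return 1
    actual=$(( $(wc -c < "$out") ))
    [ "$actual" -eq "$expect" ] || { echo "short dump: $actual of $expect bytes" >&2; return 1; }
    sha256sum "$out"   # record this; re-run sha256sum on the copy before sysupgrade -n
}
```

Run dump_firmware /tmp/firmware.bin on the source router; the size and checksum checks are the part of the procedure a bad copy would otherwise slip past.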

Manually build the image and disable IPv6 and other things not needed; LuCI will fit. I also have one.