I found this pretty entertaining, but was especially amused by the mention of the "LuCI Injection" attack vector about halfway through...
Your understanding is wrong.
WAN, or WAN IP from the LAN side?
WAN side, I had no client devices connected on the LAN.
If you managed to connect to port 22 or port 80 then you either:
- weren't using an official OpenWrt image to create the VM,
- had made changes to the default configuration, or
- weren't connecting through the WAN.
The default firewall configuration does not allow traffic from the WAN zone to the LAN zone for either port 22 or port 80.
Yes, it does. However,
…but the firewall explicitly blocks incoming connections -all- from WAN.
I read it from end to end. None - literally none - of it is new or newsworthy. The entire piece can be summed up thus:
"Exposing a webserver to the internet will allow lots of bots to try decades of exploits against it".
Substitute "webserver" by "literally any TCP or UDP listener".
Yeah, that doesn't matter because the firewall blocks all ingress. You can have all sorts of stuff listening on the WAN, but nothing will get through until you make an effort to allow it.
I tried out the exploit on snapshot and it no longer works, as the cgi-bin stuff has been reorganized so much with the lua-ectomy that it probably only applies to 19.07 and earlier anyhow. Yet another reason to upgrade... (As if it's needed.)
That LuCI injection never applied to vanilla OpenWrt; it targets an insecure vendor customization. See also Meaning of the "cgi-bin" command - #4 by lleachii for another such example. Vendors love to hack LuCI and add textbook vulnerabilities to it.
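A defender-side check for the default posture the posts above describe (WAN zone input REJECT, no wan-to-lan forwarding, no ACCEPT rules for TCP from wan), added here as an example and not taken from the thread or from OpenWrt itself: a POSIX shell script that parses a constructed /etc/config/firewall in UCI syntax and flags a hypothetical vendor-style rule that opens tcp/80 from the WAN, the kind of customization that exposes LuCI. It assumes only the stock option names (zone name/input, forwarding src, rule src/proto/dest_port/target); on a real device you would feed it the output of `cat /etc/config/firewall` instead of the embedded sample.

```shell
# Constructed sample of /etc/config/firewall modelled on the stock OpenWrt defaults (not copied from a device)
FW_DEFAULT="
config zone
	option name 'lan'
	option input 'ACCEPT'
config zone
	option name 'wan'
	option input 'REJECT'
config forwarding
	option src 'lan'
	option dest 'wan'
config rule
	option src 'wan'
	option proto 'icmp'
	option target 'ACCEPT'
"
# Same file plus a hypothetical vendor-style rule that ACCEPTs tcp/80 from wan (the LuCI-exposing kind of edit)
FW_VENDOR="$FW_DEFAULT
config rule
	option src 'wan'
	option proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'
"
# uci_sections CONFIG TYPE: one line per section of TYPE as "key=value ..." (quotes stripped; first word of each value)
uci_sections() {
	printf '%s\n' "$1" | tr -d "'\"" | awk -v want="$2" '
		function flush() { if (t == want && line != "") print substr(line, 2); t = ""; line = "" }
		/^config / { flush(); t = $2 }
		$1 == "option" { line = line " " $2 "=" $3 }
		END { flush() }'
}
# wan_policy CONFIG OPTION: the wan zone's value for OPTION, e.g. input -> REJECT
wan_policy() {
	uci_sections "$1" zone | grep -E '(^| )name=wan( |$)' | tr ' ' '\n' | sed -n "s/^$2=//p"
}
# wan_to_lan_forwarding CONFIG: number of forwarding sections whose src is wan (stock: 0)
wan_to_lan_forwarding() {
	uci_sections "$1" forwarding | grep -Ec '(^| )src=wan( |$)' || true
}
# wan_tcp_accept_ports CONFIG: dest_port of every ACCEPT rule for tcp from wan, one per line (stock: none)
wan_tcp_accept_ports() {
	uci_sections "$1" rule | grep -E '(^| )src=wan( |$)' | grep -E '(^| )target=ACCEPT( |$)' | grep -E '(^| )proto=tcp( |$)' | tr ' ' '\n' | sed -n 's/^dest_port=//p'
}
# audit CONFIG: succeeds only if nothing on the wan side deviates from the stock posture
audit() {
	[ "$(wan_policy "$1" input)" = REJECT ] && [ "$(wan_to_lan_forwarding "$1")" = 0 ] && [ -z "$(wan_tcp_accept_ports "$1")" ]
}
for c in "$FW_DEFAULT" "$FW_VENDOR"; do audit "$c" && echo "wan side closed" || echo "open from wan: tcp $(wan_tcp_accept_ports "$c" | tr '\n' ' ')"; done
```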
Oh, that's even more entertaining! Same root cause as all the .lan dns queries "coming from OpenWrt"...
What are the vendors known to make such customization? Or to not do it?
GL.iNet, for example?
As far as I can see they don't touch LuCI. Instead they have their own UI running on the lighttpd web server (last time I looked).