RE: Serious flaw in Linksys wireless AP password security

From: Robert Thompson Jr. (rthompson_at_columbiabank.com)
Date: 08/16/05

  • Next message: Sune Kloppenborg Jeppesen: "[ GLSA 200508-07 ] AWStats: Arbitrary code execution using malicious Referrer information" 
    Date: Mon, 15 Aug 2005 15:42:03 -0700
To: "Steve Scherf" <bugtraq@moonsoft.com>, <bugtraq@securityfocus.com>

    When upgrading my WRT54GS (v 1.0) router to the 4.50.6 and 4.70.6
    firmwares, I experienced no such authentication problems.

    If the router was set wide open, I could connect without authentication.

    As soon as I specified WPA-PSK on the router, in order for me to connect
    via the NIC I absolutely had to have the WZC configured for WPA-PSK
    (TKIP or AES accordingly) and HAD to have the correct password
    configured as well. (And the SSID of course...)

    If the proper settings were not configured into the WZC after enabling
    WPA-PSK, I was not able to connect to the router.

    I am certain of these details as I was trying to get the WPA2 feature to
    work on my NIC that didn't have WPA2 certified drivers at the time. I
    ended up trying every damned near possible configuration before
    realizing that it was my drivers that weren't working on my NIC before
    having to settle with just WPA until Linksys updated their drivers on
    their website...

    Though, since we are on the subject of the WRT54GS router. The 4.50.6
    and 4.70.6 firmwares enable the WPA2 feature. AND Linksys was kind
    enough to finally release WPA2 certified drivers for the WPC54GS NIC's
    (and I am assuming the WPC54G) as well. So if you haven't updated, you
    may want to condsider doing so for the increased security.

    Rob.

    -----Original Message-----
    From: Steve Scherf [mailto:bugtraq@moonsoft.com]
    Sent: Sunday, August 14, 2005 12:53 AM
    To: bugtraq@securityfocus.com
    Subject: Serious flaw in Linksys wireless AP password security

    It appears that firmware version 4.50.6 for the Linksys WRT54GS
    (hardware version 1) wireless router allows wireless clients to connect
    and use the network without actually authenticating. With WPA
    Personal/TKIP authentication enabled, the unit allows both clients using
    encryption with the correct settings and key, and clients not using any
    encryption. It disallows clients attempting to use encryption with the
    wrong settings and/or key.

    In other words, even if you think you've secured your wireless network
    from unauthorized access, anyone can access it. It actually shows up as
    having no password security on a Macstumbler scan, which is how I
    noticed the problem.
    I verified that anyone can access the network without needing to know
    the key.

    I did not check security modes other than WPA/TKIP. Other modes may have
    different behavior. Changing the "Authentication Type" setting had no
    effect on this problem. I believe it should be set to "Shared Key", but
    the setting used does not appear to matter.

    I only verified the problem on firmware 4.50.6. It is unknown if other
    firmware versions exhibit the problem. However, at least one older
    firmware does not exhibit the problem, as my router functioned correctly
    until I updated to 4.50.6.

    The problem appears to be fixed in version 4.70.6. No expli*** notice
    of this problem or the fix appears in the release notes for version
    4.70.6.
    Strangely, the "Authentication Type" must be set to "Auto" for the unit
    to function properly. Should it be set to "Shared Key", which one might
    expect to be the correct value, the wireless functionality appears to be
    entirely disabled.

    It is unknown if this problem is seen with other hardware versions, or
    with other models. I suspect it may, given the similarity between many
    of the Linksys models and their firmware. 

    --
Steve Scherf
bugtraq@moonsoft.com
  • Next message: Sune Kloppenborg Jeppesen: "[ GLSA 200508-07 ] AWStats: Arbitrary code execution using malicious Referrer information"