Full Speed

[ June 3, 2004 ]

Linksys Problems

Wi-Fi Net News made me aware of a security hole in the Linksys WRT54G wireless router yesterday. They say that the admin website can be accessed remotely even if remote admin is disabled.

Through my personal testing, I have not been able to access the admin page remotely except through the use of an SSH tunnel via a FreeBSD box behind the router. But since there may be something I’m missing here, I decided to go ahead and change my admin password anyway. And besides, default passwords are really stupid anyway. I should have changed it long ago.

An interesting piece of code came into my browser while I was changing my password. This is one that I haven’t seen mentioned elsewhere. It seems that Linksys is using unpublished proprietary JavaScript code that belongs to another company in their interface. Here’s the license that was included:

<!--
*********************************************************
*   Copyright 2003, CyberTAN  Inc.  All Rights Reserved *
*********************************************************

This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc.
the contents of this file may not be disclosed to third parties,
copied or duplicated in any form without the prior written
permission of CyberTAN Inc.

This software should be used as a reference only, and it not
intended for production use!


THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE.  CYBERTAN
SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE
-->

Now we’ve all heard the stories about Linksys violating the GPL, but they’ve cleared that issue up and released the source. This has led to great projects such as EWRT. But this violation goes way beyond the GPL violation. Not only are they using code that isn’t theirs, but they include the license that says that they don’t have a right to use it. And if that were not bad enough, the license states that the code is not intended for production use.

Now I can’t wait to get EWRT installed on my WRT54G. I’d really rather not run Linksys’s shoddy software any longer.

Update: The remote admin vulnerability on the WRT54G only occurs when the firewall is disabled. By default, the firewall is enabled. This is not a big deal. If somebody disables the firewall on their router, they probably deserve to be exploited.


© 2014 Scott Johnson