DD-WRT Root exploit posted today

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3 ... , 13, 14, 15  Next
Author Message
Donny
DD-WRT Guru


Joined: 13 Nov 2008
Posts: 5266
Location: CENTRAL Midnowhere

PostPosted: Sun Feb 07, 2010 21:34    Post subject: Reply with quote
mono wrote:
It is troubling to me that this exploit existed for as long as it did before I realized it, today.

Is there a mailing list we can get on that exclusively serves to inform of (new) exploits to DD-WRT? If not, might I suggest one be started?


There are 80,000 registered users, most of whom haven't paid anything for the firmware they are happily using. Are you volunteering to create a mailing list and do the data entry for everyone of them? This information has been posted on the main page of the forum for months....

_________________
Warning: I'm "out of my element!"
http://www.youtube.com/watch?v=MjYJ7zZ9BRw&NR=1

Peacock Thread Sticky- Just read it! (Anyone using SP1 will be taken out back and shot)
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=51486
Sponsor
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

PostPosted: Sun Feb 07, 2010 22:35    Post subject: Reply with quote
He just asked a simple question Donny. There was a mailing list once I believe but I don't think there is currently.
_________________
Eko Builds

BrainSlayer Builds

DD-WRT Changelog RSS Feed
mono
DD-WRT Novice


Joined: 09 Dec 2006
Posts: 31

PostPosted: Sun Feb 07, 2010 22:42    Post subject: Reply with quote
Well Donny since you put it that way...

- I admin a non-profit org's website, nobody pays there.

- We do have a mailing list, so yes I did volunteer to do this very thing where I have the control to do so.

- I wrote people can sign up, you're pulling some idea of another person having to the data entry out of thin air. Each person signs up, database created from that via computer, database mailing lists are straightforward and ample info for those who don't know how is one Google click away.

- You wrote the info is available on the "main page", yet didn't link it. If by main page you mean the forum root page I look there and saw nothing titled to suggest it contained any info about an exploit mailing list.

I get it, that you're trying to defend something you like, but it serves no useful purpose to do so. If nobody wants to do it then it won't get done - no defense needed... but it sure would be nice to have an exploit mailing list or if there is one, someone to point it out with a sticky, properly titled topic instead of wasting time arguing.
yzy-oui-fi
DD-WRT Guru


Joined: 03 Mar 2009
Posts: 2826
Location: France

PostPosted: Sun Feb 07, 2010 22:51    Post subject: Reply with quote
there is something i do not understand...

Web gui is a nice tool, but when you finished to set your network, why would you like to have a web gui always running? I mean in professional use, we currently unset this feature, because it is don't needed any more. So Why would some like to have some biggest code on it's router to secure more and more the Web Gui? if you look to cpu loads when using SSL and https you could understand that it is an heavy feature, and probably don't needed at all because when your networks perfectly set to your needs, you don't run anymore the dd-wrt web gui.

in my mind the iptables published in the website should be enough because after all i will unset the web gui to win some more room, and so no more web exploit could affect my network.

_________________
DD-WRT WDS MESH + DASHBOARD (fr), DD-WRT network setting tool (tools.yzy-oui-fi.com), Wifi Business and IT guy After hours, My Blog, Free DD-WRT VPN Community(www.wrt-pptp-ww.com), DD-WRT pré-réglés pour réseau outdoor(hotspot.yzy-oui-fi.com), Nouveau Forum DD-WRT francophone
Donny
DD-WRT Guru


Joined: 13 Nov 2008
Posts: 5266
Location: CENTRAL Midnowhere

PostPosted: Sun Feb 07, 2010 23:00    Post subject: Reply with quote
mono wrote:
someone to point it out with a sticky, properly titled topic instead of wasting time arguing.


Peacock announcement.....Top of the forum. Linked in READ THIS SHORT POST BEFORE POSTING announcement. However there is no link to a mailing list because none exists.

There has never been a mailing list for bugfixes/major exploits since I have been here. Someone would still have to set it up. Whether it be minimal effort or extensive, someone has to do it.

The milworm exploit and how to fix it was dealt with extensively in the forums for months, and continues to be dealt with here even in post I have written in the last couple of days. It is also dealt with on the main dd-wrt webpage, and in the announcements at the top of the forum.

My point is simply that when people post "we need this" they have to realize that someone has to do things, and if they need it, they should do it. Not expect others to do everything for them in order to ensure the firmware they paid nothing for has no issues. If people give back by contributing to others on the forum, they also get informed about issues such as this.

So, it won't get done if someone doesn't do it. Either volunteer to do it, or accept that it doesn't exist. Free comes at a price.

_________________
Warning: I'm "out of my element!"
http://www.youtube.com/watch?v=MjYJ7zZ9BRw&NR=1

Peacock Thread Sticky- Just read it! (Anyone using SP1 will be taken out back and shot)
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=51486
yzy-oui-fi
DD-WRT Guru


Joined: 03 Mar 2009
Posts: 2826
Location: France

PostPosted: Sun Feb 07, 2010 23:55    Post subject: Reply with quote
the trouble with mailing list is to have a safe client list.
this could be made easily with a short php code and an mysql list. Another trouble could be that we should be sure that this list will stay safe and will not be use for other subject than DD-WRT subject. I will do it for free but in my country big database are subject to specific disclaiming to a government office, and i don't want to support any law issue for this(guess anyone could understand it).

This client list could be extract from the dd-wrt PHPBB mysql client table, but administrator should agree with this sort of deal and i'm pretty sure they are not ready to deal this with somebody outside from dd-wrt dev's team about this!

_________________
DD-WRT WDS MESH + DASHBOARD (fr), DD-WRT network setting tool (tools.yzy-oui-fi.com), Wifi Business and IT guy After hours, My Blog, Free DD-WRT VPN Community(www.wrt-pptp-ww.com), DD-WRT pré-réglés pour réseau outdoor(hotspot.yzy-oui-fi.com), Nouveau Forum DD-WRT francophone
Mordak
DD-WRT Guru


Joined: 27 Dec 2007
Posts: 933
Location: Lee, Me

PostPosted: Mon Feb 08, 2010 20:34    Post subject: Reply with quote
@mono - By main page Donny meant http://www.dd-wrt.com, which by default, brings you to http://www.dd-wrt.com/site/index bottom right hand side.


dd-wrt-main-page.png
 Description:
 Filesize:  220.2 KB
 Viewed:  18863 Time(s)

dd-wrt-main-page.png



_________________

ASUS AC3200
Linksys WRT32X
Linksys WRT3200 ACM
yzy-oui-fi
DD-WRT Guru


Joined: 03 Mar 2009
Posts: 2826
Location: France

PostPosted: Mon Feb 08, 2010 20:44    Post subject: Reply with quote
For sure, Mono, you must read more and talk less...
Donny is not especialy one of my friends, but he is right. Main Page is the Index page of the Website. Forum is only a part of DD-WRT Site, there is also a Wiki, a bug repport section, and if you don't almost read the Main page how could you judge it.

You would like to have a mailing list, but if people don't read their mailbox you will have same issue....Some dummy will claim they never be noticed !

Anyway, mailing list could be a good idea, if you read it.

_________________
DD-WRT WDS MESH + DASHBOARD (fr), DD-WRT network setting tool (tools.yzy-oui-fi.com), Wifi Business and IT guy After hours, My Blog, Free DD-WRT VPN Community(www.wrt-pptp-ww.com), DD-WRT pré-réglés pour réseau outdoor(hotspot.yzy-oui-fi.com), Nouveau Forum DD-WRT francophone
OB1
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 25

PostPosted: Tue Feb 09, 2010 8:02    Post subject: Reply with quote
yzy-oui-fi wrote:

Anyway, mailing list could be a good idea, if you read it.


A better idea may be having some kind of built-in
mechanism into DD-WRT to check from time to time for
updates; fetch some kind of "update log" from site and then send an "administrative alert" about the
update (then btw there may be some "update priority"
info like "bugfix", "critical" and the like); that
way you won't need to setup a mailing list or play
with email addresses; the DD-WRT box will check for
updates by itself and notify the owner Smile
yzy-oui-fi
DD-WRT Guru


Joined: 03 Mar 2009
Posts: 2826
Location: France

PostPosted: Tue Feb 09, 2010 8:13    Post subject: Reply with quote
OB1 wrote:
yzy-oui-fi wrote:

Anyway, mailing list could be a good idea, if you read it.


A better idea may be having some kind of built-in
mechanism into DD-WRT to check from time to time for
updates; fetch some kind of "update log" from site and then send an "administrative alert" about the
update (then btw there may be some "update priority"
info like "bugfix", "critical" and the like); that
way you won't need to setup a mailing list or play
with email addresses; the DD-WRT box will check for
updates by itself and notify the owner Smile


this what i've done with my special rebuild it could be update directly when release are available. but i don't put any level Wink

_________________
DD-WRT WDS MESH + DASHBOARD (fr), DD-WRT network setting tool (tools.yzy-oui-fi.com), Wifi Business and IT guy After hours, My Blog, Free DD-WRT VPN Community(www.wrt-pptp-ww.com), DD-WRT pré-réglés pour réseau outdoor(hotspot.yzy-oui-fi.com), Nouveau Forum DD-WRT francophone
mono
DD-WRT Novice


Joined: 09 Dec 2006
Posts: 31

PostPosted: Tue Feb 09, 2010 9:49    Post subject: Reply with quote
yzy-oui-fi wrote:
For sure, Mono, you must read more and talk less...
Donny is not especialy one of my friends, but he is right. Main Page is the Index page of the Website. Forum is only a part of DD-WRT Site, there is also a Wiki, a bug repport section, and if you don't almost read the Main page how could you judge it.

You would like to have a mailing list, but if people don't read their mailbox you will have same issue....Some dummy will claim they never be noticed !

Anyway, mailing list could be a good idea, if you read it.


With all due respect, that is a poor attempt at censorship, an unproductive thought pattern. It seems very clear I am the teacher and you the student.

I'd love to "read more" which is exactly what I hoped for with a mailing list of security exploits! Why do you spend time to accomplish nothing? That makes no sense, you should remain silent if you are not writing or speaking to do some productive thing.

I have no interest, nor do most people to keep having to check back in at the website or babysit something instead of direct notification. Think about it, that would fill up entire days checking on all the things in your life just to find nothing until that one day something is uncovered.

I did not ask any one person to make a mailing list, so any one individual need not feel compelled to do it themselves but for some to argue against the message, it is simply madness.

I think we have wasted enough of each others' time. Have a nice day and goodbye... I have productive things to do now.
2disbetter
DD-WRT User


Joined: 26 Jan 2010
Posts: 55
Location: Florida

PostPosted: Tue Feb 09, 2010 10:25    Post subject: Reply with quote
ignorance is not an excuse.

You were not able to just install the dd-wrt firmware without reading any documentation. You had to analyze it, and do some realitively complicated things (compared to just using the stock firmware) to your router to flash the new firmware.

If you were able to do this, one would assume you'd also be able to keep tabs on your new firmware.

What you will notice, is that as soon as the bug was noticed it was fixed (with a set of firewall commands).

While your suggestion of a email notification system makes sense and could easily (I think) be implemented providing we have some folks willing to facilitate it.

Some folks have some short fuses around here, and it is partially understandable. But at the same time, with a beast such as dd-wrt you can't expect someone other than yourself to hold your hand with it.

I mean look at this forum, the wiki, the main page. I think this firmware is extremely well documented and taken care of. (all things considered)

2d

_________________
Asus RT-N16 - Kong 22000++
yzy-oui-fi
DD-WRT Guru


Joined: 03 Mar 2009
Posts: 2826
Location: France

PostPosted: Tue Feb 09, 2010 10:39    Post subject: Reply with quote
mono wrote:


With all due respect, that is a poor attempt at censorship, an unproductive thought pattern. It seems very clear I am the teacher and you the student.

With all due respect, everyone who almost read dd-wrt announcement is aware about this exploit since last summer.
But maybe the teacher was on another planet when it was noticed! Wink
Quote:


I'd love to "read more" which is exactly what I hoped for with a mailing list of security exploits! Why do you spend time to accomplish nothing? That makes no sense, you should remain silent if you are not writing or speaking to do some productive thing.

this typical from Redmond education "Openned mouth waiting for food to come in without doing anything
Quote:

I have no interest, nor do most people to keep having to check back in at the website or babysit something instead of direct notification. Think about it, that would fill up entire days checking on all the things in your life just to find nothing until that one day something is uncovered.

How much do you pay us to be your baby sitter? because i check with my bank ....no paiement from you! Sad
Quote:

I did not ask any one person to make a mailing list, so any one individual need not feel compelled to do it themselves but for some to argue against the message, it is simply madness.

We sometime argue against people who would like to have
every thing without giving a penny, and always claiming that we don't advice them....when it's written...just read it! it should be easy if you are the teacher! Wink
Quote:

I think we have wasted enough of each others' time. Have a nice day and goodbye... I have productive things to do now.

Yes for sure we waste time just because you don't read announcement, and claim because nobody read it for you!

So it seems that some student have more knowledge than some teacher!

last thing: Did you noticed where is the paypal donate link for dd-wrt project, because we need money to solve the problem of people who are not able to read more than 4 lines text!

_________________
DD-WRT WDS MESH + DASHBOARD (fr), DD-WRT network setting tool (tools.yzy-oui-fi.com), Wifi Business and IT guy After hours, My Blog, Free DD-WRT VPN Community(www.wrt-pptp-ww.com), DD-WRT pré-réglés pour réseau outdoor(hotspot.yzy-oui-fi.com), Nouveau Forum DD-WRT francophone
OB1
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 25

PostPosted: Tue Feb 09, 2010 15:49    Post subject: Reply with quote
yzy-oui-fi wrote:
OB1 wrote:
yzy-oui-fi wrote:

Anyway, mailing list could be a good idea, if you read it.


A better idea may be having some kind of built-in
mechanism into DD-WRT to check from time to time for
updates; fetch some kind of "update log" from site and then send an "administrative alert" about the
update (then btw there may be some "update priority"
info like "bugfix", "critical" and the like); that
way you won't need to setup a mailing list or play
with email addresses; the DD-WRT box will check for
updates by itself and notify the owner Smile


this what i've done with my special rebuild it could be update directly when release are available. but i don't put any level Wink


Understood, although my idea was somewhat simpler

The idea is to have some kind of scheduled job on the dd-wrt box
which, from time to time, will check for some file (e.g. using
HTTP or whatever - but even a DNS check like the one used for
ClamAV may fit quite well as long as, in case of available
updates or notices it will pick the "readme" file) and then,
in case there's whatever kind of update or notice, alert the
"owner" (admin, if you prefer)

I wasn't thinking about some "automatic update" mechanism (which
may even be a BAD idea since it may break things); more to an
"automatic alert" one and this one shouldn't be difficult to
setup and, for sure, won't break things Smile
OB1
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 25

PostPosted: Tue Feb 09, 2010 15:53    Post subject: Reply with quote
yzy-oui-fi wrote:

this typical from Redmond education "Openned mouth waiting for food to come in without doing anything


Hm... I may have something to say about that "Redmond education"; I'm not a "fundamentalist"
(whatever it means Wink) so I don't think that
everything coming from Redmond is bad as I don't
think everything coming from other places is good;
on the other hand, I don't think this "flame" (since
that's what it is) adds anything valuable to this
thread, so, please... stop it now

As for the "open mouth", the correct directions as
for the manual should be "open mouth, insert foot"

(no, the "t" isn't an error) Very Happy
Goto page Previous  1, 2, 3 ... , 13, 14, 15  Next Display posts from previous:    Page 14 of 15
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum