Joined: 05 Dec 2009 Posts: 377 Location: Toronto, Canada
Posted: Tue Dec 28, 2010 1:27 Post subject: New DD-WRT vulnerability
A vulnerability discovered in DD-WRT can allow an attacker to determine the MAC addresses of the wireless interface(s) of a DD-WRT router, which can then be fed into Google Location Services which could pump out fairly accurate GPS coordinates.
Joined: 06 Jun 2006 Posts: 3763 Location: I'm the one on the plate.
Posted: Tue Dec 28, 2010 2:35 Post subject: Re: New DD-WRT vulnerability
got_milk wrote:
..the MAC addresses of the wireless interface(s) of a DD-WRT router, which can then be fed into Google Location Services which could pump out fairly accurate GPS coordinates.
Easy solution. Never register yer MAC address with Google Location Services and they will have no clue where the fuck you are at. _________________ http://69.175.13.131:8015 Streaming Week-End Disco. Station Ripper V 1.1 will do.
The rebinding exploit has been fixed in the default configuration for ~1/2 year. It appears that they were testing rebinding from within their own LAN (URL was http://rebind/) which is allowed to rebind. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
I'll be damned, I can see WAN address, WAN MAC, router IP, wireless MAC, clients' names. It's interesting that clients' MACs are not fully visible. And the info site is off.
So theoretically someone that can control my browser has access to some nice info :)
LE: It doesn't matter if you use HTTPS, you get the same leak.
Joined: 06 Jun 2006 Posts: 3763 Location: I'm the one on the plate.
Posted: Wed Dec 29, 2010 0:55 Post subject: Re: New DD-WRT vulnerability
whoisrich wrote:
Apologies if you are just being sarcastic, but the Google street view vans collect WiFi MAC addresses as they drive around.
I wasn't being sarcastic, and I did not realize that Google street view was mapping MAC addresses. Thanks for pointing it out. This issue is now a horse of a different color to my understanding. _________________ http://69.175.13.131:8015 Streaming Week-End Disco. Station Ripper V 1.1 will do.
Read and reread the link and even tried the Google location services http://samy.pl/mapxss/ but it turned up no meaningful results. However, should I be concerned about this?
[phuzi0n] removed for breaking the forum and being useless info anyways _________________ Aceex NR22 running DD-WRT v24-sp2 (03/19/12) std - build 18777 as WAP
Multiple BSSIDs
RT-N16 Tomato Firmware 1.28.0905 MIPSR2-065V K26 USB AIO as gateway
Samba
Media/DLNA Server
SNMP/odmon
Like I said rebinding has been blocked in the default configuration for many months, since r14838 07/19/2010 to be exact, and it appears that their demonstration of rebinding only worked because they were trying it from within their own LAN which is allowed to rebind. If you try to rebind from the WAN (upstream DNS server) using a recent build with default settings then it should fail.
Navigating to /Info.live.htm from within your LAN does not matter on its own, nor does rebinding from within your own LAN. It only matters if an external site can rebind which should not be possible with the current default configuration and the report does not give sufficient information whether this occurred.
If you enable HTTP or HTTPS remote access then you should configure the info page to require a password. IMO disabling the info page should be changed to require a password on /Info.live.htm or stop serving it altogether (unsure if other pages need it).
As always I recommend using SSH tunneling to access the router's GUI remotely instead of exposing the web server to the world. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
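To make concrete the distinction phuzi0n draws between a name the router answers itself for the LAN (like http://rebind/) and an answer that arrives from the upstream WAN resolver, here is an added example that models a rebind filter; it is illustrative code written for this thread, not DD-WRT or dnsmasq source, and the local records, exempt domain and addresses are constructed.

```python
"""Model of rebind protection: an answer from the upstream (WAN) resolver
that names LAN/loopback/link-local space is rejected outright, while names
the router serves locally are not filtered, which is why a LAN-side test
against http://rebind/ succeeds even when protection is on."""
import ipaddress

# Constructed: hostnames the router resolves itself for LAN clients.
LOCAL_RECORDS = {"rebind": "192.168.1.1", "nas": "192.168.1.20"}
# Constructed: a domain the admin deliberately exempted from the filter.
REBIND_OK_DOMAINS = {"corp.example"}

# Address space an upstream (WAN) answer has no business pointing at.
LAN_SPACE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this"
    "::1/128", "fc00::/7", "fe80::/10")]               # IPv6 equivalents


def is_rebind_target(addr):
    """True if addr lies in space reachable only from inside the LAN."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_SPACE)


def allowed_by_exemption(name):
    """Exact or subdomain match against the exempt domain list."""
    return any(name == d or name.endswith("." + d) for d in REBIND_OK_DOMAINS)


def resolve(name, upstream_answers):
    """Return (addresses, reason) for a client query.

    upstream_answers is what the WAN resolver returned for this name; it is
    only consulted when the router has no local record for the name.
    """
    key = name.rstrip(".").lower()
    if key in LOCAL_RECORDS:                     # LAN hostname: never filtered
        return [LOCAL_RECORDS[key]], "local"
    if allowed_by_exemption(key):                # admin opted this domain out
        return list(upstream_answers), "exempt"
    if any(is_rebind_target(a) for a in upstream_answers):
        return [], "rebind-blocked"              # whole reply rejected
    return list(upstream_answers), "upstream"
```

Running `resolve("rebind", [])` from the LAN succeeds, whereas an external name whose upstream answer flips to 192.168.1.1 is dropped, matching the "should fail from the WAN" expectation above.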
I use NoScript, so I highly doubt I would have that problem.
For the paranoid, maybe someone can write a script to randomize the MAC addresses at certain times? _________________ I want my router to perform well and look attractive. My best friend Tiffany Yep is a model and a digital communications engineer. Inspiration from nature?
I'll be damned, I can see WAN address, WAN MAC, router IP, wireless MAC, clients' names. It's interesting that clients' MACs are not fully visible. And the info site is off.
So theoretically someone that can control my browser has access to some nice info :)
LE: It doesn't matter if you use HTTPS, you get the same leak.
Same for me. I can see full MAC addresses even with "info site mac masking: enabled" on a DIR-600. I think there is some bug also. And for HTTP/HTTPS, it works too when you use https://192.168.1.1/Info.live.htm
LE: It doesn't matter if you use HTTPS, you get the same leak.
Then I guess it's just me, because I don't see anything on HTTP or HTTPS, just a blank white page.
If I set up HTTP for admin and use http live blabla I see the info; if I set up HTTPS and use https blabla I see the info. I'm using the Opera browser and the latest 15962. If the asterisks that block the LAN PC MAC would appear blocking the other info, it would be no problem.
It's a vulnerability even if the scenario of someone accessing that info depends on your overall settings. Maybe you're not using 192.168.1.1 for your router address.
Joined: 06 Jun 2006 Posts: 3763 Location: I'm the one on the plate.
Posted: Wed Dec 29, 2010 10:51 Post subject:
If you are visiting a nefarious website and allowing it to run scripts in your browser, the hackers are going to install a rootkit on yer computer. They don't give a goddamn what the MAC address of your router is. _________________ http://69.175.13.131:8015 Streaming Week-End Disco. Station Ripper V 1.1 will do.