Backdoor firewall entries in Mega?

Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3, 4  Next
Author Message
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Fri Aug 15, 2008 20:26    Post subject: Reply with quote
problem was already fixed by BrainSlayer.. use the latest TNG build compiled by Eko.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=36037


Last edited by soulstace on Tue Aug 19, 2008 8:41; edited 1 time in total
Sponsor
ze11er
DD-WRT Novice


Joined: 15 Aug 2008
Posts: 9

PostPosted: Fri Aug 15, 2008 21:35    Post subject: Reply with quote
http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/shared/defaults.c?rev=1#L1170

3 years ago...
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Finland

PostPosted: Fri Aug 15, 2008 21:52    Post subject: Reply with quote
ze11er, what is your point exactly?

So the line seems to have been there from revision 1, do you think brainslayer have had possibility to read every single line there is?

Please explaing yourself or be done Smile
ze11er
DD-WRT Novice


Joined: 15 Aug 2008
Posts: 9

PostPosted: Sat Aug 16, 2008 10:15    Post subject: Reply with quote
olmari wrote:
ze11er, what is your point exactly?

So the line seems to have been there from revision 1, do you think brainslayer have had possibility to read every single line there is?

Please explaing yourself or be done Smile


He (main developer) must read the code. I think...
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Finland

PostPosted: Sat Aug 16, 2008 14:02    Post subject: Reply with quote
ze11er wrote:
He (main developer) must read the code. I think...


Why? Ofcourse main developer knows most throughoutly the code, but again main developers hasn't written all of the code and for specific occasions he can use code that is already done, why invent wheel again etc... That also means there CAN be stupidities like this, but open source means also that anyone CAN spot the problem and report or fix it himself...
ze11er
DD-WRT Novice


Joined: 15 Aug 2008
Posts: 9

PostPosted: Sat Aug 16, 2008 14:41    Post subject: Reply with quote
olmari wrote:
ze11er wrote:
He (main developer) must read the code. I think...


Why? Ofcourse main developer knows most throughoutly the code, but again main developers hasn't written all of the code and for specific occasions he can use code that is already done, why invent wheel again etc... That also means there CAN be stupidities like this, but open source means also that anyone CAN spot the problem and report or fix it himself...


First version (three years ago: http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/shared/defaults.c?rev=1 ) contains these IPs.
Last year, after "some refactoring for better editing and structuring" the "new" code contains IPs too, firewall.c (last lines in start_firewall() function) insert these rules -- since 04.18.2007 (rev. 6627).

Testing/customer-requested modifications could NOT include into the mainstream source, or must exactly comment, use specific ifdef statement, etc. And what kind of "customer" need an unremovable firewall rule?
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Finland

PostPosted: Sat Aug 16, 2008 14:54    Post subject: Reply with quote
How can we know that? And again, the god damn stuff is fixed, no point to shout endlessly about it now...
ze11er
DD-WRT Novice


Joined: 15 Aug 2008
Posts: 9

PostPosted: Sat Aug 16, 2008 16:00    Post subject: Reply with quote
olmari wrote:
How can we know that? And again, the god damn stuff is fixed, no point to shout endlessly about it now...


If the correct fix (start_firewall() and stop_firewall() in firewall.c, and -of course- defaults.c) will be in latest release (e.g. 24-sp2), then will be fixed, not before.
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Finland

PostPosted: Sat Aug 16, 2008 16:01    Post subject: Reply with quote
ze11er wrote:
olmari wrote:
How can we know that? And again, the god damn stuff is fixed, no point to shout endlessly about it now...


If the correct fix (start_firewall() and stop_firewall() in firewall.c, and -of course- defaults.c) will be in latest release (e.g. 24-sp2), then will be fixed, not before.


You can use "DD-WRT v24-sp1 (08/05/0Cool std - build 10108M TNG Eko" right now...
ze11er
DD-WRT Novice


Joined: 15 Aug 2008
Posts: 9

PostPosted: Sat Aug 16, 2008 22:49    Post subject: Reply with quote
olmari wrote:
ze11er wrote:
olmari wrote:
How can we know that? And again, the god damn stuff is fixed, no point to shout endlessly about it now...


If the correct fix (start_firewall() and stop_firewall() in firewall.c, and -of course- defaults.c) will be in latest release (e.g. 24-sp2), then will be fixed, not before.


You can use "DD-WRT v24-sp1 (08/05/0Cool std - build 10108M TNG Eko" right now...


The vpn build contains this backdoor.

In the release directory only the old, backdoor version found:
http://www.dd-wrt.com/dd-wrtv2/downloads/stable/dd-wrt.v24 SP1/Broadcom/Linksys/WRT54GL_1.1/

So... when will dd-wrt team release a new, fixed vpn-build?
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Sat Aug 16, 2008 22:56    Post subject: Reply with quote
for the mean time use Eko's vpn build 10108. Take it or leave it...
ze11er
DD-WRT Novice


Joined: 15 Aug 2008
Posts: 9

PostPosted: Sun Aug 17, 2008 9:46    Post subject: Reply with quote
soulstace wrote:
for the mean time use Eko's vpn build 10108. Take it or leave it...


Leave it. Untrusted stuff, current vpn _release_ have a backdoor. I'll take back after an correctly published security advisory.
dazono
DD-WRT Novice


Joined: 27 Jul 2008
Posts: 12

PostPosted: Sun Aug 17, 2008 9:58    Post subject: Reply with quote
+1

This is the right way to do it. Post a security advisory! I would expect the dd-wrt organisation should be this much professional.
Mibz
DD-WRT Novice


Joined: 02 Jul 2008
Posts: 35

PostPosted: Mon Aug 18, 2008 14:49    Post subject: Reply with quote
dazono wrote:
+1

This is the right way to do it. Post a security advisory! I would expect the dd-wrt organisation should be this much professional.
Organization? This is a community, not a company. Sure we can expect some level of professionalism out of the developers but I think you guys are taking this a little too seriously. If you don't want to use the TNG release then add a couple rules to your firewall dropping those IPs and be on your way.

Next you'll be asking for your money back.
dazono
DD-WRT Novice


Joined: 27 Jul 2008
Posts: 12

PostPosted: Mon Aug 18, 2008 17:54    Post subject: Reply with quote
Mibz wrote:
Organization? This is a community, not a company. Sure we can expect some level of professionalism out of the developers but I think you guys are taking this a little too seriously. If you don't want to use the TNG release then add a couple rules to your firewall dropping those IPs and be on your way.

Next you'll be asking for your money back.


http://www.dd-wrt.com/shop/catalog/product_info.php?cPath=22&products_id=31

I have problem to see that this is a pure community project. Another thing is that I've seen somebody here refer to customer specific adjustments in the code. I have never ever heard of a pure community project having both customers, customer specific adjustments nor a web shop where you also can buy the same or a similar version of the product.

How I see it, this is a combined project, with one part being community based and one part being commercial focused. Behind a commercial approach, it usually is an organisation of a kind. And the community work would most probably be implemented in the commercial version, and I would expect, with added quality control.

Anyway, I would never ask for money back when I haven't paid for it, so please save your sarcasm for better moments.
Goto page Previous  1, 2, 3, 4  Next Display posts from previous:    Page 3 of 4
Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum