Backdoor firewall entries in Mega?

redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 10948
Location: Wherever the wind blows- North America

Posted: Mon Aug 18, 2008 18:06
While it is true that Brainslayer has some business ties to customers with the "custom" firmware, what you have downloaded is the "free" GPL code version. No one has forced you to install it on your router....nor has anyone required that you keep it on there. If you don't like the updated TNG version provided...either add firewall drop rules...or reload your unit with OEM firmware.

IMHO...it was an honest mistake that the code was left in....BrainSlayer responded to this original Thread within 2 minutes after I notified him of the problem....and this 2 minutes includes having the code fixed in the source....he then provided a follow up as to how to disable it.

The 10108 build in the TNG directory includes all SP1 code with approx. an additional 100 bug fixes. I see the trac is now up over 10144....so we will probably see another release shortly either another TNG or an SP2.

redhawk

_________________
I currently test dd-wrt on Asus, Buffalo, Linksys, and Netgear. Too many to list.

Looking for more test units (newer models) for the project...got a brick?...PM me to make a hardware donation. (USA) A donation is not a debricking service....it is a way to "Give back" to the dd-wrt project.

I do NOT provide personal assistance through chat or phone....so please don't ask.
dazono
DD-WRT Novice


Joined: 27 Jul 2008
Posts: 12

Posted: Mon Aug 18, 2008 20:01
redhawk0 wrote:
While it is true that Brainslayer has some business ties to customers with the "custom" firmware, what you have downloaded is the "free" GPL code version. No one has forced you to install it on your router....nor has anyone required that you keep it on there. If you don't like the updated TNG version provided...either add firewall drop rules...or reload your unit with OEM firmware.


This I can agree to, but it is still not my main point. It is the attitude to go out public and say "Hey, we've found something not good in our firmware, please be aware of it!" This has not happened! But, yes, I am seriously considering now to scrap dd-wrt just because of these issues. I really am.

redhawk0 wrote:
IMHO...it was an honest mistake that the code was left in....BrainSlayer responded to this original Thread within 2 minutes after I notified him of the problem....and this 2 minutes includes having the code fixed in the source....he then provided a follow up as to how to disable it.

The 10108 build in the TNG directory includes all SP1 code with approx. an additional 100 bug fixes. I see the trac is now up over 10144....so we will probably see another release shortly either another TNG or an SP2.


Fine, but where is the public notification? ... I cannot see it on the front page, there is no notification anywhere for people downloading "the latest version". It is ONLY in this forum. This can so easily be understood as hiding this security issue. Even at the download pages you STILL can download the "latest" version, which contains this security issue.

If it hadn't been for people who were awake, logging in via ssh (or telnet, for those who don't care about security at all) and checking iptables manually, this would not have been discovered this easily.

And it does not help that Brainslayer responded to this thread 2 minutes after it was reported in this thread. This thread was started July 31. I reported this issue in the DEVELOPER forum July 27, and another person raised this issue July 23, in the same forum. And I see no response here before one "DD-WRT User" points a link to this thread August 14. The thread started July 27 still has not received any attention at all from the developers, before I became aware of this thread ... if the developers are not interested in the developers forum, why do they have it?

To sum it up: this is not security focus at all. This is a way to neglect its users' concerns.

If it is Brainslayer's or somebody else's fault or not, I simply do not care. It is the core mentality regarding security issues which is completely wrong here. If Brainslayer or any other developer cannot keep attention to what's happening in the forums, it should at least be the moderators' task to make the developers aware of such threads.

But my faith and trust in dd-wrt has dropped incredibly much lately. It's a nice product, but I do not share its values when it comes to what gets priority. I have a Linux based router, because I am security concerned. And it's even one reason many recommend dd-wrt. I will not do that any more before I see that the dd-wrt crew/organisation/people take security issues for real. This was a small mistake. What would be the case if dd-wrt by accident gets a root kit into the busybox application? How would they handle this situation?

As a friend of mine said: "You see how big things can be handled through how they handle the small things. If you wonder if a restaurant is concerned about hygiene, check their bathroom and you will see how their kitchen might look like" ... unfortunately, he has a point.
Mibz
DD-WRT Novice


Joined: 02 Jul 2008
Posts: 35

Posted: Mon Aug 18, 2008 20:55
dazono, I just want you to know that I misunderstood the issue you had and I'm sorry for the previous post.

It does seem quite strange that a known gaping security hole wouldn't warrant a front page announcement and updated build being released.
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 6113
Location: Dresden, Germany

Posted: Mon Aug 18, 2008 21:41
there is no security hole. both ip's are not active anymore and obsolete since a long time.

just as an update, a better variant (reboot safe) to disable it

nvram set ral=" "
nvram commit


this will prevent the recover by default of this nvram variable on next reboot.

this value will be completely removed in next release, but do not force me to do now a hurry release with no check, just because of a firewall rule for a non existing ip

_________________
one cigarette costs 2 minutes of your life.
one bottle of beer costs 4 minutes of your life.
one working day costs 8 hours of your life.

DD-WRT supported Concerts @ Bunker Dresden
03.10.2014 - Front 242 / Haujobb / Planet Myer Day
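
The manual check mentioned earlier in the thread (reading the iptables listing) and the `ral` workaround in the post above can be combined into a small audit. This is an added example, not part of the thread and not DD-WRT code; the function names and the sample listing are constructed, and it assumes the plain `iptables -L -n` column layout.

```shell
#!/bin/sh
# Added example, not DD-WRT code. Addresses below are constructed (RFC 5737).

# Read `iptables -L -n` output on stdin and print the source address of every
# INPUT-chain ACCEPT rule that matches exactly one host.
pinned_input_accepts() {
    awk '
        /^Chain / { in_input = ($2 == "INPUT"); next }
        in_input && $1 == "ACCEPT" {
            src = $4
            if (src ~ /^!/) next            # negated match is not an allow-by-source
            sub(/\/32$/, "", src)           # some versions print hosts as a.b.c.d/32
            if (index(src, "/")) next       # network or 0.0.0.0/0, not one host
            if (src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print src
        }
    '
}

# Succeed when the given value of the ral nvram variable is empty or only
# whitespace, which is the state the workaround in the post leaves behind.
ral_is_blank() {
    [ -z "$(printf '%s' "$1" | tr -d ' \t\n')" ]
}

# Constructed sample listing: two host-pinned accepts on INPUT, one on FORWARD.
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  192.0.2.10           0.0.0.0/0
ACCEPT     0    --  198.51.100.7         0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:23
ACCEPT     0    --  192.168.1.0/24       0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  203.0.113.5          0.0.0.0/0'

# On a router (assumes the iptables and nvram tools of the firmware shell):
#   iptables -L -n | pinned_input_accepts
#   ral_is_blank "$(nvram get ral)" || echo "ral still holds entries"
printf '%s\n' "$SAMPLE_RULES" | pinned_input_accepts
```

Every address it prints is a rule to review by hand; a host on your own LAN that you allowed deliberately will show up as well.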
dazono
DD-WRT Novice


Joined: 27 Jul 2008
Posts: 12

Posted: Tue Aug 19, 2008 5:28
BrainSlayer wrote:
there is no security hole. both ip's are not active anymore and obsolete since a long time.


It is a security hole. Those IP addresses are known, and can therefore more easily be exposed by IP spoofing.

BrainSlayer wrote:

just as an update, a better variant (reboot safe) to disable it

nvram set ral=" "
nvram commit


this will prevent the recover by default of this nvram variable on next reboot.

this value will be completely removed in next release, but do not force me to do now a hurry release with no check, just because of a firewall rule for a non existing ip


Fine! But why is this not announced to those users unaware of it because they might not have logged in via ssh/telnet, who have not checked iptables manually? Why not tell that recently an issue was found and this is how you avoid it temporarily. I do not want a rushed release with poorer QA testing. I just want a security advisory!

An advisory before the software is being downloaded, with recommendations how to avoid the issue is in its place. And even better if there is an ETA for the next release (not pushing a release too much) would be good as well. This is how you build trust, not by not saying anything and let the storm just go on in the forums.

It took quite some time from the last v2.3 SP version until v2.4 came out. Such a delay is simply not tolerable.
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

Posted: Tue Aug 19, 2008 8:11
ze11er wrote:
soulstace wrote:
problem was already fixed by BrainSlayer.. use the latest TNG build compiled by Eko.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=36037

for the meantime use Eko's vpn build 10108. Take it or leave it...


Leave it. Untrusted stuff


Then by all means, leave. If you don't trust Eko's compilations, you might as well not trust anything else developed here.

Goodbye and good riddance.
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 6113
Location: Dresden, Germany

Posted: Tue Aug 19, 2008 12:01
dazono wrote:
BrainSlayer wrote:
there is no security hole. both ip's are not active anymore and obsolete since a long time.


It is a security hole. Those IP addresses are known, and can therefore more easily be exposed by IP spoofing.

BrainSlayer wrote:

just as an update, a better variant (reboot safe) to disable it

nvram set ral=" "
nvram commit


this will prevent the recover by default of this nvram variable on next reboot.

this value will be completely removed in next release, but do not force me to do now a hurry release with no check, just because of a firewall rule for a non existing ip


Fine! But why is this not announced to those users unaware of it because they might not have logged in via ssh/telnet, who have not checked iptables manually? Why not tell that recently an issue was found and this is how you avoid it temporarily. I do not want a rushed release with poorer QA testing. I just want a security advisory!

An advisory before the software is being downloaded, with recommendations how to avoid the issue is in its place. And even better if there is an ETA for the next release (not pushing a release too much) would be good as well. This is how you build trust, not by not saying anything and let the storm just go on in the forums.

It took quite some time from the last v2.3 SP version until v2.4 came out. Such a delay is simply not tolerable.


you miss that this issue was not even known at this time. it was just found here in this thread and i reviewed the source and found the mistake

vpnus3r
DD-WRT Novice


Joined: 15 Aug 2008
Posts: 14

Posted: Tue Aug 19, 2008 17:24
I didn't think bringing up the issue again would generate such a discussion :D

Although such things should be avoided as much as possible, I don't see this as being a hugely critical mistake; unless I read the rules wrong, without forward rules these rules are pretty much useless.

By the way, the reason they showed up in my nvram was they were left over from the previous install; I did not reset the router settings after installing the firmware.
dazono
DD-WRT Novice


Joined: 27 Jul 2008
Posts: 12

Posted: Tue Aug 19, 2008 22:30
soulstace wrote:
ze11er wrote:
soulstace wrote:
problem was already fixed by BrainSlayer.. use the latest TNG build compiled by Eko.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=36037

for the meantime use Eko's vpn build 10108. Take it or leave it...


Leave it. Untrusted stuff


Then by all means, leave. If you don't trust Eko's compilations, you might as well not trust anything else developed here.

Goodbye and good riddance.


And this is what I'll be doing after my holiday next week. dd-wrt router will be shut down before I go, and will only be used to download the next firmware. It seems like "security by obscurity" seems to be the mantra here. I do not accept that.

Farewell!
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 6113
Location: Dresden, Germany

Posted: Tue Aug 19, 2008 22:57
dazono wrote:
soulstace wrote:
ze11er wrote:
soulstace wrote:
problem was already fixed by BrainSlayer.. use the latest TNG build compiled by Eko.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=36037

for the meantime use Eko's vpn build 10108. Take it or leave it...


Leave it. Untrusted stuff


Then by all means, leave. If you don't trust Eko's compilations, you might as well not trust anything else developed here.

Goodbye and good riddance.


And this is what I'll be doing after my holiday next week. dd-wrt router will be shut down before I go, and will only be used to download the next firmware. It seems like "security by obscurity" seems to be the mantra here. I do not accept that.

Farewell!


it's up to you to change your firmware to anything you want. i'm really tired of such discussion. consider that i'm working now 4 years on this project as main developer and shit happens sometimes. i can just do my best to fix it. and i fixed it immediately in my sourcetree

i will lock this thread now. a new release is scheduled soon (within this or next week), but you cannot force me to release buggy code based on the current internal tree.

that's my last statement on this topic
