DD-WRT firmware could use more hardening!

Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Generic Questions
Goto page Previous  1, 2
Author Message
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..

PostPosted: Sat Oct 12, 2019 7:27    Post subject: Reply with quote
well it seems, there will be no prove of concept here....
as well, the link you posted, cannot open in my environment, there is something dodge with it..
or just the restricted GGL stuff who knows..i don't have a time for it know...

I don't know anything about trolling, but i know that you are doing whistle-blowing, without providing a back up prove...
sharing a link does not explain in details what you've found and have good will to share the knowledge with other either forum members or Devs...
Interesting you've spent more time to defend yourself from a ghost, that you created so successfully...
Next time when you decide to spend time typing plz do expose a DDWRT bug and how to fix it, instead of sharing a link..it will be more useful if ppl can see the trick in the forum not on GGL drive..
By the way I'm willing to learn and share the knowledge (so as many guys here
), im not afraid to say i'm stupid...

p.s. someone either lock this one or revised it and delete my posts or the ghost ride... Razz

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 55363 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55363 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Sponsor
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5650

PostPosted: Sat Oct 12, 2019 10:59    Post subject: Reply with quote
ironstaff wrote:
You clearly didn't read the article to realize that the IoT device they are referring to is a router, not some 'smart' home devices made by amateurs who think cybersecurity is a cool word engineers use.

A router is considered an IoT by some entities. They are not testing 'smart' devices. The IoT they are referring to is only routers specifically.

The problem is that even though you may have good intentions, or maybe even valid points here and there, by stating that IoT is referring only to routers gives me the impression you don't understand what IoT means. Did you read the conclusion to the article?

ironstaff wrote:
1. Major router firmwares are losing hardening coverage as time goes on.

It seems routers experience the same problems men do over time. But seriously, vendors only care about money. We all know this.

ironstaff wrote:
2. Synology's firmware binaries are in better shape than binaries from other vendors examined by the researchers.

Sure if you have a bunch of cheap poorly designed and/or untrusted easily exploitable devices that you absolutely must have on your network and you refuse to physically isolate them, you can rely on Synology to counter some of your configuration mistakes.

ironstaff wrote:
3. DD-wrt, while hardened with non-executable stacks, is still lacking stack guard protection, fortification, and address space layout randomization entirely.

Okay, provide your evidence and case scenario(s) instead of regurgitating keywords from an article you saw online with a new user account on a DD-WRT user forum with an alarmist title.

ironstaff wrote:
There's nothing to doubt. Even you can download the latest build from the beta suppository and test the binaries yourself: Your results will align with what they produced.



You are using a dataset spanning 15 years across multiple vendors, with a focus on two recent years, to show what?

How does this apply to today's build? What are your results?

This is a user self-support community forum (for Atheros hardware no less); take it to PM or email and maybe try not to insult everyone along the way with your condescension.
ironstaff
DD-WRT User


Joined: 11 Oct 2019
Posts: 157

PostPosted: Sat Oct 12, 2019 12:31    Post subject: Reply with quote
blkt wrote:
ironstaff wrote:
You clearly didn't read the article to realize that the IoT device they are referring to is a router, not some 'smart' home devices made by amateurs who think cybersecurity is a cool word engineers use.

A router is considered an IoT by some entities. They are not testing 'smart' devices. The IoT they are referring to is only routers specifically.

The problem is that even though you may have good intentions, or maybe even valid points here and there, by stating that IoT is referring only to routers gives me the impression you don't understand what IoT means. Did you read the conclusion to the article?

ironstaff wrote:
1. Major router firmwares are losing hardening coverage as time goes on.

It seems routers experience the same problems men do over time. But seriously, vendors only care about money. We all know this.

ironstaff wrote:
2. Synology's firmware binaries are in better shape than binaries from other vendors examined by the researchers.

Sure if you have a bunch of cheap poorly designed and/or untrusted easily exploitable devices that you absolutely must have on your network and you refuse to physically isolate them, you can rely on Synology to counter some of your configuration mistakes.

ironstaff wrote:
3. DD-wrt, while hardened with non-executable stacks, is still lacking stack guard protection, fortification, and address space layout randomization entirely.

Okay, provide your evidence and case scenario(s) instead of regurgitating keywords from an article you saw online with a new user account on a DD-WRT user forum with an alarmist title.

ironstaff wrote:
There's nothing to doubt. Even you can download the latest build from the beta suppository and test the binaries yourself: Your results will align with what they produced.



You are using a dataset spanning 15 years across multiple vendors, with a focus on two recent years, to show what?

How does this apply to today's build? What are your results?

This is a user self-support community forum (for Atheros hardware no less); take it to PM or email and maybe try not to insult everyone along the way with your condescension.


1. The real question is if YOU read the article. Read it again and focus on the mistake @Alozaros made in his first post in response to my first post. He thought they were talking about smart home IoT devices negative effects on router security (He completely missed what the article about since he was too aloof to read it). You seem confused too. Laughing Laughing

2. I agree with you.

3. Synology OS may be well-designed from a hardening perspective but I still don’t trust vendor firmware due to backdoors and telemetry shuttling/phoning home. I’d rather DD-WRT have those hardening features.


Quote:
Sure if you have a bunch of cheap poorly designed and/or untrusted easily exploitable devices that you absolutely must have on your network and you refuse to physically isolate them, you can rely on Synology to counter some of your configuration mistakes.


I also think you’re confused on Synology’s win or the point of the article here. It is ahead in terms of binary hardening i.e. ALSR, stack guards, Relro, non exec stacks. These are all to mitigate buffer overflow attacks on the router’s firmware (not to do what you stated). Please re-read the article.


4. Evidence is in link I provided and dataset. Are you confused? Shocked If you are, contact Cyber ITL for more info. They will respond to you.


5. Re-read the article and see what year dd-wrt was analyzed (2018), then I’m sure you’ll understand where my focus is and that you’re a bit confused here. If those features have been added to dd-wrt by now, show me. Mildly alluding to the fact that today’s build wasn’t analyzed is not proof that dd-wrt binary suddenly gained complete hardening by now.


6. I’ll leave it to you to decide who initiated the condescending statements and insults. Hint: Look at initial responses after my first post. Try not to be so biased. Laughing


Last edited by ironstaff on Sat Oct 12, 2019 12:59; edited 2 times in total
ACwifidude
DD-WRT User


Joined: 18 Mar 2019
Posts: 56

PostPosted: Sat Oct 12, 2019 12:50    Post subject: Reply with quote
If you can point out specific things to improve and drop a ticket for BS we would appreciate it:

https://svn.dd-wrt.com/

_________________
R7800 x 3 hnyman OpenWRT

Inactive: R6250 X 2 BS DD-WRT
ironstaff
DD-WRT User


Joined: 11 Oct 2019
Posts: 157

PostPosted: Sat Oct 12, 2019 12:57    Post subject: Reply with quote
ACwifidude wrote:
If you can point out specific things to improve and drop a ticket for BS we would appreciate it:

https://svn.dd-wrt.com/


Already did few days ago. Also emailed. Thank you.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..

PostPosted: Sat Oct 12, 2019 13:48    Post subject: Reply with quote
ironstaff m8 you keep shouting out loud...and still not a single,line of valuable information....you just came out of the blue, posting a link to an article where there are some statistics/results, tested in god knows what kind of environment...(very unclear)!!
Did they mention something specific, any examples test's....proves??? nope (very unclear)!?

Any specific code/binaries found with bugs...(yep i know they are many, especially buffer stack overflow based)... Most of the binaries are in constant development/patching.. and you tend not to use EOL stuff...Any patches you have in your stash bag???

Since 2018 there are so many updates around...
as the other forum members pointed out SVN line...
you can have a deep look there and if you find something suspicious and can contribute to the Development, plz do so, we are avidly waiting to improve security everyday : PRazz Razz ...
and yep i got confused about IoT , cause you are the first person in my entire life, that called routers IoT... this is a fact...!!!! (dot dot dot) Rolling Eyes


p.s. off topic recently there was a opkg update/upgrade ... Smile nice to see the new stuff there...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 55363 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55363 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1847
Location: Canada

PostPosted: Sat Oct 12, 2019 15:06    Post subject: Reply with quote
Any body who finds security issues with DD-WRT and to be CREDIBLE in their findings, they need to post the security issue and provide a FULL configuration/setup causing the security issue and make it repeatable for others to test.

Posting articles after articles is pointless and meaningless.

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r52330 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
ironstaff
DD-WRT User


Joined: 11 Oct 2019
Posts: 157

PostPosted: Sat Oct 12, 2019 15:59    Post subject: Reply with quote
mac913 wrote:
Any body who finds security issues with DD-WRT and to be CREDIBLE in their findings, they need to post the security issue and provide a FULL configuration/setup causing the security issue and make it repeatable for others to test.

Posting articles after articles is pointless and meaningless.


Flawed reasoning. Article has proof. Just because you choose to ignore it doesn’t mean it wasn’t carried out with results to show for it in a downloadable data-set.

Anyway, I’ve already emailed the dev and also let him know which compiler flags to change based on his tool chain to fix this. Up to him now since it’s his project. End of story.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..

PostPosted: Sun Oct 13, 2019 9:38    Post subject: Reply with quote
ironstaff wrote:
Anyway, I’ve already emailed the dev and also let him know which compiler flags to change based on his tool chain to fix this. Up to him now since it’s his project. End of story.


Thank's in advance !!

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 55363 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55363 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
ironstaff
DD-WRT User


Joined: 11 Oct 2019
Posts: 157

PostPosted: Wed Oct 16, 2019 1:22    Post subject: Reply with quote
Alozaros wrote:
ironstaff wrote:
Anyway, I’ve already emailed the dev and also let him know which compiler flags to change based on his tool chain to fix this. Up to him now since it’s his project. End of story.


Thank's in advance !!


Yes sir. Thank you!
Goto page Previous  1, 2 Display posts from previous:    Page 2 of 2
Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Generic Questions All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum