DD-WRT firmware could use more hardening!

DD-WRT Forum Index -> Generic Questions. This topic is locked: you cannot edit posts or make replies.
ironstaff
DD-WRT User


Joined: 11 Oct 2019
Posts: 157

PostPosted: Fri Oct 11, 2019 4:44    Post subject: DD-WRT firmware could use more hardening!
Based on CITL short read:

https://cyber-itl.org/2019/08/26/iot-data-writeup.html

Per link, non-exec stack is nigh fully implemented across all binaries in the DD-WRT firmware package (perhaps even more so now). How nontrivial would it be to proliferate ASLR, stack guard, and RELRO hardening features across said binaries?

Depending on threat model, will such additions yield marginal or significant improvement to overall router security?

FYI: The researchers claim that OpenWrt, Synology OS and QNAP firmware developers do a better job of binary hardening based on their results.


Last edited by ironstaff on Sat Oct 12, 2019 16:34; edited 4 times in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..

PostPosted: Fri Oct 11, 2019 5:26    Post subject:
could you be more specific and elaborate what you meant,
posting that link and advertising this stupid article???
This article smells like fake news...generated from a script...
Where is the relation between DD-WRT and IoT...???

Personally I don't trust any IoT, so I, as many others do,
isolate them on a managed switch using a VLAN on my main router, so none of the IoT devices will communicate with the rest of the network, at all...
In fact IoT devices are problematic and a lot of crap comes out of them...so don't blame the router vendors in the first place...
All those findings are not proving compromised security at all....but if you have something valuable to say and can show us how you do it...please do so... !!!

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 55363 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55363 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5650

PostPosted: Fri Oct 11, 2019 11:19    Post subject:


Well, OP's username checks out.
ACwifidude
DD-WRT User


Joined: 18 Mar 2019
Posts: 56

PostPosted: Fri Oct 11, 2019 13:24    Post subject:
So it is not not hardened?
_________________
R7800 x 3 hnyman OpenWRT

Inactive: R6250 X 2 BS DD-WRT
ironstaff
DD-WRT User


Joined: 11 Oct 2019
Posts: 157

PostPosted: Fri Oct 11, 2019 18:54    Post subject:
@Alozaros

What, are you part of the Trump administration and sinking to calling anything you can't agree with fake news, or are you too confused to read the article in its entirety? You clearly didn't read the article, or you'd realize that the IoT device they are referring to is a router, not some 'smart' home device made by amateurs who think cybersecurity is a cool word engineers use.


A router is considered an IoT device by some entities. They are not testing 'smart' devices. The IoT they are referring to is only routers specifically. Regardless of the terminology they use, you should actually read the article and see that they examined the binaries for router firmware and came out with some interesting conclusions:

1. Major router firmwares are losing hardening coverage as time goes on.

2. Synology's firmware binaries are in better shape than binaries from other vendors examined by the researchers.

3. DD-wrt, while hardened with non-executable stacks, is still lacking stack guard protection, fortification, and address space layout randomization entirely.

There's nothing to doubt. Even you can download the latest build from the beta repository and test the binaries yourself: your results will align with what they produced.

While I feel that binary hardening, which has been present in conventional x86 Linux distros for over a decade, is important, I'm not saying that it is the only measure of security out there. Hardening provides a way to minimize damage if someone manages to penetrate the edge router's stateful firewall defenses, so it is still useful and is worth looking into by DD-WRT devs since many people (myself included) will benefit.


Last edited by ironstaff on Fri Oct 11, 2019 23:11; edited 1 time in total
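What "test the binaries yourself" means in practice, as an added worked example (this is not code from the post, from DD-WRT or from the CITL write-up): a small checksec-style scanner that reads the ELF program headers and dynamic section and reports the five properties the thread argues about. It handles 32- and 64-bit images in either byte order, since router binaries are commonly big-endian MIPS. The `build_elf` helper and the symbol names it embeds are constructed sample input, not real firmware, and the script name `elfcheck.py` in the usage note is assumed.

```python
import struct

ET_DYN = 3
PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def parse_elf(data):
    """Return (is64, endian prefix, e_type, [(type, flags, offset, vaddr, filesz, memsz)])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, E = data[4] == 2, ("<" if data[5] == 1 else ">")  # EI_CLASS, EI_DATA
    (e_type,) = struct.unpack_from(E + "H", data, 16)
    (e_phoff,) = struct.unpack_from(E + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    e_phentsize, e_phnum = struct.unpack_from(E + "HH", data, 54 if is64 else 42)
    phdrs = []
    for i in range(e_phnum):
        at = e_phoff + i * e_phentsize
        if is64:  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            t, f, off, va, _, fsz, msz, _ = struct.unpack_from(E + "IIQQQQQQ", data, at)
        else:     # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            t, off, va, _, fsz, msz, f, _ = struct.unpack_from(E + "IIIIIIII", data, at)
        phdrs.append((t, f, off, va, fsz, msz))
    return is64, E, e_type, phdrs


def vaddr_to_offset(phdrs, va):
    # Translate a virtual address to a file offset through the PT_LOAD segments.
    for t, _, off, seg_va, fsz, _ in phdrs:
        if t == PT_LOAD and seg_va <= va < seg_va + fsz:
            return va - seg_va + off
    return None


def dynamic_tags(data, is64, E, phdrs):
    # Read PT_DYNAMIC into {tag: value}; the first occurrence of a tag wins.
    tags, (fmt, size) = {}, ((E + "qQ", 16) if is64 else (E + "iI", 8))
    for t, _, off, _, fsz, _ in phdrs:
        if t == PT_DYNAMIC:
            for pos in range(off, off + fsz, size):
                tag, val = struct.unpack_from(fmt, data, pos)
                if tag == DT_NULL:
                    break
                tags.setdefault(tag, val)
    return tags


def checksec(data):
    """NX / PIE / RELRO / stack-canary / FORTIFY markers for one ELF image."""
    is64, E, e_type, phdrs = parse_elf(data)
    by_type = {p[0]: p for p in phdrs}
    tags = dynamic_tags(data, is64, E, phdrs)
    # Canary and FORTIFY are inferred from imported names in .dynstr: a static binary
    # shows False for both, and libc itself shows True because it exports the symbol.
    names = set()
    off = vaddr_to_offset(phdrs, tags.get(DT_STRTAB, -1))
    if off is not None:
        raw = data[off:off + tags.get(DT_STRSZ, 0)]
        names = {s.decode("latin-1") for s in raw.split(b"\0") if s}
    stack = by_type.get(PT_GNU_STACK)
    bind_now = bool(DT_BIND_NOW in tags or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = "none" if PT_GNU_RELRO not in by_type else ("full" if bind_now else "partial")
    return {
        "nx": stack is not None and not stack[1] & PF_X,  # no PT_GNU_STACK => exec stack
        "pie": e_type == ET_DYN,  # shared objects are ET_DYN too; judge executables only
        "relro": relro,
        "canary": "__stack_chk_fail" in names,
        "fortify": any(n.endswith("_chk") and n != "__stack_chk_fail" for n in names),
    }


def build_elf(is64=True, little=True, pie=True, nx=True, relro=True, bind_now=True,
              syms=("libc.so.0", "__stack_chk_fail", "__memcpy_chk")):
    """Constructed sample input: a code-less ELF carrying the requested hardening markers."""
    E, A = ("<" if little else ">"), ("Q" if is64 else "I")
    ehsize, phentsize, dynsize = (64, 56, 16) if is64 else (52, 32, 8)
    dynstr = b"\0" + b"\0".join(s.encode() for s in syms) + b"\0"
    nph = 4 if relro else 3
    str_off = ehsize + nph * phentsize
    dyn_off = str_off + len(dynstr)
    dyn = [(DT_STRTAB, str_off), (DT_STRSZ, len(dynstr))]
    if bind_now:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    dyn.append((DT_NULL, 0))
    total = dyn_off + len(dyn) * dynsize

    def ph(t, flags, off, size):  # one PT_LOAD at base 0, so vaddr == file offset
        if is64:
            return struct.pack(E + "IIQQQQQQ", t, flags, off, off, off, size, size, 8)
        return struct.pack(E + "IIIIIIII", t, off, off, off, size, size, flags, 4)

    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1 if little else 2, 1]) + b"\0" * 9
    ehdr = ident + struct.pack(E + "HHI" + A * 3 + "IHHHHHH", ET_DYN if pie else 2, 0, 1,
                               0, ehsize, 0, 0, ehsize, phentsize, nph, 0, 0, 0)
    phdrs = ph(PT_LOAD, 5, 0, total) + ph(PT_DYNAMIC, 6, dyn_off, total - dyn_off)
    phdrs += ph(PT_GNU_STACK, 6 if nx else 7, 0, 0)  # RW versus RWX stack
    if relro:
        phdrs += ph(PT_GNU_RELRO, 4, dyn_off, total - dyn_off)
    dynamic = b"".join(struct.pack(E + ("qQ" if is64 else "iI"), t, v) for t, v in dyn)
    return ehdr + phdrs + dynstr + dynamic
```

Feed `checksec` the bytes of every file under an unpacked rootfs (for instance `python3 elfcheck.py` looping over `squashfs-root/bin/*`, skipping files that raise on the magic check) and tally the dictionaries per field; that tally is essentially the coverage figure CITL reports. Two caveats the comments flag: canary and FORTIFY are inferred from imported names in .dynstr, so static binaries and libc itself need a symbol-table check instead, and PIE only buys ASLR when the kernel has kernel.randomize_va_space set to 2. The GCC/ld switches that flip each field, for anyone maintaining the toolchain, are -fstack-protector-strong (canary), -D_FORTIFY_SOURCE=2 with -O1 or higher (fortify), -fPIE -pie (pie), -Wl,-z,relro,-z,now (full RELRO) and -Wl,-z,noexecstack (nx).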
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..

PostPosted: Fri Oct 11, 2019 20:21    Post subject:
now young jedi, you have to admit, you are stepping into deep waters...if we accept your claim and this article's claim, then you have to show us real proof...
Tell us which binaries exactly are not hardened, and show us a proof of concept...otherwise, it's just another fart in the wind...!!!
Well...binaries are used everywhere, and some companies are ready to pay big bounties for a zero day, and that's why devs are updating the shit constantly...and it's not an easy thing to do.....then point us to a single router vendor that has any better firmware...than any 3rd party firmware on the market...
if you have internet paranoia I feel sry 4 you, but sadly in that state you can't get any sleep...

tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

PostPosted: Fri Oct 11, 2019 21:35    Post subject:
the only way to get the best internet security is to unplug the modem
_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r55416 std
[QUALCOMM] DIR-862L --------------------------------> r55416 std
▲ ACTIVE / INACTIVE ▼
[QUALCOMM] WNDR4300 v1 --------------------------> r50485 std
[BROADCOM] DIR-860L A1 ----------------------------> r50485 std


Sigh.. why do i exist anyway.. | I love you Anthony.. never forget that.. my other 99% that ill never see again..

mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1847
Location: Canada

PostPosted: Fri Oct 11, 2019 21:41    Post subject:
If you have a DD-WRT router with a strong password and disable options that are a security issue like UPnP, how is DD-WRT less secure?

Look at OEM and ISP routers with backdoor access. DD-WRT does not have that. I see BrainSlayer constantly updating kernels and fixing any security holes.

Because users on the LAN side may have devices with security issues, I go further and have an ADMIN VLAN that has access to the router's configuration web page, telnet & ssh; all other VLANs that users connect to do not have access.

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r52330 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
ironstaff
DD-WRT User


Joined: 11 Oct 2019
Posts: 157

PostPosted: Fri Oct 11, 2019 23:09    Post subject:
@Alozaros

Being in the cybersecurity industry, I’ll be the first to admit that you're right about zero-days. I’ll also admit that there is no better router firmware than DD-WRT. If there was, I wouldn’t bother to use it on my router fleet.

BrainSlayer is so far ahead of the curve in keeping up with patches and version increments compared to manufacturer firmwares, that it’s not even a competition anymore.

However, there is a difference between exploiting zero-days, which take advantage of bugs in software, vs exploiting a lack of hardening. Hardening helps if someone were to execute commands to wreak havoc once they gain LAN entry. ASLR, for example, randomizes runtime code so there is no way to rearrange existing code to carry out a malicious function.


Again, if you were not too busy writing before reading, you would notice that the researchers included proof and raw data. Since you don't seem too adept at parsing through articles effectively, I implore you to revisit the article (go to "The Data" section) or download the 'proof' data at this link by the researchers (~372 MB):

https://drive.google.com/file/d/1aThJ_OZXB_TX4TyiL_2WRzQmyMMETAt7/view

It’s very important to examine what you're arguing about before typing. If not, you end up looking unintelligent.

By the way, there is no claim for you to accept since you are merely a forum member. You are not a developer of the firmware in question so your stance on it is amusing but ultimately useless.



@mac913

1. You're right that disabling those options is a huge boost to security; but not everyone can disable UPnP, telnet (WAN-facing), ssh (WAN-facing), for example, if they're actively using them in an enterprise environment with high volume utilization.

2. I agree that the port 32764 vulnerability on vendor firmware is a disaster and is basically a huge backdoor for surveillance agencies at the behest of surveillance agencies.

There is no need for you to vehemently defend DD-WRT, as that is all I install on all routers I personally use and deploy. While DD-WRT is clearly better in the security and features department than anything else I have used in both personal and enterprise environments, I think it's perfectly fine to still consider striving for even higher benchmarks for security.

Just because router manufacturers are not even trying and DD-WRT is so far ahead doesn't mean that the dev (BrainSlayer) can't consider further hardening. After all, isn't it the mindset of constant improvement that made DD-WRT so far ahead in the security and updates departments in the first place?

I'm never going to use Cisco, Netgear, ASUS, D-Link etc. firmware when I can use DD-WRT, which actually stays ahead on patches/updates, uses TLS 1.3 for https web management access, etc.

By the way, logical isolation aka VLAN is easily bypassed these days. Just thought you should know. Read more about the bypass here:

https://www.eweek.com/security/eap-tls-detailed-as-wifi-security-best-practice-at-sector

The password method is great as long as there are WAN/LAN-facing rate limits (including firmware-enforced rate limits built into DD-WRT) and your password is up to the 63-character password limit that DD-WRT enforces on the web management GUI. Same goes for your WiFi. If you can't use WPA3 due to client device driver limitations, far exceed 24 complex characters to make your 4-way handshake vulnerability extract useless against Amazon EC2 computations and rainbow tables.
rickmav3
DD-WRT User


Joined: 08 Sep 2014
Posts: 145

PostPosted: Sat Oct 12, 2019 1:09    Post subject: Re: DD-WRT firmware could use more hardening!
ironstaff wrote:
Based on CITL short read:

https://cyber-itl.org/2019/08/26/iot-data-writeup.html



…Also Win10 is the most secure OS with the highest code writing practices but least complexity (only its updates wreak havoc on millions of computers, having MS in total control), and the Edge browser has a perfect 100 score on safety features…

It kinda smells.

If you fathom yourself running your devices perfectly secure on consumer hardware and software, even 3rd party developed, you're in for one of the biggest surprises of your existence.
ironstaff
DD-WRT User


Joined: 11 Oct 2019
Posts: 157

PostPosted: Sat Oct 12, 2019 1:39    Post subject:
@rickmav3

Your statement is flawed since you use the words "most secure". The article scored each OS based on the following criteria:

1. Safety features: Windows won
2. Code Hygiene: Windows won
3. Code Complexity: Linux won (very important)
4. Security Aids: Linux won by default

With each criterion weighted as they saw fit, i.e. not "most secure".

Code complexity and source code size are extremely important for security, since fewer lines of code reduce attack surface and mean fewer bugs resulting from poor coding and deprecated/risky function use. The researchers rate/review sources/binaries, not security. Although there is a correlation between the two, security is also impacted by user base (the Windows user base is much higher, so zero-days are plentiful and much sought after by both vulnerability brokers and buyers), supported applications, linked APIs, and level of continued support for legacy/insecure add-ons (compatibility reasons) etc.


Maybe you should read the article properly before replying again, lest you look as confused and rudimentary as @Alozaros


Surely, not everyone in here is as impulsive as these two...


Besides, Windows is such a cesspool of sloppily written third party applications and bad user account privileges that the excellence of the underlying code doesn't help much. Plus, it greatly helps that Linux is mostly used by pros who know how to configure the system to be much harder to compromise compared to out of the box configurations. It also helps to remember that Ubuntu is a Linux newbie OS. I'd be more interested in seeing how hardened distros like Qubes and Tails are rated.

Regardless of how you feel about it, their data on router firmware binary hardening evaluation is not wrong. The questions are:

1. How trivial is it to implement these features in DD-WRT? Cost/benefit
2. How much benefit would it bring to the overall security of DD-WRT based on past attack patterns and vectors?

Only the dev can answer those two questions with a high degree of accuracy.
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

PostPosted: Sat Oct 12, 2019 2:22    Post subject:
ironstaff wrote:
Only the dev can answer those two questions with a high degree of accuracy.


email and ask him then?


ironstaff
DD-WRT User


Joined: 11 Oct 2019
Posts: 157

PostPosted: Sat Oct 12, 2019 2:26    Post subject:
tatsuya46 wrote:
ironstaff wrote:
Only the dev can answer those two questions with a high degree of accuracy.


email and ask him then?


Already did. Thank you.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6388
Location: UK, London, just across the river..

PostPosted: Sat Oct 12, 2019 5:29    Post subject:
well, ironstaff, been in this sector for many years...to start such a thread you must have backup, otherwise to use an unproven article and fishing links, plz click here'n read it all...smells fishy...
If you have an idea how to harden something plz share...if you are aware of security holes plz do it too.

I'll not mention how to get into Win 10 with tons of open stuff by default and the effort to harden it that lasts hours...I'll not explain to you how to do VLAN hopping as I'm not the one to use it that often...
There are tons of articles on how to crack WPA2 and even WPA3 nowadays...
There are tons of not that useful hacking courses, as well as proper forums,
on how to do nasty stuff even for free...but if you give LAN access to a wrong guy
in a not limited environment, then you are screwed...in fact there is no impenetrable
network...otherwise NASA would've used DDWRT
at the end there is nothing secure regarding the internet, just pull tha'cable and don't use WIN 10 !!!

p.s. to me unintelligent sounds like whistle-blowing without backup...
if you have something in your stash, now it's the time to show it ...
those articles are just a fart in the wind...we need the code man, show us the trick...

ironstaff
DD-WRT User


Joined: 11 Oct 2019
Posts: 157

PostPosted: Sat Oct 12, 2019 6:20    Post subject:
Alozaros wrote:
well, ironstaff, been in this sector for many years...to start such a thread you must have backup, otherwise to use an unproven article and fishing links, plz click here'n read it all...smells fishy...
If you have an idea how to harden something plz share...if you are aware of security holes plz do it too.

I'll not mention how to get into Win 10 with tons of open stuff by default and the effort to harden it that lasts hours...I'll not explain to you how to do VLAN hopping as I'm not the one to use it that often...
There are tons of articles on how to crack WPA2 and even WPA3 nowadays...
There are tons of not that useful hacking courses, as well as proper forums,
on how to do nasty stuff even for free...but if you give LAN access to a wrong guy
in a not limited environment, then you are screwed...in fact there is no impenetrable
network...otherwise NASA would've used DDWRT
at the end there is nothing secure regarding the internet, just pull tha'cable and don't use WIN 10 !!!

p.s. to me unintelligent sounds like whistle-blowing without backup...
if you have something in your stash, now it's the time to show it ...
those articles are just a fart in the wind...we need the code man, show us the trick...


@Alozaros

What sector have you been in for years? Forum trolling? I can tell.

You can explain how to VLAN hop to yourself. Everyone here should know how to already, as that information is freely available online along with instructions for Kali Linux. Dragonblood vulnerability instructions and files are also available online, as the researchers who conducted it posted them along with mitigation steps to be implemented by the Wi-Fi Alliance.


WPA2 cracking is even done by young teens these days. Following a researcher's instructions on how to execute a vulnerability is trivial and requires no cybersecurity experience. You can even get on YouTube right now to learn how to crack your neighbor's WiFi (WPA2 or WEP) in less than 5 mins using EC2 time and rainbow tables. It's all easy when someone else did the hard work of discovering and exploiting sloppy coding.


No need to mention how to get into Win10. Everybody and their mother already knows how. It's a holey bucket and has been exploited like an old rag for years.


I've already shared a link to the 'proof', so if you're still too dim to understand my prior posts or download the data as proof, then there is no further need to respond to you. For anyone else who is intelligent enough to read/understand the simple article and download the associated datasets and proof, do so.


The DD-WRT dev should look into this and decide for himself. I'm hoping he's smarter than these professional forum posters on here, with years of experience posting on the DD-WRT forum as the stalwart of their resumé, so I'm sure he'll come to the best decision that suits his project and time.

To the dev of DD-WRT, if you ever read this: not sure what toolchains you're using or if your object file format supports NX. If it does, it should be as simple as setting a compiler flag for NX enabled (I'm sure it's not that trivial for your compiler or it would have already been done). It's all to prevent buffer overflows anyway, so it's up to you.