PSA: Broadcom Tomato Routers - Default Credential Bot Attack

dahosepipe
DD-WRT Novice


Joined: 24 Mar 2015
Posts: 26

PostPosted: Wed Jan 22, 2020 1:20    Post subject: PSA: Broadcom Tomato Routers - Default Credential Bot Attack
https://arstechnica.com/information-technology/2020/01/internet-routers-running-tomato-are-under-attack-by-notorious-crime-gang/

Quote:
Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found and remote administration has been turned on, the exploit then makes the routers part of a botnet that’s used in a host of online attacks, researchers said on Tuesday.


So, at least for my R7000s upon reset, using Kong and/or BS builds, the default credentials get pulled from the manufacturer-embedded password. Seems the Tomato guys are still using admin/admin. I guess we are ahead of the curve here? Thoughts?
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2613
Location: Indy

PostPosted: Wed Jan 22, 2020 1:46    Post subject: Re: PSA: Broadcom Tomato Routers - Default Credential Bot At
dahosepipe wrote:
So, at least for my R7000s upon reset, using Kong and/or BS builds, the default credentials get pulled from the manufacturer-embedded password. Seems the Tomato guys are still using admin/admin. I guess we are ahead of the curve here? Thoughts?
"Remote administration is turned off by default in Tomato and DD-WRT, so exploits require this setting to be changed."

One enables remote admin w/o changing the default password...?


This 'exploit' applies to ...any computer install w/ a non-unique default password. This seems like 1996 news. Wink

_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo #
x64 OPNsense 20.7.4|FT2020.6: EA6900v1.1@1GHz, F7D8302@532|DD 44758: DIR-810L, WNDR4500v2 & 4000@533,
R6300v1, RT-N66U@663, E1500@353, WRT54G{Lv1.1,Sv6}@250
|OpenWRT 19.7.3: RT-ACRH13, R6220, WNDR3700v4
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7443
Location: Texas, USA

PostPosted: Wed Jan 22, 2020 4:05
Your R7000, in default, after initial flash of DD or Tomato is at the same point, either way. Usually not vulnerable. You have to enable remote administration first. As far as wireless access to the router, first they have to crack the password. Not sure if all Tomato variants have it, but FT has this feature called "Random", and it's quite a lengthy password. It also has a feature to block access to the UI that actually works (DD does not; it's been broken for a while, apparently). Not to mention, I disable wireless access to telnet and ssh by default as well. Also, they have to get in via either the main network or via wireless here.
Not happening all that easily. They could probably hijack the main router before they got into anything else. And the derp derp derp award goes to...

_________________
Official Forum Rules, Guidelines, and Helpful Information • Firmware FAQ • Installation Wiki • Where Do I Download Firmware?
DON'T use Chromium-based browsers • RTFM/STFW - TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum.

---------------------------------------------------------

Linux User #377467 counter.li.org / linuxcounter.net
RageX
DD-WRT Novice


Joined: 01 Jan 2020
Posts: 36

PostPosted: Wed Jan 22, 2020 8:30
Wow, muhstik also specifically targets DD-WRT routers for a bruteforce exploit?

Please tell me that such an exploit requires remote access enabled...
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3957
Location: UK, London, just across the river..

PostPosted: Wed Jan 22, 2020 8:58
On reset, default telnet is off... you must log in the first time...
I guess the default will be root/admin, but before you set up your password telnet is disabled, so is WEB access, as well as any WAN access, as you have to set the WAN details manually...
As far as bruteforce, it's not a bad idea to implement 3 or 10 wrong attempts on the GUI... too...
I know recently it was implemented on the Wi-Fi side only...
There is a way with iptables but it's a hassle to install and set up... external full iptables...

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 44538 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 44715 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 44772 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 44849 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 44849 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7443
Location: Texas, USA

PostPosted: Wed Jan 22, 2020 15:24
In DD-WRT, blocking wireless access to the webUI, ssh, telnet, etc. has to be done manually via ebtables. Because the mechanisms that are s'posed to work DO NOT WORK on DD-WRT.

You can block wireless access to webUI on FreshTomato fine, but you have to add rules for ssh and telnet OR, disable telnet and switch to key-only authentication for ssh and disable password authentication. It's not that complicated.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3957
Location: UK, London, just across the river..

PostPosted: Wed Jan 22, 2020 15:35
Why use ebtables to block the WEB GUI, ssh, telnet and so on, when you can use iptables... either MAC- or IP-related rules??
As I said, default telnet and ssh on DD-WRT are blocked on reset... those services are not only blocked but not present at all...
Good call on the baked-in pass for Netgears on WiFi..
It would be good if BS implemented limit/try on the WEB GUI too.

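Added example (not code from the DD-WRT or FreshTomato projects): a firewall script of the kind that goes into DD-WRT's Administration > Commands > "Save Firewall", combining the two hardening ideas raised above, kernel-panic69's ebtables block on wireless access to the router's webUI/ssh/telnet ports and Alozaros's suggested cap on wrong attempts, done here as an iptables `recent` rate limit on new management connections per source IP. Interface names (br0 LAN bridge, eth1/eth2 radios on an R7000) and the presence of the multiport, state, recent and ebtables modules are assumptions.

```shell
#!/bin/sh
# Assumed names: br0 = LAN bridge, eth1/eth2 = wireless bridge ports on an
# R7000 running DD-WRT. Override via environment if your build differs.
LAN_BR="${LAN_BR:-br0}"
WIFI_IFS="${WIFI_IFS:-eth1 eth2}"
MGMT_PORTS="22,80,443"     # ssh, http, https served by the router itself

# Emit iptables rules: a source IP that opens $3 or more new management
# connections within $4 seconds has further attempts dropped, which caps
# credential guessing against the webUI and ssh. Only prints the rules.
gui_ratelimit_rules() {
    ifc=$1; ports=$2; hits=${3:-5}; secs=${4:-60}
    cat <<EOF
iptables -N mgmt_limit
iptables -A mgmt_limit -m recent --name mgmt --set
iptables -A mgmt_limit -m recent --name mgmt --update --seconds $secs --hitcount $hits -j DROP
iptables -A mgmt_limit -j RETURN
iptables -I INPUT -i $ifc -p tcp -m multiport --dports $ports -m state --state NEW -j mgmt_limit
EOF
}

# Emit ebtables rules that drop frames arriving on the wireless bridge ports
# and addressed to the router's own management ports; wired LAN clients on
# br0 are unaffected. Only prints the rules.
wifi_block_rules() {
    ifs=$1; ports=$2
    for i in $ifs; do
        for p in $ports; do
            echo "ebtables -A INPUT -i $i -p IPv4 --ip-proto tcp --ip-dport $p -j DROP"
        done
    done
}

# Install the rules, but only as root and only where the tools exist, so the
# script is inert when run on a workstation.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root on the router" >&2; return 1; }
    if command -v iptables >/dev/null 2>&1; then
        gui_ratelimit_rules "$LAN_BR" "$MGMT_PORTS" 5 60 | sh
    fi
    if command -v ebtables >/dev/null 2>&1; then
        wifi_block_rules "$WIFI_IFS" "$(echo "$MGMT_PORTS" | tr ',' ' ')" | sh
    fi
}
```

Call `apply_rules` from the firewall script slot; the two emitter functions can be run on any machine to review the exact rules before they are installed.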
All times are GMT