Backdoor firewall entries in Mega?

marvin
DD-WRT Novice


Joined: 02 Aug 2008
Posts: 2

Posted: Sun Aug 03, 2008 13:25
Except that both IPs have full IP access to the router and all running services which bind to 0.0.0.0.

"rather harmless" is one point of view, but not mine. :D
nemesisdb
DD-WRT User


Joined: 10 Oct 2006
Posts: 197

Posted: Sun Aug 03, 2008 15:45
Is there a VPN build that fixes this yet?
ABeakyboy
DD-WRT Novice


Joined: 03 Aug 2008
Posts: 2

Posted: Sun Aug 03, 2008 21:40
I too am a little concerned about this. Unsetting the value using the

# nvram unset ral
# nvram commit

commands does not seem to work. Upon reboot, the command

# nvram get ral

still returns the following:
212.65.2.116 194.231.229.20


Something must be re-setting the value upon bootup...that's all I can think of.


Of course, I'm sure this is not intentional, but it still should be corrected.
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Finland

Posted: Sun Aug 03, 2008 22:16
Actually fixed already in the code...

See changesets 10071 and 10072

From now on, this "ral" stuff is only there if "GGEW" is used, whatever any of those mean...

ADD: BTW it seems brainslayer already said too that he fixed this on the first page of this thread =)
ABeakyboy
DD-WRT Novice


Joined: 03 Aug 2008
Posts: 2

Posted: Sun Aug 03, 2008 22:48
Many thanks for the info.


Now, is there a way of fixing this in the meantime until the next release? Other than the cron method? I'm not too familiar with this, but my limited understanding tells me that the filesystem is read only, so I can't simply modify a startup script, or something like that. Unless, perhaps, I created a startup script on jffs?

If not, it's not a big deal. I just like to be sure I have minimized any attack vectors.
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

Posted: Sun Aug 03, 2008 22:58
ABeakyboy wrote:

Now, is there a way of fixing this in the meantime until the next release? Other than the cron method?


Try my solution on page 1.

Save those iptables rules as firewall script (Administration -> Commands).
SEA
DD-WRT Novice


Joined: 22 Sep 2007
Posts: 20

Posted: Mon Aug 04, 2008 16:08
Or, you can always remove a rule from the iptables INPUT chain by rule number from a terminal session.
Assuming that both those lines always appear at the top of the list (check with iptables -L -n), enter:

iptables -D INPUT 1

Do it twice to remove one line at a time.

I would not put these commands in a script because there is no guarantee that they would always appear in first place in the INPUT chain (or would they?).
So you'll have to do it manually after each reboot.
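
An alternative to deleting by position, as an added example that is not part of the post above or of DD-WRT's own code: the function below picks out ACCEPT rules in the INPUT chain by source address, using the two addresses `nvram get ral` returned earlier in the thread, and lists their numbers highest first so that each deletion leaves the remaining numbers valid. The function names, the `--apply` switch and the sample listing are constructed for illustration; it assumes the rules are ACCEPT rules and that the router's iptables supports `--line-numbers`.

```shell
#!/bin/sh
# Added example: locate the "ral" rules by source address, not by position.

# Addresses returned by `nvram get ral` earlier in this thread.
RAL_IPS="212.65.2.116 194.231.229.20"

# Constructed sample of `iptables -L INPUT -n --line-numbers` output.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     0    --  212.65.2.116         0.0.0.0/0
2    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     0    --  194.231.229.20       0.0.0.0/0
4    DROP       0    --  212.65.2.116         0.0.0.0/0'

# Read a listing on stdin; print the numbers of ACCEPT rules whose source is
# one of the addresses in $1, highest number first.
ral_rule_numbers() {
    ips=$1
    nums=""
    while read -r num target prot opt src rest; do
        case $num in
            ''|*[!0-9]*) continue ;;          # "Chain ..." and column header
        esac
        [ "$target" = "ACCEPT" ] || continue  # leave your own DROP rules alone
        for ip in $ips; do
            if [ "$src" = "$ip" ]; then
                nums="$num $nums"             # prepend => descending order
            fi
        done
    done
    echo $nums
}

# Delete the matching rules from the live INPUT chain (needs root).
remove_ral_rules() {
    for n in $(iptables -L INPUT -n --line-numbers | ral_rule_numbers "$RAL_IPS"); do
        iptables -D INPUT "$n"
    done
}

if [ "${1:-}" = "--apply" ]; then
    remove_ral_rules
else
    # Dry run on the constructed sample: prints the rule numbers it would delete.
    printf '%s\n' "$SAMPLE_LISTING" | ral_rule_numbers "$RAL_IPS"
fi
```

Run without arguments it only reports what it would delete from the sample listing; with `--apply` it deletes the matching rules from the live chain.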
Eko
DD-WRT Developer/Maintainer


Joined: 07 Jun 2006
Posts: 5771

Posted: Mon Aug 04, 2008 16:31
10086 is building now....
vpnus3r
DD-WRT Novice


Joined: 15 Aug 2008
Posts: 14

Posted: Fri Aug 15, 2008 18:55    Post subject: Where can I download a build that doesn't have this?
DD-WRT v24-sp1 (07/27/08) vpn - build 10011 and I see these rules. This is the only version that I see available under the download.

Also the dev team needs to do a better job at versioning code, this should not be included in production and assuming stable releases.
ze11er
DD-WRT Novice


Joined: 15 Aug 2008
Posts: 9

Posted: Fri Aug 15, 2008 18:57
olmari wrote:
Actually fixed already in the code...

See changesets 10071 and 10072

From now on, this "ral" stuff is only there if "GGEW" is used, whatever any of those mean...

ADD: BTW it seems brainslayer already said too that he fixed this on the first page of this thread =)


Um... brainslayer checked in this stuff more than a year ago (04/18/2007 05:45:25 AM, revision: 6627, Log message: some refactoring for better editing and structuring) -- with these hardcoded IPs...
http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/services/sysinit/defaults.c?rev=6627#L1750
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Finland

Posted: Fri Aug 15, 2008 19:19
ze11er wrote:
Um... brainslayer checked in this stuff more than a year ago (04/18/2007 05:45:25 AM, revision: 6627, Log message: some refactoring for better editing and structuring) -- with these hardcoded IPs...
http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/services/sysinit/defaults.c?rev=6627#L1750


Just READ what brainslayer said on the first page... http://www.dd-wrt.com/phpBB2/viewtopic.php?p=197466#197466

"even i see no reason for this. these ip addresses arent valid anymore. it seems that chris implemented this for a customer. i removed it now"
ze11er
DD-WRT Novice


Joined: 15 Aug 2008
Posts: 9

Posted: Fri Aug 15, 2008 19:29
olmari wrote:
ze11er wrote:
Um... brainslayer checked in this stuff more than a year ago (04/18/2007 05:45:25 AM, revision: 6627, Log message: some refactoring for better editing and structuring) -- with these hardcoded IPs...
http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/services/sysinit/defaults.c?rev=6627#L1750


Just READ what brainslayer said on the first page... http://www.dd-wrt.com/phpBB2/viewtopic.php?p=197466#197466

"even i see no reason for this. these ip addresses arent valid anymore. it seems that chris implemented this for a customer. i removed it now"


Of course, Chris implemented :) but brainslayer checked in... -- more than a year ago... Non-removable rule for a customer...


Last edited by ze11er on Fri Aug 15, 2008 20:01; edited 1 time in total
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Finland

Posted: Fri Aug 15, 2008 19:36
We can't know who did what back then and with whose credentials... All the same it is taken off already, so what's the fuzz anymore?
vpnus3r
DD-WRT Novice


Joined: 15 Aug 2008
Posts: 14

Posted: Fri Aug 15, 2008 19:43
olmari wrote:
We can't know who did what back then and with whose credentials... All the same it is taken off already, so what's the fuzz anymore?


The fuzz is because this is in the v24-sp1 (07/27/08) vpn build on the website, I just flashed with it and I saw the rules.

Unless they were left over in the nvram from a previous build I had installed.

I'll save the current settings and I'll re-set the router to see if they show up again. I had the v24 vpn build before, could have been I didn't notice them, but I doubt it.
ze11er
DD-WRT Novice


Joined: 15 Aug 2008
Posts: 9

Posted: Fri Aug 15, 2008 20:23
olmari wrote:
We can't know who did what back then and with whose credentials... All the same it is taken off already, so what's the fuzz anymore?


Fuzz? So... Hardcoded IPs first seen in the TRAC on 18/04/2007. "for a customer..." Question: Who needs a non-removable, hardcoded rule? If it's real, how and why can this (customer-specific) modification be found in the main codebase? No comment lines around the rules...