
Misfortune Cookie - sinak
http://mis.fortunecook.ie/
======
jlebar
I for one welcome our new convention of giving security vulnerabilities cute
logos and names. It elevates their importance in the public eye, which -- I
hope -- will elevate the importance of finding, fixing, and avoiding security
vulnerabilities among the technoscenti.

I'll go out on a limb and say that if this pattern continues, it may be the
most significant legacy of heartbleed.

~~~
thrownaway2424
I, for one, do not welcome the trend of information-free wankerism
masquerading as security research. I would like proof-of-concept code,
formatted in 80-column plain text, dropped on mailing lists. Not this
unreadable javascript-laden junk that doesn't even tell me anything worth
knowing.

~~~
hamburglar
Note how they drop the CVE number at the beginning of the article, even though
it's not actually a published CVE yet. Is there any legitimate reason to do
that other than to lend your news release a false air of authority to those
who won't bother to go read the CVE?

------
elipsey
In addition to favoring the fashion of charismatic naming and artwork for
exploits, I am utterly delighted by the notion of "misfortune cookies".

Imagine:

"You have good reason for self-doubt." "Avoid heavy machinery today." "You
will be eaten by pumas." "Learn from your mistakes; wear a condom."

~~~
IvyMike
Twilight Zone from 1986: The Misfortune Cookie, starring Elliott Gould

[http://youtu.be/7FlyNU9FpK0](http://youtu.be/7FlyNU9FpK0)

~~~
elipsey
Thanks, I guess there's nothing new under the sun.

I've always been afraid I would get the fortune I deserve...

------
deanclatworthy
Great, a huge vulnerability potentially affecting millions of routers around
the world, and no information on how to check if your router is vulnerable.

Complete marketing cruft.

------
dredmorbius
For those trying to read this page but unable to deal with the broken JS, text
dump to Pastebin: [http://pastebin.com/munLi0Cy](http://pastebin.com/munLi0Cy)

 _Misfortune Cookie is a critical vulnerability that allows an intruder to
remotely take over an Internet router and use it to attack home and business
networks._

------
yourad_io
The verbosity of this vs. actual information makes my flag-finger itch. It
also, apparently, keeps getting killed on /r/netsec[1].

<TLDR>"The affected software is the embedded web server RomPager from
AllegroSoft."

"AllegroSoft issued a fixed version to address the Misfortune Cookie
vulnerability in 2005 [...]" but it's complicated.

TR-069 is mentioned because it makes it sound cooler, and also uses the
RomPager in certain implementations.</TLDR>

Yeah, Home Gateway security is almost as nonexistent as their release/update
cycle. TR-069 is a blasphemy and an anathema in the first place[2].

This is an attempt to 'heartbleed'-ize a much broader issue. It is one of
many, and they are known, and they never get patched.

Maybe make this into a crowd-type-movement to take back our routers, intending
to put pressure on manufacturers to be more responsible with security and the
intermediates for pushing the updates (since they've provided themselves the
functionality to do that/TR-069/The Irony), but do not try to heartbleed-ize
it, kinda comes off cheap.

In the meantime, for those that can (Hello Friends!), we already know the
available patches:

* OpenWRT

* DD-WRT

* Tomato

It's tricky though, because you may have to spend $20/$60 for a new router.

EDIT: Also, dupe.
[https://news.ycombinator.com/item?id=8767193](https://news.ycombinator.com/item?id=8767193)
Hrm.

[1]
[https://www.reddit.com/r/netsec/comments/2poyp6/misfortune_c...](https://www.reddit.com/r/netsec/comments/2poyp6/misfortune_cookie_cve20149222_12_million_routers/)
[https://www.reddit.com/r/netsec/comments/2polm6/the_misfortu...](https://www.reddit.com/r/netsec/comments/2polm6/the_misfortune_cookie_vulnerability/)

[2] "So my ISP can just flash my router with a new firmware, remotely, and
then flash back the original, at any time? Or anyone with my ISP's private
keys/credentials*, for that matter, but let's not open that can of worms. And
you say that, despite this being active (and sometimes partly hidden and
un-killable _cough_ BTHomeHub _cough_ ) our routers are still running archaic
software that hasn't received a 9-year-old patch? Then... ugh.. what is this
used for, exactly? Why is it there?"

* Oh God I hope it is at least private keys and not 'admin:P@ssword1' :S

~~~
mijoharas
I've been assuming DD-WRT is clear, but is it confirmed[0]? I can see no
reason why DD-WRT would use the RomPager SDK, but I haven't checked the actual
internals.

[0] [http://www.dd-wrt.com/phpBB2/viewtopic.php?t=277217&sid=e88f...](http://www.dd-wrt.com/phpBB2/viewtopic.php?t=277217&sid=e88f15058e5909f23f1acb0a60da99db)

------
eps
What a bullshit puff piece.

Checkpoint marketing is experimenting with new marketing techniques. No way
this peacock-style creation could've come directly from engineering. They
really want some of the CNN coverage that Heartbleed enjoyed, except now it
will have a discreet "Checkpoint" logo in the corner. Ain't that clever.

~~~
cornewut
Some might actually think that the vulnerability affects only Checkpoint
devices.

------
dsr_
Two months ago I decided that I didn't want to be in the position of waiting
for a vendor to release an upgraded firmware OS for my house firewalls.

If Ubiquiti's EdgeRouter Lite ran an actual Debian release rather than a
derivative with no obvious toolchain, I would have bought that. (If they
change to that, I would recommend them.) I worked my way through the
capabilities list of the PCengines mini-ITX devices (ALIX: underpowered; APU:
a little expensive) and settled on AMD's successor to the APU, now called
Athlon 5150/5350.

It's deployed and making me really happy now.

~~~
Lammy
I built mine on an Avoton Intel Atom C2750. It's the first amd64 Atom, the
first to support ECC memory, and has 20W TDP. It runs FreeBSD 10.1 and I'm
very happy with it. Before Avoton you had to go for a Pentium D or a Xeon for
ECC support on the Intel side.

------
Splendor
Scrolling on that site is very frustrating.

~~~
dredmorbius
My solution is to use w3m. The site fails to open for me at all in Chrome.

Sadly yet another case of overly rococo Web design getting in the way of basic
readability.

~~~
username223
> My solution is to use w3m.

It's amazing how much nicer the web can be without images and javascript.
These tool-bags really want to "promote their brand," but they might consider
creating a website that looks less like malware.

------
Mizza
No PoC? This is a marketing brochure.

------
cyphunk
From what I understand this gives the attacker administrative access via a
router's Web UI configuration interface. So they could change the configuration
of the router, which could be concerning in some scenarios but irrelevant in
most others. Assuming it is something like this, you can help protect yourself by
disabling remote Web UI management. This is the default already for most
routers. Though I guess we will know when Lior Oppenheim presents the issue at
the 31C3 in a week or so.

------
hannob
If anyone finds this helpful, I hacked together a quick test tool to check for
vulnerable rompager versions:
[https://rompager.hboeck.de/](https://rompager.hboeck.de/)

Still uncertain if this is to be taken seriously, because detailed information
is lacking.

------
SlashmanX
The biggest question I have about this is how they managed to register the
fortunecook.ie domain knowing the hoops you have to jump through to get an IE
domain in the first place.

------
Gys
How about adding a simple test to check if my router is vulnerable, instead of
all the text?

Their website has a special security check section but that link is
(conveniently?) broken...

------
tempodox
Is it April Fools' Day already?

------
throw7
javascript only site

