D-Link patch doesn’t address all bugs listed in their own security advisory - PaulSec
http://www.devttys0.com/2015/04/what-the-ridiculous-fuck-d-link/

======
TheCowboy
I inherited an office with a D-Link router being used that kept misbehaving. I
tried upgrading the firmware as a last resort, since DDWRT and the others
don't work on it.

Digging around I found a thread where customers were wondering what happened
to bridge mode and why it had been removed. An obdurate admin informs everyone
that D-Link decided it wasn't needed as a feature, so they removed it. The
admin is very coarse and ends up locking the thread.

It seems ridiculous that, for a hardware product, a company would decide to
remove features in a firmware upgrade. There is a workaround, but even if it
is a legitimate thing to do, it seems like a terrible product and engineering
culture to be this condescending to customers.

Relevant thread:
[http://forums.dlink.com/index.php?topic=4542.0](http://forums.dlink.com/index.php?topic=4542.0)

End of story: The router ended up going in the trash after other issues, along
with two different D-Link models.

It's not the best idea to use consumer grade gear in an office, but then I
replaced it (as a temporary fix) with an even older Linksys WRT54GL flashed
with DDWRT with no problems.

~~~
pXMzR2A
> an even older Linksys WRT54GL

That thing has been working for almost ten years (granted it is not an office
environment), once with openwrt and now with tomato, while rebooting its
little and adorable self every night at 3am automatically so that I don't have
to.

It's an amazing piece of hardware that makes one say "back in the day".

~~~
UnoriginalGuy
It was good for its time, but has limited onboard RAM, limited storage, and
pretty slow WiFi by modern standards (there are even faster G-band, let alone
N). Wouldn't recommend it today, and certainly wouldn't recommend touching
Linksys with a ten foot pole.

As to stability, I'd describe it as a mixed bag. I owned one for just under
five years and had to do fortnightly restarts (which I eventually automated),
and we also owned one at work which needed nightly reboots (DD-WRT provided
that).

PS - In fairness to the work one, the building was insanely congested. It was
one of these buildings which are shared by three dozen small businesses, and
each had 1-2 WiFi networks, plus the local homes also. When you spun up a WiFi
analyzer it could not find an empty piece of spectrum, and a lot of routers/APs
would crash if you left the "find best frequency" option checked (as they
would hop continuously and never find anything).

~~~
jessewmc
Do you have any particular recommendations for new(ish) consumer routers?

~~~
UnoriginalGuy
I buy Asus stuff then flash third party ROMs. Here's a massive list:
[http://www.dd-wrt.com/wiki/index.php/Supported_Devices](http://www.dd-wrt.com/wiki/index.php/Supported_Devices)

If I was buying something today, it might be the Asus RT-AC66U (since it is a
"compromise" between price/performance).

------
deanstag
I was in a dev team for a network security appliance. It is really sad the
way they treat vulnerabilities and security advisories. There were very few
people who knew what the actual vulnerability was. The vulnerability would be
listed as one of the last items in a release checklist. It gets assigned to a
guy who has no clue whatsoever. The guy fixing the issue would google a patch
and apply it, with no way of testing it comprehensively. He will run a basic
test case. He will make up a report with a lot of security jargon for the
managers and advisory team. And the next release would list the vulnerability
as fixed.

------
Havoc
I've just accepted that residential routers are full of assorted orifices
(security holes, backdoors & holes in functionality).

Then again I'm not hiding anything dubious - if I was I'd install a firewall
box asap. (And yes I know the "nothing to hide" slippery slope etc argument)

~~~
wlesieutre
I'm guessing that Apple's are better than average, since they have two
versions (the built in HD on a time capsule doesn't make it appreciably
different) and maintain them for long periods between upgrades.

Asus/Netgear/D-Link/etc follow the "If we don't release an 802.11ac router
every week, we won't get enough press releases out!" model, and their firmware
suffers as a result.

I'm not touching those unless I can wipe the stock firmware and replace it
with Tomato or DD-WRT.

~~~
ariendj
Some OpenWRT routers like the TL 1043ND I have suffer from VLAN leakage.
Basically the router separates WAN from LAN via a VLAN config as the CPU has
only one LAN port. At the router's bootup, devices on my LAN would randomly
get a public IP address assigned by the DHCP server on the modem. Scared the
crap out of me. From now on the thing is an access point, not a router.

------
fnordfnordfnord
Things like this make me so happy to have things like DDWRT, OpenWRT, et al.

~~~
scott_karana
Why would you still be comfortable using an incompetent company's _hardware_ ,
even if you fixed the software issue?

Does anyone do meticulous teardowns of routers, much less documenting what
silicon is present?

~~~
rpcope1
Yes, typically home routers tend to use pretty industry standard chips like
Broadcom chips (like the BCM5357 in my home router). D-Link, Linksys, and crew
don't usually roll their own SoCs, but just seem to throw off the shelf stuff
in there. These chips tend to be SoCs, and while I can't be totally sure that
there isn't a weirdo NSA backdoor on it (probably just as likely as any other
router, residential or commercial), most of the meat lives in the chip, and
with good open source firmware (DD-WRT et al.) it's probably just about as
reasonable as anything else coming and going. I certainly have far more faith
in a regular off-the-shelf SoC + open source firmware tuned to my own needs
(and believe it or not, this isn't hard at all) than anything with proprietary
firmware, including (and especially, to me) Apple. Maybe the next best thing
to do is to build your own WiFi router from totally off the shelf parts (not
so hard to get into a small form factor any more).

As to inspecting the SoC itself, that would be certainly interesting. Most of
them are just ARM SoCs; this might make for an interesting blog post looking
at the silicon.

~~~
Osiris
ARM? I thought most routers used MIPS. At least several of the ones I've used
are.

~~~
wtallis
ARM is taking over from MIPS in the 802.11ac supporting products. MIPS is
still around, but is now in the second tier of popularity alongside PPC. The
single-core MIPS 24K and 74K that have been so popular just aren't fast enough
for doing smart things at DOCSIS 3 speeds. They've also largely switched from
NOR flash to NAND flash.

------
jheriko
this guy clearly has a passion for security.

d-link could do well by firing whatever uncaring 9-to-5 programmers they have
and hiring him.

part of the problem is that people with this kind of passion and skill are few
and far between... it is very rare that good people want to work for a company
like d-link on something like drivers or router software.

~~~
marcosdumay
> d-link could do well by firing whatever uncaring 9-to-5 programmers they
> have and hiring him.

That's a great experiment to discover how long somebody can stay
passionate inside an uncaring corporation.

I give him 2 years to become an uncaring 9-to-5 programmer.

~~~
jheriko
good point...

i do think it is pretty hard to stop caring though, what happens generally is
that if you start to get that demoralised you will leave and find something
else. :)

------
shmerl
It's better to stick with OpenWRT or DD-WRT.

~~~
click170
Care to share your opinion of why that is? Have you compared Tomato? What
problems or deficiencies did you identify? More detail would be helpful.

~~~
tdicola
Isn't Tomato way out of date? Wikipedia shows the last stable release was
almost 5 years ago, and the website shows no dates on its releases (not a good
sign). I ran Tomato for a long time and loved it, but I just got too nervous
running such old software as the gateway to my network. Ended up upgrading to
a cheap TP-Link router, switching to the latest and greatest OpenWRT release,
and haven't had any complaints at all.

~~~
ramidarigaz
There are forks of Tomato that have been updated much more recently. I'm
running the "Toastman" build of Tomato.

~~~
tdicola
Ah, I wonder why the original project doesn't just fold up and point people at
the currently maintained version. I'd still be very nervous about trusting my
network to a random fork of mostly unmaintained software. At least with
OpenWRT there's a very clear view into the (quite active) development,
roadmaps to next releases, etc:
[https://dev.openwrt.org/roadmap](https://dev.openwrt.org/roadmap)

------
sdrinf
Mirror for Database Error'd:
[https://archive.today/D33zV](https://archive.today/D33zV)

------
carey
I guess this is a reminder that writing secure C is actually really, really
hard.

~~~
comex
Writing completely secure C _is_ hard, but this code is littered with
extremely basic bugs like unchecked sprintf and not sanitizing arguments to
system. Like, it's a basic rule that you should use snprintf instead of
sprintf, _possibly_ with exceptions for cases where you're absolutely sure the
result fits in the provided buffer, and in this case there is sprintf
everywhere and no checks on the input size whatsoever.
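The two defects comex names, unbounded sprintf into a fixed buffer and an unchecked argument reaching system(), are easy to illustrate side by side. The C below is an added example written for this thread, not code from the D-Link firmware or from the linked article; the function names (format_bounded, script_is_allowed, build_cmd), the CGI_DIR path and the script names in the allowlist are all constructed for the illustration. It shows the snprintf-with-a-checked-return pattern comex describes, and pairs it with an exact-match allowlist so that only a known script name can ever be formatted into the command string.

```c
/* Added example (not from the article or the firmware it discusses): a bounded,
 * checked way to build a command string, next to the unchecked sprintf() shape
 * the thread complains about. All names and paths here are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CGI_DIR "/var/www/cgi"   /* constructed path for the example */

/* Fixed set of scripts the handler may ever run (constructed names). */
static const char *const ALLOWED_SCRIPTS[] = { "status.php", "reboot.php", "wan.php" };

/* vsnprintf wrapper: returns 0 when the whole result fit in dst, -1 on
 * truncation or encoding error. The caller must check the return value; the
 * bug comex describes is sprintf() with no size information and no check. */
int format_bounded(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (dstsz == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';        /* never leave a half-built command behind */
        return -1;
    }
    return 0;
}

/* Exact-match allowlist: the argument must be one of the known script names.
 * No character filtering is attempted; anything not on the list is rejected,
 * so path segments and shell metacharacters never reach system(). */
int script_is_allowed(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof ALLOWED_SCRIPTS / sizeof ALLOWED_SCRIPTS[0]; i++)
        if (strcmp(name, ALLOWED_SCRIPTS[i]) == 0) return 1;
    return 0;
}

/* Build "php-cgi <CGI_DIR>/<script>" into dst. Returns 0 on success, -1 if the
 * script is not allowlisted or the result does not fit. Only a string built
 * here should ever be handed to system(). */
int build_cmd(char *dst, size_t dstsz, const char *script)
{
    if (!script_is_allowed(script)) return -1;
    return format_bounded(dst, dstsz, "php-cgi %s/%s", CGI_DIR, script);
}

/* For contrast, the unchecked shape build_cmd replaces (shown as a comment
 * only; do not use):
 *     char cmd[64];
 *     sprintf(cmd, "php-cgi %s/%s", CGI_DIR, script);   // no size check
 *     system(cmd);                                       // no allowlist
 */

int main(void)
{
    char cmd[64];
    /* Constructed inputs: one valid name, two that the allowlist rejects. */
    const char *inputs[] = { "status.php", "../status.php", "status.php;ls" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s -> %s\n", inputs[i],
               build_cmd(cmd, sizeof cmd, inputs[i]) == 0 ? cmd : "rejected");
    return 0;
}
```

The point of the allowlist is that it makes the question "is this input safe to put in a shell command?" disappear: the handler never reasons about which characters are dangerous, it only asks whether the name is one it already knows. The bounded formatter does the same for the buffer size question, and clearing the buffer on failure means a caller that forgets to check the return value at least does not run a truncated command.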

~~~
userbinator
I wonder where this "length blindness" comes from, since it certainly leads to
a lot of vulnerabilities. Are these programmers who started with a higher-
level language than C, one with dynamically sized strings that automatically
expand? Do they even know how big the buffer is, or how long the input string
could conceivably be? Did they ever consider the case where the input is very,
_very_ long?

A funny analogy I've heard is "programmers who don't know the size of their
buffers are like drivers who don't know the size of their cars."

~~~
bentcorner
Just to hazard a guess, there's probably little organizational incentive to
prevent security issues in the first place.

------
aioprisan
I can't believe how laughably bad router security still is. It's fascinating
how these exploits came to light. Where do you even start to map to the
related system calls?

------
ariendj
pfsense on a thin client = 40$
OpenWRT on a home router as AP = 30$
Not getting pwned = priceless

~~~
joejoebob
What are you running pfSense on for $40?

~~~
un1xl0ser
I think that he means per month in electricity costs. ;)

~~~
joejoebob
Seems a little high to me, but it does make more sense.

------
kkl
Interesting. The D-Link security advisory
([http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10054](http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10054))
states that the issue was only partially resolved. What was changed (aside
from adding an additional buffer overflow) in the patch that attempted to
alleviate these issues?

~~~
Buge
Like the article says, they make sure the command to system is one of their
php files before running the system command.

------
Osiris
Factory firmware on SOHO routers is notoriously terrible. You'd think that
this would be a good place for a startup to disrupt. The hardware is basically
off-the-shelf components. It would be an easy sell to experts, but maybe
harder to get traction with most people.

------
yuhong
I wonder which vendors have the best firmware.

~~~
zurn
Are there any left that are owned by semi-reputable big companies? Back when
Cisco had Linksys there was some hope that they'd at least look after the
vulnerability handling and patching process in a grown up way.

~~~
otterley
The Apple Airport Express is reasonably cheap, has a great range, is easy to
configure, and doesn't have a reputation for being insecure.

------
eyeareque
Cheap SOHO routers: Sadly, you get what you pay for.

~~~
wtallis
Paying more gets you better radios and more GigE ports. It doesn't get you
less-stupid software. "Friends don't let friends run factory firmware" applies
regardless of the price.

