Source says they also did some input sanitizing along with blocking curl, and they had to make a new PoC to get around that. If I'm reading that right, then this isn't really an issue; nothing wrong with defense in depth.

Edit:

> The update adds several filters to handle single quotes in user input. However, these filters can be evaded by specially crafted inputs. By providing the following string for the certificate's common name, a "ping" command can be injected:

Title is misleading, implying the only patch was blacklisting curl.



Speaking of filtering, the diff between the two exploits is:

    -"common_name=a'\$(ping -c 4 192.168.1.2)'b"
    +"common_name='a\$(ping -c 4 192.168.1.2)'b"
and POST instead of GET (and kurl as the UA, of course).

Does their fix specifically check for injection starting with `a'`? And does it only work for GET requests? Mind-boggling...

Edit: The new exploit also targets https instead of http. I would've said that surely that would not make a difference, but given what's already happened I'm not sure.
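The comment above suspects the vendor filter keys on the literal `a'` prefix that the first PoC happened to use. As an added illustration (not the vendor's code and not the PoC author's), here is a Python sketch of why a pattern blacklist of that kind fails where a positive allowlist on the common name plus a shell-free command invocation does not; the two regexes, the CN character policy and the `openssl` argv are assumptions, and the two sample strings are constructed to match the shapes quoted in the thread.

```python
import re
from typing import List, Optional

# Constructed test inputs modelled on the two payload shapes quoted in the thread.
# They are fed to the validators below; nothing here executes them.
ORIGINAL_SHAPE = "a'$(ping -c 4 192.168.1.2)'b"
EVASION_SHAPE = "'a$(ping -c 4 192.168.1.2)'b"

# Hypothetical blacklist in the style the thread suspects was shipped:
# reject a letter immediately followed by a single quote.
BLACKLIST_PATTERN = re.compile(r"[A-Za-z]'")


def blacklist_rejects(common_name: str) -> bool:
    """Fragile negative filter: only catches inputs shaped like the known PoC."""
    return bool(BLACKLIST_PATTERN.search(common_name))


# Hypothetical allowlist for a CN typed into a router UI: starts with a letter or
# digit, then letters, digits, space, dot, underscore or hyphen, 1..64 chars total.
ALLOWLIST_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$")


def allowlist_accepts(common_name: str) -> bool:
    """Positive validation: quotes, $, (, ) and / are simply not permitted."""
    return ALLOWLIST_PATTERN.fullmatch(common_name) is not None


def build_openssl_argv(common_name: str) -> Optional[List[str]]:
    """Return an argv list for a self-signed cert, or None if the CN is rejected.

    The caller hands this list to subprocess.run(argv) WITHOUT shell=True, so
    the shell never sees the value and $(...) is never expanded, even if a bad
    value were to slip past the allowlist. The argv is an assumed example.
    """
    if not allowlist_accepts(common_name):
        return None
    return [
        "openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
        "-keyout", "key.pem", "-out", "cert.pem", "-days", "365",
        "-subj", f"/CN={common_name}",
    ]
```

The blacklist catches the original shape but not the quote-shifted one, while the allowlist rejects both and accepts an ordinary hostname; the argv builder shows that quoting never has to be reasoned about when no shell is involved.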


"As a user, when I send a request like below I want it to not pwn the router."


The equivalent of a "pls dont hack" sign is not defense in depth.

Good to know they at least half fixed the problem, I guess. But that's not enough, and they should be capable of testing this.


I would expect them to check for any RFC3514 bits as well. Defense in Depth.


The real defense is the attacker needs to access and authenticate with the router's web interface. A more honest patch would be to legitimize the bug as a new feature since it must be too amateur-hour over there to actually address any webshit security issues. "Dear Admin, here's a textarea to run arbitrary commands as root, don't hurt yourself!"


Can anything without a "please don't hack" sign be considered defense in depth?

Probably not, hence an appropriate first patch.


Yes it can. If you see a product that claims to be secure, with multiple layers of security, certain exceptionally-fragile measures should decrease how much you believe that claim. Layers of security have to at least be mildly effective to count as layers.

If you're fighting an active attack you can stall by filtering on some arbitrary parameter unrelated to the actual problem. For anything that's supposed to last more than an hour, it's worse than useless. It makes your system more complex for no security benefit. An idea like that should never make it into a product release.


I agree, it's just good sense. It's even encapsulated in the bit of folk wisdom about throwing the baby out with the bathwater.


Your humor is too sophisticated for us...



