[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[john9527]

Your the man John. Any time frame for the final ?

I'm in the developer's quandary right now....

ASUS just released a new code with some security items listed, but they haven't released the source code yet.
Do I wait, or do I go?

 

[RMerlin]

I'm in the developer's quandary right now....

ASUS just released a new code with some security items listed, but they haven't released the source code yet.
Do I wait, or do I go?

CVE-201301813 is related to Busybox, that's one that doesn't seem major within a router's context, but I still need to track down the details - it's probably fixed on Busybox's repo.

The XSS vuln can possibly be resolved by diffing the firmware's version of that page with the previous one, unless the fix is within httpd.

4376 doesn't address CVE-2015-0240 yet, but this does.

 

[john9527]

CVE-201301813 is related to Busybox, that's one that doesn't seem major within a router's context, but I still need to track down the details - it's probably fixed on Busybox's repo.

The XSS vuln can possibly be resolved by diffing the firmware's version of that page with the previous one, unless the fix is within httpd.

4376 doesn't address CVE-2015-0240 yet, but this does.

The BusyBox CVE I tracked down and added already in the beta (needed a few tweaks to port it) . I remembered you said ASUS modified Busybox so didn't want to try and grab the latest. I'll leave that for you to check at some point and then backport it.

And I already cherry-picked your AICloud/Samba CVE fix.

For the XSS vuln, I haven't updated my CFE yet, so can't easily load the new code to take a look. Is there another way to extract it from the image? Maybe I'll ask someone to send me a copy of the .asp

I was wondering about the following
- OpenSSL to 1.0.0q (sorry, but's it easier to wait for you and cherry-pick it)....and according to the OpenSSL web site it's not a security fix, but a bug fix release.
- the CSRF issue (thinking that maybe this is related to automatic code updates and not applicable)
- and why remove the FTP link in network map?????

 

[RMerlin]

The BusyBox CVE I tracked down and added already in the beta (needed a few tweaks to port it) . I remembered you said ASUS modified Busybox so didn't want to try and grab the latest. I'll leave that for you to check at some point and then backport it.

I upgraded Busybox to 1.20 about two years ago, and it was a PITA. I had to downgrade the awk code because Asus's scripts were relying on a bug that was present in 1.17 but fixed in 1.20. I haven't checked if since then Asus fixed their scripts.

For the XSS vuln, I haven't updated my CFE yet, so can't easily load the new code to take a look. Is there another way to extract it from the image? Maybe I'll ask someone to send me a copy of the .asp

I use FMK (Firmware Mod Kit) to extract the content of binary firmwares whenever I want to take a peek at their content.

I was wondering about the following
- OpenSSL to 1.0.0q (sorry, but's it easier to wait for you and cherry-pick it)....and according to the OpenSSL web site it's not a security fix, but a bug fix release.

I'm already running the latest secure release. I will eventually upgrade to 1.0.0q if I haven't already done so (I don't remember which specific version I'm at).

- and why remove the FTP link in network map?????

Not sure what you mean by this one.

 

[john9527]

@RMerlin

Thanks for the reminder on FMK...someone else pointed me to it a while back, but never got to it.

Right now we're both sync'ed on OpenSSL at 1.0.0p....so going to hang tight for a while.

The 'remove FTP link in Network Map', was part of ASUS 4376 release notes under security. Don't understand it. Maybe there's a comment in the code (can always hope for a miracle )

 

[RMerlin]

The Busybox CVE fix was already included in Asus's 4129, so my 378.50 code already had that fix included.

diff --git a/release/src/router/busybox/testsuite/mdev.tests b/release/src/router/busybox/testsuite/mdev.tests
index 7320e17..48d3dcc 100755
--- a/release/src/router/busybox/testsuite/mdev.tests
+++ b/release/src/router/busybox/testsuite/mdev.tests
@@ -11,7 +11,7 @@ FILTER_LS="grep -v '^total ' | sed -e 's/,  */,/g' -e 's/  */ /g' | cut -d' ' -f
# cut: remove size+date
FILTER_LS2="grep -v '^total ' | sed -e 's/,  */,/g' -e 's/  */ /g' | cut -d' ' -f 1-4,9-"

-# testing "test name" "options" "expected result" "file input" "stdin"
+# testing "test name" "commands" "expected result" "file input" "stdin"

rm -rf mdev.testdir
mkdir mdev.testdir
@@ -128,6 +128,26 @@ SKIP=

# continuing to use directory structure from prev test
rm -rf mdev.testdir/dev/*
+echo "sda 0:0 444 =disk/sd/a" >mdev.testdir/etc/mdev.conf
+optional STATIC FEATURE_MDEV_CONF FEATURE_MDEV_RENAME FEATURE_LS_RECURSIVE FEATURE_LS_TIMESTAMPS FEATURE_LS_USERNAME
+testing "mdev move rule '=bar/baz/fname'" \
+       "env - PATH=$PATH ACTION=add DEVPATH=/block/sda chroot mdev.testdir /mdev 2>&1;
+       ls -lnR mdev.testdir/dev | $FILTER_LS2" \
+"\
+mdev.testdir/dev:
+drwxr-xr-x 3 0 0 disk
+
+mdev.testdir/dev/disk:
+drwxr-xr-x 2 0 0 sd
+
+mdev.testdir/dev/disk/sd:
+br--r--r-- 1 0 0 a
+" \
+       "" ""
+SKIP=
+
+# continuing to use directory structure from prev test
+rm -rf mdev.testdir/dev/*
# here we complicate things by having non-matching group 1 and using %0
echo "s([0-9])*d([a-z]+) 0:0 644 >sd/%2_%0" >mdev.testdir/etc/mdev.conf
optional STATIC FEATURE_MDEV_CONF FEATURE_MDEV_RENAME FEATURE_MDEV_RENAME_REGEXP FEATURE_LS_RECURSIVE FEATURE_LS_TIMESTAMPS FEATURE_LS_USERNAME FEATURE_LS_SORTF
diff --git a/release/src/router/busybox/util-linux/mdev.c b/release/src/router/busybox/util-linux/mdev.c
index c4829a5..d7b7d80 100644
--- a/release/src/router/busybox/util-linux/mdev.c
+++ b/release/src/router/busybox/util-linux/mdev.c
@@ -336,6 +336,18 @@ static const struct rule *next_rule(void)

#endif

+static void mkdir_recursive(char *name)
+{
+       /* if name has many levels ("dir1/dir2"),
+        * bb_make_directory() will create dir1 according to umask,
+        * not according to its "mode" parameter.
+        * Since we run with umask=0, need to temporarily switch it.
+        */
+       umask(022); /* "dir1" (if any) will be 0755 too */
+       bb_make_directory(name, 0755, FILEUTILS_RECUR);
+       umask(0);
+}
+
/* Builds an alias path.
  * This function potentionally reallocates the alias parameter.
  * Only used for ENABLE_FEATURE_MDEV_RENAME
@@ -349,7 +361,7 @@ static char *build_alias(char *alias, const char *device_name)
        dest = strrchr(alias, '/');
        if (dest) { /* ">bar/[baz]" ? */
                *dest = '\0'; /* mkdir bar */
-               bb_make_directory(alias, 0755, FILEUTILS_RECUR);
+               mkdir_recursive(alias);
                *dest = '/';
                if (dest[1] == '\0') { /* ">bar/" => ">bar/device_name" */
                        dest = alias;

As for OpenSSL, I had already downloaded 1.0.0q, but hadn't generated a diff for it as there was no real reason to do so (it's just a bugfix for Win32 compiling). Since I expect people to blindly ask me "why is your OpenSSL older than Asus's?!", I went ahead and merged it.

Main_Analysis page: the only change I see in 4376 is that ping count is now limited to a maximum of 9 instead of 99, and they added an onblur="" attribute to the ping count field. So any actual fix is probably in httpd.

 

[john9527]

The Busybox CVE fix was already included in Asus's 4129, so my 378.50 code already had that fix included.

Matches what I mapped from the Busybox commit for the CVE....

As for OpenSSL, I had already downloaded 1.0.0q, but hadn't generated a diff for it as there was no real reason to do so (it's just a bugfix for Win32 compiling). Since I expect people to blindly ask me "why is your OpenSSL older than Asus's?!", I went ahead and merged it.

Thanks.....picked it up.

Main_Analysis page: the only change I see in 4376 is that ping count is now limited to a maximum of 9 instead of 99, and they added an onblur="" attribute to the ping count field. So any actual fix is probably in httpd.

Think you got the comparison backward (up working too late? )....I think they raised the limit to 99 and eliminated the null onblur......I suppose the null onblur could be exploited. I don't think they would have directly referenced that page without the fix being on that page.

 

[mobileman88]

According to the Entware-ARM thread, it's either/or.....Entware can't coexist with Optware.



Yes, correct. I've removed the Download Master code from the firmware like Merlin's builds. It will be downloaded when you install it. It would be updated immediately anyway, and also frees up a little more jffs space for the MIPS routers.

John, thanks for the clearing the air on this. How can I switch from Optware to Entware? Do I neeed to delete all the Optware stuff which I have right now in my router or can I simply run the Entware script? I know that this is not the Entware thread but it'd give us who use Optware on AC68 and AC87 better understanding on what to do. Good that the DownloadMaster code has been removed as many of us really do not use it

 

[john9527]

John, thanks for the clearing the air on this. How can I switch from Optware to Entware? Do I neeed to delete all the Optware stuff which I have right now in my router or can I simply run the Entware script? I know that this is not the Entware thread but it'd give us who use Optware on AC68 and AC87 better understanding on what to do. Good that the DownloadMaster code has been removed as many of us really do not use it

Sorry, but I haven't installed Optware/Entware and don't really know the steps to uninstall. Based on his guides, it looks like @TeHashX is a 'guru' on the 'wares and I've sent him a Conversation (PM) to see if he can help.

BTW....I've also learned (maybe everyone else already knew) that Download Master installs Optware, so also must be removed prior to installing Entware.

 

[Builder71]

I played a bit with my OpenVPN settings and noticed a small issue.
When I click on the "VPN Server" tab, it always says "Starting the server..." and errors out.
My OpenVPN server (and router) is running for months, why try to start it while it's already running?

OpenVPN is working without problems, just a small GUI bug?

 

[john9527]

I played a bit with my OpenVPN settings and noticed a small issue.
When I click on the "VPN Server" tab, it always says "Starting the server..." and errors out.
My OpenVPN server (and router) is running for months, why try to start it while it's already running?

OpenVPN is working without problems, just a small GUI bug?

Just checked and can't recreate it here......

Maybe try....
Select Server2 and make sure it's off
Turn Server1 off, switch to the details page....re-apply the settings for Server1, then turn Server1 back on

 

[john9527]

Update-08BETA Refresh
One last refresh on the Beta
I've refreshed the 08BETA download to
08BAj9527 for the N66U and AC68U. http://1drv.ms/1sDtB1V
Changes in the refresh

• Backported the Custom DDNS scripting support from Merlin - see the instructions from the Merlin code README to set it up (need some testing here)
• Added the modules required for webmon iptables rules
  This allows you to track visited websites by url. See the following post on how to set it up.
  http://www.snbforums.com/threads/monitoring-web-usage-with-asuswrt-merlin.15558/page-2#post-169886
  I've been able to confirm it works on AC68. I believe I also have it enabled for the MIPS routers....Can someone try it on the N66?
• Upgraded OpenSSL to 1.0.0q This is mainly a maintainance update to keep in sync with ASUS/Merlin. There are no specific security vulnerabilities.
• Applied a fix for an XSS vulnerability in Main_Analysis_Content.asp (the Network Tools page)
• Added uniq and dos2unix Busybox utilities

Thanks again to everyone that's trying the beta....about 50 users. Please take a moment to report back if you've had any problems (or if you haven't ).

 

[wiz]

I played a bit with my OpenVPN settings and noticed a small issue.
When I click on the "VPN Server" tab, it always says "Starting the server..." and errors out.
My OpenVPN server (and router) is running for months, why try to start it while it's already running?

OpenVPN is working without problems, just a small GUI bug?

Just had a look at mine, does exactly the same.

I did what John suggested, made sure vpn server 2 is off, switched off the vpn server 1 reapplied the settings started it and tried again and now it works as designed.

 

[TeHashX]

John, thanks for the clearing the air on this. How can I switch from Optware to Entware? Do I neeed to delete all the Optware stuff which I have right now in my router or can I simply run the Entware script? I know that this is not the Entware thread but it'd give us who use Optware on AC68 and AC87 better understanding on what to do. Good that the DownloadMaster code has been removed as many of us really do not use it

Switching from optware to entware it's easy, for arm routers:
1. save optware.arm folder if you want to go back later

mv /mnt/sda1/optware.arm /mnt/sda1/optware.arm-backup

2. install entware (starting with firmware 378.51-beta1 script is included) or for older versions https://www.asuswrt.eu/how-to-install-entware-arm/

entware-setup.sh

3. install desired packages with opkg command instead ipkg
4. restore some conf files from optware.arm-backup to entware.arm directory, ex. lighttpd.conf, pyload.conf...

If you want to switch back to optware, rename entware.arm folder to entware.arm-backup, delete post-mount script, rename back optware.arm-backup to optware.arm and reboot router.

Warning!!! If you installed chrooted debian inside optware or entware, be sure ext_dir is not mounted to avoid deletion of media files.

I recommand ENTWARE

 

[Builder71]

Just checked and can't recreate it here......

Maybe try....
Select Server2 and make sure it's off
Turn Server1 off, switch to the details page....re-apply the settings for Server1, then turn Server1 back on

My Server2 is always off, switching between Server1 and 2 didn't solve it.
I didn't try re-apply settings. (I didn't change anything, I was just browsing my settings.)

When I switched Server1 off and switched it on again, problem solved.
After this it shows the Export button like expected.

 

[Builder71]

Just had a look at mine, does exactly the same.

I did what John suggested, made sure vpn server 2 is off, switched off the vpn server 1 reapplied the settings started it and tried again and now it works as designed.

Not sure what triggers it, seems like a small bug to me.
Thx for checking.

 

[john9527]

Not sure what triggers it, seems like a small bug to me.
Thx for checking.

and @wiz
I almost hate to mention it.....but there was a difference in the way that Merlin code and ASUS OEM handled the nvram variable defining the status of the VPN Servers. For most, this meant that when moving from OEM to Merlin, the OpenVPN server would attempt to start even if it wasn't being used. It wouldn't happen if you did a reset to factory defaults when doing the firmware change.

So.....this may mean you missed doing a factory reset at some point when one was required. You may want to put a todo on your list to reset and reconfigure at some point (or use my NVRAM utility to ease the pain).

 

[wiz]

and @wiz
I almost hate to mention it.....but there was a difference in the way that Merlin code and ASUS OEM handled the nvram variable defining the status of the VPN Servers. For most, this meant that when moving from OEM to Merlin, the OpenVPN server would attempt to start even if it wasn't being used. It wouldn't happen if you did a reset to factory defaults when doing the firmware change.

So.....this may mean you missed doing a factory reset at some point when one was required. You may want to put a todo on your list to reset and reconfigure at some point (or use my NVRAM utility to ease the pain).

Well, when I moved to your fork I was on a completely different firmware level, so on a rainy sunday afternoon I did update to your fork, and went to factory default, rebooted the router and put everything back by hand.

I know I had some issues with the certificates, so maybe that is what caused it. If it is working correctly apart from when you click on it it wants to start the open vpn server I won't change it, so far it runs flawlessly, apart from this.

Just checked, it still works as designed.

 

[Deleted member 22229]

Other then a few VPN issues i dont see any complaints with the newest beta. Looking forward to the final release.

 

[john9527]

Other then a few VPN issues i dont see any complaints with the newest beta. Looking forward to the final release.

Right now planning on the beginning of next week (give folks one last weekend to play with it).

As far as Beta specific feedback.....(insert sound of crickets here ) I suppose that could be considered a good thing