Stem Bolt:
Open-source firmware flaw exposes wireless routers - DD-WRT
www.theregister.co.uk/2009/07/21···er_vuln/
quote: A hacker has discovered a critical vulnerability in open-source firmware available for wireless routers made by Linksys and other manufacturers that allows attackers to remotely penetrate the device and take full control of it.
The remote root vulnerability affects the most recent version of DD-WRT, a piece of firmware many router users install to give their device capabilities not available by default. The bug allows unauthenticated users to remotely gain root access simply by luring someone on the local network to a malicious website.
"This means someone can even post some crafted [img] link on a forum and a dd-wrt router owner visiting the forum will get owned," a user named Leka Vecher "gat3way" wrote in this posting to Milw0rm. "A weird vulnerability you're unlikely to see in 2009. Quite embarrassing, I would say."
Messages sent through the DD-WRT website to the software designers weren't returned by time of publication, but comments posted to this user forum thread said the vulnerability affected the most recent builds, prompting a user by the name of autobot to declare the vulnerability a "mini code red."
The bug resides in DD-WRT's hyper text transfer protocol daemon, which runs as root. Because the httpd doesn't sanitize user-supplied input, it's vulnerable to remote command injection. While the httpd doesn't listen on the outbound interface, attackers can easily access it using CSRF (cross-site request forgery) techniques.
What's more, exploits need not be part of an authenticated session, making them easy to carry out. Examples of URLs that allow remote takeover include:
routerIP/cgi-bin/;command_to_execute
or even:
DD-WRT is open-source firmware that runs more than 200 different models of wireless routers and embedded devices, including those made by Linksys, D-Link, Buffalo, and Netgear. If you don't know whether your device uses it, chances are it does not. Penetration testers using the Metasploit project can download this module to audit whether a particular piece of hardware is vulnerable.
Additional details about the bug are here and here. ®
Update:
DD-WRT developer Sebastian Gottschall just emailed to say an interim fix is available here. "Consider that this exploit was released without any Report to us," he added.

SUMware:
Update from The Register
quote: DD-WRT developer Sebastian Gottschall just emailed to say an interim fix is available here. "Consider that this exploit was released without any Report to us," he added.
DD-WRT Web Management Interface Remote Arbitrary Shell Command Injection Vulnerability quote: DD-WRT is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data.
Remote attackers can exploit this issue to execute arbitrary shell commands with superuser privileges, which may facilitate a complete compromise of the affected device.
DD-WRT v24-sp1 is affected; other versions may also be vulnerable.
Bugtraq ID: 35742
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Jul 20 2009 12:00AM
Updated: Jul 20 2009 09:56PM
Credit: gat3way
Vulnerable: DD-WRT v24.sp1, DD-WRT v24-sp1, DD-WRT v24

JohnInSJ:
reply to Stem Bolt
Is it me, or would the attacker need to know the ip address of the router and use that in their CSRF attack?
so, er, you could guess that it would be 10.x.x.x, but that's a lot of potentials to slog through isn't it?
I know I'm weird, but my router (which isn't a DD-WRT) isn't running on something silly like 10.0.0.1.
These posts are like the daily "elevated threat level orange" message from DHS. Yes, the first three or four hundred times you got my attention, but I'm not buying the "OMG and THE WHOLE WORLD IS pwn3d" punchline these days.
Or did I misunderstand the "attack vector"?

jdong:
reply to Stem Bolt
Shockingly embarrassing vulnerability...

KodiacZiller:
Even though it affects DD-WRT, this exploit is not applicable to Tomato. Just in case anyone was wondering as I did.

Millenniumle:
reply to Stem Bolt
I just started using DD-WRT. Having had to use the micro version I won't see any update either. I'll have to hit their forums and see if I can find out if the micro version has the same vulnerability.

tempnexus:
reply to Stem Bolt
Is any version prior to 24 vulnerable?

Millenniumle:
reply to Stem Bolt
I've been looking around DD-WRT's website and haven't found anything from the publishers. There is apparently a new patched version available, but I couldn't find any word on previous versions.

jdong:
reply to Stem Bolt
Simplest way to test is to navigate to router.ip/cgi-bin/;reboot
If you are vulnerable your router will reboot.

therube:
reply to Stem Bolt
Just to point out, you may have already, unknowingly thwarted the exploit.
quote: I briefly read about this yesterday, but didn't look into it. And so, I was under the wrong impression that this was something that can happen from the outside, hacking directly into the router, simply by coming across a vulnerable router.
But that is not the case.
It needs a facilitator. And that facilitator is your browser.
So the exploit has to come across the web & into your browser. Then your browser has to allow the action. So if the action is blocked by the browser (& a NoScript/ABE enabled browser, does - you say), then the exploit is thwarted.
And just how does NoScript/ABE stop this attack?
And I guess that is what does it. But just what does that mean, in simple terms?
quote: In simple terms it means that, just like any site can link any other site and even navigate automatically (e.g. when a web site loads a 3rd party image or iframe), a malicious site can let your browser navigate automatically (and invisibly, e.g. using an invisible iframe or a 0 sized image) to your router's web UI (or any web application inside your LAN). If said router or intranet application lacks sufficient authorization checks (e.g. because it's confident about hosts in the LAN being trusted by IP) or if you're just already logged in or you're using the default password or, like in this case, it is just vulnerable because of a bug, the malicious web page can interact with the "private" resource just as if it were you.
What ABE does with the SYSTEM "LocalRodeo-like" rule is preventing any external (internet) web site/application from initiating requests towards internal (LAN) resources.
ABE just in time it seems

therube:
reply to JohnInSJ
quote: would the attacker need to know the ip address of the router and use that in their CSRF attack?
They don't need to know your IP (ahead of time).
You simply need to access a malicious site that exposes the exploit. So you visit the site. At that point they know your IP. With that, they simply try. If it works, they're successful. If it doesn't work, they simply ignore & wait for the next fish.

JohnInSJ:
They know YOUR NATed IP. The router IP isn't your IP. Ever.
So they have a 1 in 254 chance of guessing right? As pointed out above that's assuming you've visited HaxRUs.ru with scripting enabled, as well.
I think this is one of those "ohhh sounds scary on paper" exploits.

Ravenheart:
reply to therube
I have one PC where the user customarily uses Opera rather than Firefox plus NoScript.
I thought a quick fix might be to make a top-level firewall rule on that machine to block outgoing port 80* to the router IP. Do you (or anybody) think that would cover it?
I have an nice, stable build of DD-WRT and don't want to rush into another one that might introduce other problems.
(Small edits for completeness.)
*Edit: And port 443. That'll fix it.

Fickey:
reply to KodiacZiller
said by KodiacZiller: Even though it affects DD-WRT, this exploit is not applicable to Tomato. Just in case anyone was wondering as I did.
Can you substantiate/elaborate on Tomato's immunity to this exploit? Is it just that HyperWRT isn't vulnerable?

SirMeowmix_III:
reply to Stem Bolt
The issue is in http.c, see the milw0rm exploit which explains the issue in detail:
www.milw0rm.com/exploits/9209
To further clarify:
quote: Unlike the already documented CSRF vulnerability ( www.securityfocus.com/bid/32703 ) this DOES NOT need an authenticated session. This means someone can even post some crafted [img] link on a forum and a dd-wrt router owner visiting the forum will get owned
The IP address of the router would need to be known as well as the local IPv4 addressing scheme if using RFC1918.
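The bug class described in the first post (an httpd that splices the request path after "cgi-bin/" into a shell command, so "/cgi-bin/;reboot" runs reboot as root) and pointed at again above in http.c, as an added C example. This is editor-written illustration, not DD-WRT's http.c and not gat3way's exploit: the function names, the hypothetical CGI name webif.cgi, the fixed "cgi-bin/" prefix and the assumption that the web root is the current directory are all mine. The vulnerable function only builds the command line and returns it rather than running it; the hardened version rejects anything that is not a single plain filename component and starts the CGI with execve() so no shell ever sees the path.

```c
/*
 * Illustrative example (not DD-WRT's real http.c): a CGI dispatcher that
 * builds a shell command from the request path, beside a hardened version
 * that validates the path and runs the CGI binary without a shell.
 * All function names are hypothetical.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define CGI_PREFIX   "cgi-bin/"
#define CGI_NAME_MAX 64

/* VULNERABLE pattern. The URL-decoded path is used verbatim to build a
 * command string that a real daemon would hand to popen()/system(). For
 * "GET /cgi-bin/;reboot" the string is "./cgi-bin/;reboot", which /bin/sh
 * parses as the command "./cgi-bin/" followed by ";" and then "reboot".
 * Returns the command line in a static buffer so it can be inspected without
 * being executed; NULL for non-CGI paths. */
const char *build_cgi_command_vulnerable(const char *path)
{
    static char cmd[256];
    if (strncmp(path, CGI_PREFIX, strlen(CGI_PREFIX)) != 0)
        return NULL;
    snprintf(cmd, sizeof cmd, "./%s", path);
    /* In a real daemon the next step would be popen(cmd, "r"). */
    return cmd;
}

/* Hardened check: accept only "cgi-bin/<name>" where <name> is one ASCII
 * path component of [A-Za-z0-9_.-] that does not start with '.'. That
 * rejects "..", hidden files, '/', ';', '|', '&', '$', '`', whitespace and
 * everything else a shell or the filesystem could interpret. Must run on the
 * URL-decoded path, otherwise "%3B" would slip through as a literal. */
int cgi_path_is_safe(const char *path)
{
    size_t plen = strlen(CGI_PREFIX);
    const char *name;
    size_t n, i;

    if (strncmp(path, CGI_PREFIX, plen) != 0)
        return 0;
    name = path + plen;
    n = strlen(name);
    if (n == 0 || n > CGI_NAME_MAX || name[0] == '.')
        return 0;
    for (i = 0; i < n; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hardened dispatch: the CGI is started with execve() and a fixed argv, so
 * no shell parses the path. Returns the CGI's exit status, or -1 if the path
 * is rejected or the child could not be started. Assumes the web root is the
 * current directory. */
int run_cgi_hardened(const char *path)
{
    char exe[sizeof CGI_PREFIX + CGI_NAME_MAX + 3];
    pid_t pid;
    int status;

    if (!cgi_path_is_safe(path))
        return -1;
    snprintf(exe, sizeof exe, "./%s", path);

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { exe, NULL };
        char *const envp[] = { NULL };
        execve(exe, argv, envp);
        _exit(127);  /* exec failed; nothing else to do in the child */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed probe paths; webif.cgi is a hypothetical CGI name. */
    const char *probe[] = { "cgi-bin/;reboot", "cgi-bin/../etc/passwd",
                            "cgi-bin/webif.cgi", "index.asp" };
    size_t i;
    for (i = 0; i < sizeof probe / sizeof probe[0]; i++) {
        const char *cmd = build_cgi_command_vulnerable(probe[i]);
        printf("%-24s vulnerable would run: %-26s hardened accepts: %d\n",
               probe[i], cmd ? cmd : "(not a CGI path)",
               cgi_path_is_safe(probe[i]));
    }
    return 0;
}
```

The allowlist is deliberately stricter than "strip semicolons": blacklisting shell metacharacters misses the next one, whereas a fixed character set plus exec-without-shell removes the shell from the picture entirely. The CSRF side of the attack is untouched by this fix; the httpd still has to authenticate the request before dispatching anything.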

Missedit:
reply to Stem Bolt
Polarcloud appears to have pulled Tomato, so I'm not confident that Tomato isn't also affected. Anyone heard any response from them?

sivran:
reply to Stem Bolt
Some mitigation: Switching to the https interface will cause the browser to throw up an alert about the certificate.
Using ssh to set http_enable to 0 will disable the web interface entirely: nvram set http_enable=0
It can be turned back on by setting it to 1.

KodiacZiller:
reply to Fickey
said by Fickey:
said by KodiacZiller: Even though it affects DD-WRT, this exploit is not applicable to Tomato. Just in case anyone was wondering as I did.
Can you substantiate/elaborate on Tomato's immunity to this exploit? Is it just that HyperWRT isn't vulnerable?
The Tomato forums have a thread about this, and both responses said Tomato is not affected. Apparently there were xss protections implemented in Tomato 1.14.
www.linksysinfo.org/forums/showt···st349423
said by Missedit: Polarcloud appears to have pulled Tomato, so I'm not confident that Tomato isn't also affected. Anyone heard any response from them?
What do you mean they "pulled it?" I am on the page right now and I see both v 1.24 and 1.25 for download.
EDIT: Hmm, it seems you're right. I went to the source forge page to update my old v1.23 and it seems I am getting an error when attempting to download v1.25. However, this doesn't mean it has been "pulled." Could be a server error or what not.

KoRnGtL15:
When you go to dl a firmware file it will not work. That's why he said it might have been pulled as a safe guard until more information was known.

KodiacZiller:
According to the DD-WRT website:
quote: Note: The exploit can only be used from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As immediate action please disable the remote Web GUI management.
From this one can surmise that if you do not use remote web GUI management on Tomato, then Tomato would also be "immune."