
Ravenheart

join:2006-02-10
Berkeley, CA

2 edits

reply to therube

Re: Open-source firmware flaw exposes wireless routers - DD-WRT

I have one PC where the user customarily uses Opera rather than Firefox plus NoScript.

I thought a quick fix might be to make a top-level firewall rule on that machine to block outgoing port 80* to the router IP. Do you (or anybody) think that would cover it?

I have a nice, stable build of DD-WRT and don't want to rush into another one that might introduce other problems.

(Small edits for completeness.)

*Edit: And port 443. That'll fix it.

thrymr

join:2009-07-23
West Orange, NJ

said by Ravenheart:

I thought a quick fix might be to make a top-level firewall rule on that machine to block outgoing port 80* to the router IP. Do you (or anybody) think that would cover it?

I have a nice, stable build of DD-WRT and don't want to rush into another one that might introduce other problems.

There is a firewall rule to fix the vulnerability, posted to the DD-WRT home page:

insmod ipt_webstr
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset

Also, just to be clear, the vulnerability exists if you have httpd enabled at all, even if WAN access to HTTP management is disabled. Browser limitations on cross-site scripting offer some protection, as I understand it. A DD-WRT forum thread exists on the topic.


sivran
Back to Opera again
join:2003-09-15
Arlington, TX

1 edit

Eh, simply disabling the access does work. For example, disable http access and enable https: an http link won't work but an https one will.

Disabling both (nvram set http_enable 0; nvram set httpsd_enable 0; nvram commit (if you want it to survive a reboot)) results in the router shutting down the httpd process altogether (sensibly enough), eliminating any chance of exploitation.
Er, I looked again, and it didn't shut down the httpd. Don't mind me, I'm blind. It was right there on the ps listing after all. Still, it's not listening or responding to anything.

Switching to https-only though causes the browser to pop a certificate dialog, which is fair enough mitigation as long as you remember never to accept it permanently.

Anyway, I'd rather look into Tomato. DD-WRT's usage meter tends to die and stop recording at seemingly random intervals. This vuln is just one more (better) reason to do so.
--
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause...
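
Added example, not part of any post in this thread: a shell script that classifies a router against the mitigations discussed above (both http_enable and httpsd_enable set to 0, the webstr cgi-bin REJECT rule, or https-only). The function names, state labels and sample text are constructed for illustration, and reading the saved firewall commands from the rc_firewall nvram variable is an assumption about the build.

```shell
#!/bin/sh
# Added example: classify a DD-WRT router against the mitigations in this thread.
# Inputs are plain text (setting values and rule commands), so it runs offline.

# has_cgi_reject TEXT
# True if TEXT has an INPUT rule (-A or -I, not a -D delete, not a comment)
# that matches "cgi-bin" with webstr and jumps to REJECT.
has_cgi_reject() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        grep -Eq -e '-[AI] INPUT .*-m webstr .*--url cgi-bin .*-j REJECT'
}

# audit HTTP_ENABLE HTTPSD_ENABLE RULE_TEXT
# Prints one state: disabled, filtered, https-only or exposed.
audit() {
    if [ "$1" = 0 ] && [ "$2" = 0 ]; then
        echo disabled      # web interface switched off on both http and https
    elif has_cgi_reject "$3"; then
        echo filtered      # requests whose URL contains cgi-bin get a TCP reset
    elif [ "$1" = 0 ]; then
        echo https-only    # plain-http links fail; the certificate prompt remains
    else
        echo exposed       # http interface enabled and no filter rule found
    fi
}

# Constructed sample: the firewall commands quoted in the thread, as saved text.
SAMPLE_RULES='insmod ipt_webstr
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset'

# Constructed sample: only the delete line, which leaves no rule in place.
SAMPLE_DELETE_ONLY='iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset'

audit 1 1 "$SAMPLE_RULES"
audit 1 1 "$SAMPLE_DELETE_ONLY"

# On the router itself (rc_firewall holding the saved commands is an assumption):
#   audit "$(nvram get http_enable)" "$(nvram get httpsd_enable)" "$(nvram get rc_firewall)"
```

A "filtered" result from saved text only means the rule is configured; it does not show that the commands have run since the last reboot.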


over 12.5 years online © 1999-2012 dslreports.com.