DD-WRT Root exploit posted today

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Author Message
jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

Posted: Tue Jul 21, 2009 23:05
ct wrote:
jrock wrote:
Yeah I thought of that too, but not everybody uses .1 .


Come to think of it, if you can get to the computer's IP, you can probably also get to the default gateway's.


Not really. If they are on the target machine or have control of it, yes. But otherwise, how so? Explain.

My original post about being less vulnerable while not using the default address had to do with being less vulnerable to drive-by type CSRF attacks, which I believe will be the majority of exploits with this bug (pre-crafted links with the 192.168.1.1 address).

If we are talking about web browser vulnerabilities, ct, I don't know of any that will send network configuration to the host. As a matter of fact, even the machine's private IP would not be visible to the host. Only the public address would be shown.

I'm not saying the address could not be guessed; it just wouldn't be deduced the way you describe.
jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

Posted: Tue Jul 21, 2009 23:06
crashfly wrote:
ct wrote:
Come to think of it, if you can get to the computer's IP, you can probably also get to the default gateway's.

Not necessarily. *If* you are using the *standard* setup, then a "drive-by" hit and run would be easy. However, if you change your subnet mask (which possibly means a change in default gateway), or if you have a "non-standard" private IP address range, or even changing the gateway to the high end of the range, you would be fairly safe.


Thank you that was my point.
iVitor
DD-WRT User


Joined: 10 Jul 2009
Posts: 106

Posted: Tue Jul 21, 2009 23:43
Like it has been said, the remote server shouldn't be able to get your NAT addresses, but don't forget that scripts written in JavaScript run locally (on your machine) and not on the server side.
That is, although the remote server doesn't know your computer's NAT'ed IP address, a script is well capable of revealing it and automatically crafting and querying a "command" URL.

Still, I am not so sure how to retrieve the proper gateway information with JavaScript, mostly because I have never had to do that in the past...
jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

Posted: Wed Jul 22, 2009 0:29
iVitor wrote:
Like it has been said, the remote server shouldn't be able to get your NAT addresses, but don't forget that scripts written in JavaScript run locally (on your machine) and not on the server side.
That is, although the remote server doesn't know your computer's NAT'ed IP address, a script is well capable of revealing it and automatically crafting and querying a "command" URL.

Still, I am not so sure how to retrieve the proper gateway information with JavaScript, mostly because I have never had to do that in the past...


Yes I was going to bold 'web browser alone' in my post. I understand with javascript it could be a different story, or any plug-in for that matter.

I was more worried about an easily distributable embedded CSRF than sophisticated malicious Java apps. But you are correct.
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

Posted: Wed Jul 22, 2009 2:14
If you run Firefox with the plugin "NoScript", then 'cross-site' exploits will not be possible. Therefore it is reasonable to assume that even if I did not have the latest version, I would be relatively safe from having someone hack my router.
_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
Lumenary
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 1

Posted: Wed Jul 22, 2009 2:54    Post subject: Re: same
Howdy...


Long time DD-WRT forums reader, first time poster.


uid0 wrote:
I also was able to replicate this on DD-WRT v24-sp1 (07/27/08) std... obviously upgrading tonight.



Anyone know if the VINT builds are affected by this?


I'm running a very old (but hither-to very reliable) WRT54GS v. 1.0, 1.1, or 2.0. (It is so old it does not have a version number on the bottom label near the S/N and MAC address bar codes; I am thinking it's v1.1.)


I tried running v24-sp1, but kept experiencing various weirdnesses, so I replaced it with the v24-std VINTage build:

-- From DD-WRT "Info" front page:
-- Firmware: DD-WRT v24 (05/20/08) std


I've also tried poking at the router using the YT vid as a guide, but to this point I haven't been able to root it. However, this is probably more due to me fat-fingering something and less due to its robustness; I would presume that the VINT builds have the same (or a very, very similar) version of the httpd daemon installed...


Anyone try this exploit on a VINT-installed router to see what happens?


Best Regards,

Lumenary
TZ=EST/EDT
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

Posted: Wed Jul 22, 2009 2:55
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=55201
_________________
The New Me
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13049
Location: Behind The Reset Button

Posted: Wed Jul 22, 2009 3:01
The sky is falling...

This is all much ado about nothing.

This is an international community.

65,270 registered members. Right now, there are 129 guests online (guests = not registered) + the registered members.

Who has been hacked?

_________________
[Moderator Deleted] Shocked
jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

Posted: Wed Jul 22, 2009 3:21
barryware wrote:
The sky is falling...

This is all much ado about nothing.

This is an international community.

65,270 registered members. Right now, there are 129 guests online (guests = not registered) + the registered members.

Who has been hacked?


I see your point and nothing may become of it.

It still sucks knowing it's there.

It's kinda like finding out the type of locks on your house can be picked very easily, and the burglar community has been informed.

I'm changing the locks. Laughing
mbellot
DD-WRT User


Joined: 13 Jun 2006
Posts: 64

Posted: Wed Jul 22, 2009 5:09
Makes me glad I have a somewhat non-standard setup: my web GUI httpd runs on a port other than 80, which is probably enough to limit vulnerability.

Still it will definitely be worth upgrading when I get a chance.

_________________
WRT54GL modded to 32MB DRAM and 16MB Flash. Very Happy
freakalad
DD-WRT Novice


Joined: 03 Feb 2008
Posts: 10

Posted: Wed Jul 22, 2009 5:26    Post subject: +10 kudos
Great work, guys!

I always find the turn-around time on these projects astounding, especially DD-WRT.

By my count, it's been less than a week since the news hit the wires in any significant way, and already there's an effective fix.

I've simply disabled telnet & ssh when not in use, and disabled http(s) access to the device on non-LAN interfaces.
I hope that covers my bases

Keep up the great work!

- J
DarKing1985
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 2

Posted: Wed Jul 22, 2009 9:01
barryware wrote:


http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Fothers%2Feko%2FBrainSlayer-V24-preSP2%2F07-21-09-r12533/


Can someone tell me which file I need to download for the Linksys 150N V1.1? This is because it's not in the list of routers. :roll:

Edit: nevermind found it already:

http://www.dd-wrt.com/dd-wrtv2/downloads/others/eko/BrainSlayer-V24-preSP2/07-21-09-r12533/broadcom/dd-wrt.v24_std_generic.bin


Last edited by DarKing1985 on Wed Jul 22, 2009 9:25; edited 1 time in total
dexterslab
DD-WRT Novice


Joined: 15 Dec 2006
Posts: 21
Location: Greater Manchester, UK

Posted: Wed Jul 22, 2009 9:08
Can someone just confirm that this is the correct & fixed download for a WRT-54GL v1.1?

Code:
http://www.dd-wrt.com/dd-wrtv2/downloads/others/eko/BrainSlayer-V24-preSP2/07-21-09-r12533/broadcom/dd-wrt.v24_std_generic.bin


thanks
woleium
DD-WRT Novice


Joined: 17 Jun 2008
Posts: 16

Posted: Wed Jul 22, 2009 9:14    Post subject: Re: +10 kudos
freakalad wrote:
Great work, guys!
I've simply disabled telnet & ssh when not in use, and disabled http(s) access to the device on non-LAN interfaces.
I hope that covers my bases
- J


No, this is *NOT* enough. You must disable HTTP(S) *completely*, or upgrade the firmware.
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

Posted: Wed Jul 22, 2009 9:17
dexterslab wrote:
Can someone just confirm that this is the correct & fixed download for a WRT-54GL v1.1?

Code:
http://www.dd-wrt.com/dd-wrtv2/downloads/others/eko/BrainSlayer-V24-preSP2/07-21-09-r12533/broadcom/dd-wrt.v24_std_generic.bin


thanks


If you can do a normal flash then yes that will work. Not sure if that's the best for your specific router, but it will work.


Last edited by autobot on Wed Jul 22, 2009 9:20; edited 1 time in total
Page 4 of 15