DD-WRT Root exploit posted today

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3, 4, 5, 6 ... 13, 14, 15  Next
Author Message
DarKing1985
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 2

PostPosted: Wed Jul 22, 2009 9:17    Post subject:
dexterslab wrote:
Can someone just confirm that this is the correct and fixed download for a WRT-54GL v1.1?

Code:
http://www.dd-wrt.com/dd-wrtv2/downloads/others/eko/BrainSlayer-V24-preSP2/07-21-09-r12533/broadcom/dd-wrt.v24_std_generic.bin


thanks


It's the right firmware that will fix this issue.
dexterslab
DD-WRT Novice


Joined: 15 Dec 2006
Posts: 21
Location: Greater Manchester, UK

PostPosted: Wed Jul 22, 2009 9:38    Post subject:
Thanks guys, pretty sure I was using the std_generic build before and it works OK.
ct
DD-WRT Novice


Joined: 19 Jul 2006
Posts: 12
Location: Belgium

PostPosted: Wed Jul 22, 2009 11:41    Post subject:
jrock wrote:
ct wrote:
Come to think of it, if you can get to the computer's IP, you can probably also get to the default gateway's.


Not really. If they are on the target machine or have control of it, yes. But otherwise, how so? Explain.


Never mind, I don't know what I was smoking when I wrote that bit.
Wizzer
DD-WRT Novice


Joined: 16 Jul 2009
Posts: 23

PostPosted: Wed Jul 22, 2009 13:30    Post subject:
sigh - just started using dd-wrt and got my problem fixed and put DD-WRT v24-sp2 (07/10/09) std
(SVN revision 12476M NEWD Eko) on it, 3 days uptime and time to upgrade
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Wed Jul 22, 2009 13:42    Post subject:
Wizzer wrote:
sigh - just started using dd-wrt and got my problem fixed and put DD-WRT v24-sp2 (07/10/09) std
(SVN revision 12476M NEWD Eko) on it, 3 days uptime and time to upgrade


Ah...the Blues Song of the dd-wrt tester! :lol:

Welcome to the club.

redhawk

_________________
The only stupid question....is the unasked one.
OB1
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 25

PostPosted: Wed Jul 22, 2009 15:41    Post subject: Re: DD-WRT Root exploit posted today
sidewaysstarion wrote:

...
source http://milw0rm.org/exploits/9209
...


A quick fix would be changing the web admin GUI port (aka the httpd port) from 80 to some other arbitrary one. This way the straight link won't work, and to use the exploit an attacker would need to know the port used for the admin GUI.

HTH
OB1
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 25

PostPosted: Wed Jul 22, 2009 15:44    Post subject:
autobot wrote:
I made it sound worse than it is I believe, this only applies if you have enabled gui access over wan right?


Wrong. Something like this:

IMG SRC="http://192.168.1.1/cgi-bin/;exploit-command"

once opened by a browser sitting behind a DD-WRT box, will cause the browser to request the URL from the LAN IP of the router and trigger the exploit.
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

PostPosted: Wed Jul 22, 2009 15:45    Post subject: Re: DD-WRT Root exploit posted today
OB1 wrote:
sidewaysstarion wrote:

...
source http://milw0rm.org/exploits/9209
...


A quick fix would be changing the web admin GUI port (aka the httpd port) from 80 to some other arbitrary one. This way the straight link won't work, and to use the exploit an attacker would need to know the port used for the admin GUI.

HTH


I wouldn't really call that a "fix", as a scan with nmap would reveal the httpd. The quicker fix would be to update to the latest firmware, as this is fixed there.
OB1
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 25

PostPosted: Wed Jul 22, 2009 15:48    Post subject: Re: DD-WRT Root exploit posted today
autobot wrote:
OB1 wrote:
sidewaysstarion wrote:

...
source http://milw0rm.org/exploits/9209
...


A quick fix would be changing the web admin GUI port (aka the httpd port) from 80 to some other arbitrary one. This way the straight link won't work, and to use the exploit an attacker would need to know the port used for the admin GUI.

HTH


I wouldn't really call that a "fix", as a scan with nmap would reveal the httpd. The quicker fix would be to update to the latest firmware, as this is fixed there.


A scan from the INTERNAL NETWORK :) Remember, the hack works straight from the LAN interface; there's no need to have the admin GUI open to the WAN for it to work ... got it?
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

PostPosted: Wed Jul 22, 2009 15:48    Post subject:
OB1 wrote:
autobot wrote:
I made it sound worse than it is I believe, this only applies if you have enabled gui access over wan right?


Wrong. Something like this:

IMG SRC="http://192.168.1.1/cgi-bin/;exploit-command"

once opened by a browser sitting behind a DD-WRT box, will cause the browser to request the URL from the LAN IP of the router and trigger the exploit.


That was my understanding also, but that's not what Eko said here: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=326222#326222
OB1
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 25

PostPosted: Wed Jul 22, 2009 15:53    Post subject:
autobot wrote:
OB1 wrote:
autobot wrote:
I made it sound worse than it is I believe, this only applies if you have enabled gui access over wan right?


Wrong. Something like this:

IMG SRC="http://192.168.1.1/cgi-bin/;exploit-command"

once opened by a browser sitting behind a DD-WRT box, will cause the browser to request the URL from the LAN IP of the router and trigger the exploit.


That was my understanding also, but that's not what Eko said here: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=326222#326222


Saw it, but it's totally WRONG. Tried it myself with WAN httpd disabled and it WORKS; I suspect Eko didn't fully understand the issue. Also, it would be a good idea to post an alert on the site front page urging users to update to the latest firmware before someone starts using DD-WRT boxes as bots.

[edit]

If you want to try it yourself, do the following:

Set up a web page somewhere on the internet; on the
page add an IMG tag like the following one (add angle brackets as needed):

IMG SRC="http://192.168.1.1/cgi-bin/;init$IFS6"

or something like that. Then, using a vulnerable version of DD-WRT and a machine sitting behind the DD-WRT router, open that page.

The browser will see the IMG reference and attempt to fetch it, but the URL points to the LAN IP of the router, so the result is that the exploit is triggered and the command executed; in the above case you'd be sending an "init 6", but you may use whatever other command you want, including "nc" or anything else.
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12675

PostPosted: Wed Jul 22, 2009 16:25    Post subject:
OB1 wrote:
Saw it, but it's totally WRONG. Tried it myself with WAN httpd disabled and it WORKS; I suspect Eko didn't fully understand the issue. Also, it would be a good idea to post an alert on the site front page urging users to update to the latest firmware before someone starts using DD-WRT boxes as bots.


So... if Eko didn't understand the issue, is the issue fixed? Otherwise, there is no point in getting everyone to update.

_________________
SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Wed Jul 22, 2009 16:27    Post subject:
OB1 wrote:
autobot wrote:
OB1 wrote:
Wrong. Something like this:

IMG SRC="http://192.168.1.1/cgi-bin/;exploit-command"

once opened by a browser sitting behind a DD-WRT box, will cause the browser to request the URL from the LAN IP of the router and trigger the exploit.


That was my understanding also, but that's not what Eko said here: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=326222#326222


Saw it, but it's totally WRONG. Tried it myself with WAN httpd disabled and it WORKS; I suspect Eko didn't fully understand the issue. Also, it would be a good idea to post an alert on the site front page urging users to update to the latest firmware before someone starts using DD-WRT boxes as bots.

Eko's statement is incorrect. As I stated back on page 3, the example link to get a shell doesn't work by just putting it as an <img> source, because the backslash gets converted to its URL-encoded form, but other commands can be run, and there are likely other ways (JavaScript/Flash) to get the link opened for a shell.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
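For anyone watching their router or proxy logs for the request shape OB1 describes above (a cgi-bin path carrying a shell metacharacter after the slash), here is an added detection example that is not part of this thread or of DD-WRT: it percent-decodes the path first, which covers the URL-encoding phuzi0n mentions, and flags cgi-bin requests containing shell metacharacters. The log lines, addresses and command placeholder are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the forum). Line 2 has the
# cgi-bin/;command shape discussed in the thread, line 3 is the same request
# with the ';' percent-encoded, lines 1 and 4 are benign router requests.
SAMPLE_LOG = """\
192.168.1.100 - - [22/Jul/2009:15:41:00 +0000] "GET /index.asp HTTP/1.1" 200 5120
192.168.1.100 - - [22/Jul/2009:15:41:05 +0000] "GET /cgi-bin/;exploit-command HTTP/1.1" 200 0
192.168.1.101 - - [22/Jul/2009:15:41:09 +0000] "GET /cgi-bin/%3Bexploit-command HTTP/1.1" 200 0
192.168.1.102 - - [22/Jul/2009:15:42:00 +0000] "GET /cgi-bin/ping.cgi?host=8.8.8.8 HTTP/1.1" 200 310
"""

# Pulls the method and request target out of a common-log-format request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Shell metacharacters that never belong in a CGI path segment.
SHELL_META = set(';|&`$\n')


def is_suspicious_target(target: str) -> bool:
    """True if the request target is a /cgi-bin/ path carrying shell metacharacters."""
    path = target.split('?', 1)[0]          # ignore the query string, judge the path only
    # Decode twice so a double-encoded ';' (%253B) is caught as well as %3B.
    decoded = unquote(unquote(path))
    if not decoded.startswith('/cgi-bin/'):
        return False
    return any(ch in SHELL_META for ch in decoded)


def flag_requests(log_text: str) -> list:
    """Return (client_ip, decoded_target) for every flagged request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue                         # not a request line we can parse
        if is_suspicious_target(m.group('target')):
            client_ip = line.split(' ', 1)[0]
            hits.append((client_ip, unquote(m.group('target'))))
    return hits


if __name__ == '__main__':
    for ip, target in flag_requests(SAMPLE_LOG):
        print(f'suspicious cgi-bin request from {ip}: {target}')
```

Because the request in OB1's scenario originates from a LAN client, the flagged client IP points at the browser that loaded the hostile page, not at the attacker.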
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Wed Jul 22, 2009 16:29    Post subject:
Murrkf wrote:
So... if Eko didn't understand the issue, is the issue fixed? Otherwise, there is no point in getting everyone to update.

BS wrote the fix, not Eko. I'm loading up the new build to test that it's fixed right now.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
OB1
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 25

PostPosted: Wed Jul 22, 2009 16:34    Post subject:
phuzi0n wrote:
OB1 wrote:
autobot wrote:
OB1 wrote:
Wrong. Something like this:

IMG SRC="http://192.168.1.1/cgi-bin/;exploit-command"

once opened by a browser sitting behind a DD-WRT box, will cause the browser to request the URL from the LAN IP of the router and trigger the exploit.


That was my understanding also, but that's not what Eko said here: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=326222#326222


Saw it, but it's totally WRONG. Tried it myself with WAN httpd disabled and it WORKS; I suspect Eko didn't fully understand the issue. Also, it would be a good idea to post an alert on the site front page urging users to update to the latest firmware before someone starts using DD-WRT boxes as bots.

Eko's statement is incorrect. As I stated back on page 3, the example link to get a shell doesn't work by just putting it as an <img> source, because the backslash gets converted to its URL-encoded form, but other commands can be run, and there are likely other ways (JavaScript/Flash) to get the link opened for a shell.


Yes, milw0rm used the classic "kiddie protection" to avoid some lame folk using the exploit without understanding it, but aside from that, the exploit works, and it works without any need to have the web admin GUI open on the WAN interface.

Just imagine someone spreading a bunch of those URLs pointing to "192.168.1.1" on a number of blogs, forums, social networks and so on; it's easy to see that the attacker could quickly own quite a bunch of unpatched DD-WRT boxes. I'm not going to detail the full idea here, but I think you could put together a PoC quite quickly ;)
Page 5 of 15. All times are GMT.