sigh - just started using dd-wrt and got my problem fixed and put DD-WRT v24-sp2 (07/10/09) std
(SVN revision 12476M NEWD Eko) on it, 3 days uptime and time to upgrade
Joined: 04 Jan 2007 Posts: 11564 Location: Wherever the wind blows- North America
Posted: Wed Jul 22, 2009 13:42 Post subject:
Wizzer wrote:
sigh - just started using dd-wrt and got my problem fixed and put DD-WRT v24-sp2 (07/10/09) std
(SVN revision 12476M NEWD Eko) on it, 3 days uptime and time to upgrade
Ah...the Blues Song of the dd-wrt tester! :lol:
Welcome to the club.
redhawk _________________ The only stupid question....is the unasked one.
a quick fix would be changing the WEB admin gui port (aka the httpd port) from 80 to some other arbitrary one, this way the straight link won't work and to use the exploit an attacker would need to know the port used for the admin GUI
HTH
I wouldn't really call that a "fix", as a scan with nmap would reveal the httpd. The quicker fix would be to update to the latest firmware, as this is fixed there.
A scan from the INTERNAL NETWORK, remember; the hack works straight from the LAN interface, there's no need to have the admin GUI open to the WAN for it to work ... got it?
Saw it, but it's totally WRONG; I tried it myself with the WAN httpd disabled and it WORKS. I suspect Eko didn't fully understand the issue; also, it would be a good idea to post an alert on the site front page urging users to update to the latest firmware before someone starts using DD-WRT boxes as bots.
[edit]
If you want to try it by yourself do the following
setup a web page somewhere on the internet; on the
page add an IMG tag like the following one:
<IMG SRC="http://192.168.1.1/cgi-bin/;init$IFS6">
or something like that; then, using a vulnerable version of DD-WRT and a machine sitting behind the DD-WRT router, open that page.
The browser will see the IMG reference and attempt to fetch it, but the URL points to the LAN IP of the router, so the result is that the exploit is triggered and the command executed; in the above case you'd be sending an "init 6", but you may use whatever other command you want, including "nc" or whatever else.
So...if eko didn't understand the issue, is the issue fixed? Otherwise, there is no point in getting everyone to update. _________________ SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
saw it, but it's totally WRONG, tried it by myself, with WAN httpd disabled and it WORKS, I suspect Eko didn't fully understand the issue; also, it would be a good idea posting an alert on the site front page urging the users to update to the latest firmware before someone will start using DD-WRT boxes as bots
Eko's statement is incorrect. As I stated back on page 3, the example link to get a shell doesn't work by just putting it as an <img> source, because the backslash gets converted to its URL-encoded form, but other commands can be run, and there are likely other ways (JavaScript/Flash) to get the link opened for a shell. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
So...if eko didn't understand the issue, is the issue fixed? Otherwise, there is no point in getting everyone to update.
BS wrote the fix, not eko. I'm loading up the new build to test that it's fixed right now.
saw it, but it's totally WRONG, tried it by myself, with WAN httpd disabled and it WORKS, I suspect Eko didn't fully understand the issue; also, it would be a good idea posting an alert on the site front page urging the users to update to the latest firmware before someone will start using DD-WRT boxes as bots
Eko's statement is incorrect. As I stated back on page 3, the example link to get a shell doesn't work by just putting it as an <img> source because the backslash gets converted to its URL encoded form, but other commands can be ran and there's likely other ways (javascript/flash) to get the link opened for a shell.
Yes, m1lw0rm used the classic "kiddie protection" to avoid some lame folk using the exploit w/o understanding it, but aside from that, the exploit works, and it works without any need to have the web admin GUI opened on the WAN interface
Just imagine someone spreading a bunch of those URLs pointing to "192.168.1.1" on a number of blogs, forums, social networks and so on; it's easy to see that the attacker could quickly own quite a bunch of unpatched DD-WRT boxes. I'm not going to detail the full idea here, but I think you could put together a PoC quite quickly.