DD-WRT Root exploit posted today

DD-WRT Forum Index -> Broadcom SoC based Hardware
Author Message
VValdo
DD-WRT Novice


Joined: 13 Apr 2009
Posts: 24

PostPosted: Tue Jul 28, 2009 5:20
OB1 wrote:
As for changing the IP; yes, that may help too, but in some cases it may not be a viable option;


Agreed. It's a half-measure workaround.

OB1 wrote:
; referring to the remaining CSRF issue, an idea to help preventing it (aside from changing the admin port) would be modifying the web gui to require another authentication for "write" operation; I mean something like this:

you log on the gui; from that moment on you can browse the settings and so on

if you change one or more settings, as soon as you hit the "write" button, the GUI will popup an auth request and you'll have to reenter the credentials

this way, even if someone tries to play CSRF on an open admin page, the request will be blocked by the auth request; sure, such an approach may be annoying, but at least it may be a butt-saver <g>


I think a better way might be to have a session token passed by a cookie that must be included as part of the URL for any subsequent communication with the Web UI. It could be generated upon authorization and good for a limited period. So you'd just add something like the following to the URL whenever you talk back to the Web UI:

http://SERVER_IP/normalstuff&SESSION=66a934bbf3dfd9ff4316b443590872

Alternatively, the token could be passed back via GET rather than POST so that it's not viewable in the URL at all.

A new token could be passed for every UI page and then verified. It could expire after 5 minutes of no activity (configurable) or whatever. It would take a pretty serious bug in the browser to expose that cookie/form element, and as far as I could tell would make CSRF much harder.

(Note-- I'm not a security expert or anything, so maybe someone could point out a flaw, but seems like it would work.)

W
OB1
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 25

PostPosted: Tue Jul 28, 2009 8:17
VValdo wrote:

I think a better way might be to have a session token passed by a cookie that must be included as part of the URL for any subsequent communication

http://SERVER_IP/normalstuff&SESSION=66a934bbf3dfd9ff4316b443590872

Alternatively, the token could be passed back via GET rather than POST so that it's not viewable in the URL at all.


that may be a viable solution; although, given the fact that the use of port 80 should be deprecated, the URL should be something like

Code:

http://SERVER_IP:port/normalstuff&SESSION=66a934bbf3dfd9ff4316b443590872


now let's try to sum up things which should be added to the admin GUI

* the ability to change the admin port from GUI and something to ENFORCE such a change after the installation

* a security token embedded into the admin URLs

* a check when recalling pages which perform "commit" of changes to ensure the token is present/valid and that the page has been called using the "POST" verb and not the "GET" one

now, if someone would only turn the above into a "request for improvements" and submit it to the developers... Smile
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12675

PostPosted: Tue Jul 28, 2009 14:22
OB1 wrote:
now, if someone would only turn the above into a "request for improvements" and submit it to the developers... Smile


EKO and BS both have PM, if ONE person who understands this (not me) wanted to send them each a message. EKO is also by the forum fairly regularly and might have already seen this. However, a better way to approach it is to submit it as an enhancement in trac. It will get dealt with, one way or another, through trac.

_________________
SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
VValdo
DD-WRT Novice


Joined: 13 Apr 2009
Posts: 24

PostPosted: Wed Jul 29, 2009 2:46
Murrkf wrote:
OB1 wrote:
now, if someone would only turn the above into a "request for improvements" and submit it to the developers... Smile


EKO and BS both have PM, if ONE person who understands this (not me) wanted to send them each a message. EKO is also by the forum fairly regularly and might have already seen this. However, a better way to approach it is to submit it as an enhancement in trac. It will get dealt with, one way or another, through trac.


Murrkf, go for it. Here's basically the description:

ISSUE:

DD-WRT needs a form of session tracking to help fight CSRF attacks. This could work as follows:

1. Upon successful HTTP authentication, DD-WRT generates a session ID (md5 hash of a salted string generated from the authentication datestamp, for example). The session ID is returned to the browser as a cookie with a built-in expiration period. (which could be altered via the Security tab).

2. ALSO-- following successful authorization, all forms could include a HIDDEN form element containing the session ID (ie, POST), or it could be included in the URL as &SESSIONID=WHATEVER (ie, GET). Or just use the cookie. The goal is to track the session across connections.

3. Any "trusted" interaction with the Web Interface should verify the session ID was passed back to the server. The server should ask for authorization to any connection that does not provide the Session ID.

4. The server should invalidate/no longer accept the Session ID token after the expiration period.

That's it. Hope it makes sense.

W
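The four-step scheme in the ISSUE description above, together with the token-in-every-form and POST-only commit checks summed up earlier in the thread, as an added example in Python. This is not code from the thread or from the DD-WRT httpd; the names (SessionStore, authorize_commit, hidden_field, the SESSIONID cookie and field) and the 30-minute lifetime are assumptions made for the example, and a CSPRNG token (secrets.token_hex) is deliberately substituted for the proposed md5-of-a-salted-datestamp, since a value derived from the login time can be narrowed down by anyone who knows roughly when the admin logged in. The form token is carried as a hidden POST field rather than in the URL, so it does not end up in proxy logs or the browser history.

```python
import hmac
import secrets
import time

# Constructed value for this example: the cookie's built-in expiration period,
# which the proposal says would be adjustable from the Security tab.
SESSION_LIFETIME = 30 * 60  # seconds


class SessionStore:
    """Server-side table of session IDs handed out after HTTP authentication (step 1)."""

    def __init__(self, lifetime=SESSION_LIFETIME, now=time.time):
        self.lifetime = lifetime
        self.now = now           # injectable clock, so expiry can be exercised without waiting
        self.sessions = {}       # session_id -> (user, issued_at)

    def create(self, user):
        # Random, unguessable ID; stands in for the proposal's "md5 of a salted datestamp"
        # (a login-time-derived value is guessable by anyone who knows when the admin logged in).
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, self.now())
        return sid

    def set_cookie_header(self, sid):
        # Cookie with a built-in expiration (Max-Age); HttpOnly keeps page scripts from
        # reading it and SameSite=Strict stops browsers attaching it to cross-site requests.
        return "Set-Cookie: SESSIONID=%s; Max-Age=%d; HttpOnly; SameSite=Strict" % (
            sid, self.lifetime)

    def lookup(self, sid):
        """Return the user behind a live session, or None if unknown or expired (step 4)."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, issued_at = entry
        if self.now() - issued_at > self.lifetime:
            del self.sessions[sid]   # token is no longer accepted once the period has passed
            return None
        return user


def hidden_field(sid):
    """Hidden form element carrying the session ID, emitted into every settings form (step 2)."""
    return '<input type="hidden" name="SESSIONID" value="%s">' % sid


def authorize_commit(store, method, cookies, form):
    """Gate for any 'write/commit' request (step 3 plus the POST-only rule).

    cookies and form are plain dicts of what the request carried. Returns (allowed, reason).
    """
    if method != "POST":
        return False, "commit must be sent with POST, not GET"
    cookie_sid = cookies.get("SESSIONID")
    user = store.lookup(cookie_sid) if cookie_sid else None
    if user is None:
        return False, "no live session: ask for authorization again"
    form_sid = form.get("SESSIONID", "")
    # A cross-site form post carries the victim's cookie automatically, but the attacking
    # page cannot read that cookie to fill in the hidden field, so the two must agree.
    if not hmac.compare_digest(form_sid.encode(), cookie_sid.encode()):
        return False, "session token missing from form or does not match cookie"
    return True, "commit allowed for %s" % user


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("admin")
    print(store.set_cookie_header(sid))
    print(hidden_field(sid))
    # Legitimate commit from the admin's own page, a forged cross-site POST that
    # carries only the cookie, and a bare GET of the commit URL.
    print(authorize_commit(store, "POST", {"SESSIONID": sid}, {"SESSIONID": sid}))
    print(authorize_commit(store, "POST", {"SESSIONID": sid}, {}))
    print(authorize_commit(store, "GET", {"SESSIONID": sid}, {"SESSIONID": sid}))
```

The check that matters is the last one in authorize_commit: the browser attaches the cookie to any request, including one a third-party page triggers, but only a page served by the router can read the session ID into the hidden field, so requiring both to match is what defeats the forged request. The lookup also drops the server-side entry the first time it is seen after the lifetime, so an expired cookie cannot be replayed even if the browser keeps it.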
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12675

PostPosted: Wed Jul 29, 2009 3:35
VValdo wrote:

Murrkf, go for it. Here's basically the description:



No way! You think I understand this stuff!!! I'm just a HO with a posting problem!

YOU do it. Anyone can open a trac account. Cool

VValdo
DD-WRT Novice


Joined: 13 Apr 2009
Posts: 24

PostPosted: Wed Jul 29, 2009 4:46
Murrkf wrote:
VValdo wrote:

Murrkf, go for it. Here's basically the description:



No way! You think I understand this stuff!!! I'm just a HO with a posting problem!

YOU do it. Anyone can open a trac account. Cool


But- but- you're a GURU! I'm a novice!

Speaking of security holes, anyone notice the main server is down? DDoS? Someone trying to prevent people from finding the new firmware?

Or is it something benign? Anyway... I noticed that there haven't been any advisories from CERT regarding this flaw as of yet.

W
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12675

PostPosted: Wed Jul 29, 2009 13:05
VValdo wrote:
Murrkf wrote:

No way! You think I understand this stuff!!! I'm just a HO with a posting problem!

YOU do it. Anyone can open a trac account. Cool


But- but- you're a GURU! I'm a novice!


"Guru" doesn't mean nothing. Do it.

VValdo
DD-WRT Novice


Joined: 13 Apr 2009
Posts: 24

PostPosted: Sat Aug 01, 2009 0:10
Done.

http://svn.dd-wrt.com:8000/dd-wrt/ticket/1186

W
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Sat Aug 01, 2009 7:19
Besides fixing the exploit Brainslayer could run the server as a different user with less privileges.

I successfully reconfigured my reverse proxy which is running on the router and is in fact the one listening to the Internet for http-requests. If someone is able to hack it he would still be limited in the damage he's able to cause.

The http-server (unlike my proxy) still needs some privileges to do the configuration changes which may take a lot of work to find out.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=37958&start=30

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
adx
DD-WRT User


Joined: 08 Apr 2007
Posts: 123

PostPosted: Sat Aug 01, 2009 7:45
Sigh.. this creates a lot of work, not to mention downtime. I have many routers; just a few days before this they were all flashed to the stable build suggested in the Peacock thread, because according to the thread SP1 is not stable enough.

Then I found this! Do I need to upgrade the routers behind the main one (gateway), or is it enough with the main router only? I wish I could use the firewall rules, but that renders chillispot's cgi-bin useless. How about routers which I use as WDS nodes only? Do they need to be upgraded also?

Please advise.

_________________
- adx -
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Sat Aug 01, 2009 7:58
Just upgrade the ones that are listening to the Internet (either directly or through a portforward).
Xymox
DD-WRT User


Joined: 02 Mar 2009
Posts: 144
Location: Phoenix, Az

PostPosted: Sun Aug 02, 2009 22:02
Maybe this was already covered.

At the very least, time out the access.

Currently once you authenticate if you leave the browser window open for days browsing other sites and come back it does not ask you for authentication again. This allows anyone to later access the router if the window has not been closed.

At least just time it out. I'm sure that's easy to do.

_________________
Mikrotik RB450G / 750G / 800 / WRT54G-TM / Ubiquity Bullet2HP / Ubiquity Bullet M5
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

PostPosted: Sun Aug 02, 2009 22:20
That is actually not a bad idea Xymox. Possibly a user configured timeout of no more than 5 minutes. If a person cannot get it done in that amount of time, then re-authenticate the user.
_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
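The idle timeout the two posts above ask for (a browser window left open for days should not still be authenticated) with the user-configurable, at-most-5-minutes ceiling suggested in the reply, as an added Python example that is not code from the thread or from the DD-WRT httpd. The names (IdleSessions, touch, replay_open_window, FakeClock) and the manually advanced clock are assumptions made for the example; it models a sliding window, measured from the last request rather than from login, which is what "if you leave it and come back, ask again" implies.

```python
import secrets
import time

MAX_IDLE_TIMEOUT = 5 * 60   # configurable by the user, but capped at 5 minutes as suggested


def valid_idle_timeout(seconds, max_timeout=MAX_IDLE_TIMEOUT):
    """True if a configured idle timeout is within the allowed range."""
    return 0 < seconds <= max_timeout


class FakeClock:
    """Manually advanced clock, so the 'window left open for days' case can be replayed."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class IdleSessions:
    """Authenticated sessions that lapse after a period with no requests (sliding window)."""

    def __init__(self, idle_timeout=MAX_IDLE_TIMEOUT, now=time.time):
        if not valid_idle_timeout(idle_timeout):
            raise ValueError("idle timeout must be between 1 and %d seconds" % MAX_IDLE_TIMEOUT)
        self.idle_timeout = idle_timeout
        self.now = now
        self.last_seen = {}      # session id -> time of the most recent request

    def login(self):
        sid = secrets.token_hex(16)
        self.last_seen[sid] = self.now()
        return sid

    def touch(self, sid):
        """Call on every authenticated request. Returns True and refreshes the idle clock if
        the session is live; returns False (and forgets the session) once it has idled out,
        at which point the httpd should send its authentication challenge again."""
        last = self.last_seen.get(sid)
        if last is None:
            return False
        if self.now() - last > self.idle_timeout:
            del self.last_seen[sid]
            return False
        self.last_seen[sid] = self.now()
        return True


def replay_open_window(idle_timeout=MAX_IDLE_TIMEOUT):
    """Replay the scenario from the post: active use, then the window left open for days.
    Returns the touch() outcomes in order."""
    clock = FakeClock()
    sessions = IdleSessions(idle_timeout, now=clock)
    sid = sessions.login()
    outcomes = []
    clock.advance(idle_timeout - 60)          # still inside the window: live, clock refreshed
    outcomes.append(sessions.touch(sid))
    clock.advance(idle_timeout - 60)          # measured from the last request, so still live
    outcomes.append(sessions.touch(sid))
    clock.advance(3 * 24 * 3600)              # three days idle: must re-authenticate
    outcomes.append(sessions.touch(sid))
    outcomes.append(sessions.touch(sid))      # session is gone, not merely paused
    return outcomes


if __name__ == "__main__":
    print(replay_open_window())   # [True, True, False, False]
```

Because the server forgets the session on the first request after the gap, the stale browser tab cannot be used by whoever sits down at that machine later; the next click gets the login prompt instead of the settings page. Note that this only limits the window of exposure; it does not by itself stop a forged request made while the session is still live, which is what the token scheme discussed earlier in the thread is for.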
Xymox
DD-WRT User


Joined: 02 Mar 2009
Posts: 144
Location: Phoenix, Az

PostPosted: Sun Aug 02, 2009 23:14
It does not solve the issue of course, but this could be implemented right away to at least minimize exposure to the time out period. I think. But I'm no expert.

No matter what, it should time out at some interval. I would think this would be very easy to implement by BS or Eko.

mono
DD-WRT Novice


Joined: 09 Dec 2006
Posts: 31

PostPosted: Sun Feb 07, 2010 21:28
It is troubling to me that this exploit existed for as long as it did before I realized it, today.

Is there a mailing list we can get on that exclusively serves to inform of (new) exploits to DD-WRT? If not, might I suggest one be started?
Page 13 of 15. All times are GMT.