and press "Save Firewall", then reboot your router.
This rule blocks any attempt to access something that has "cgi-bin" in the URL.
You can prove that the rule works by entering http://192.168.1.1/cgi-bin/;reboot in your browser. That should give a "Connection was reset" (Firefox).
Important Note: this does not work if https management is turned on.
You need to turn off https management. If you don't want to do that, PLEASE UPDATE. _________________ NewMedia-NET GmbH
Christian Scheele (CEO)
http://www.dd-wrt.com
Last edited by chris on Thu Jul 23, 2009 13:24; edited 5 times in total
........................
Two issues there:
1) No metacharacters handling
2) Command gets executed even without successful authentication.
You are not going to see any output if not authenticated though.
.......................
Now let's sum up (1), (2) and (3). Any unauthenticated attacker that can
connect to the management web interface can easily get root on the device via
his browser with a URL like:
There is a catch though: whitespaces break it. Anyway, they can be easily
replaced with shell variable like $IFS. So, getting root shell at 5555/tcp
becomes as easy as typing this in your browser's url bar:
Fortunately, httpd by default does not listen on the outbound interface.
However, this vulnerability can be exploited via a CSRF attack (the dd-wrt
device's owner does not even need to have an authenticated session on the web
UI, which is bad, bad). However, a basic authentication dialog will appear. In
IE even this can be suppressed, see this one:
Unlike the already documented CSRF vulnerability (
http://www.securityfocus.com/bid/32703 ) this DOES NOT need an authenticated
session. This means someone can even post some crafted [img] link on a forum
and a dd-wrt router owner visiting the forum will get owned.
A weird vulnerability you're unlikely to see in 2009. Quite embarrassing, I
would say.
I reproduced this on Eko's broadcom 12476 build. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
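A detection-side companion to the advisory excerpt quoted above, added here and not part of the thread or of DD-WRT itself: it scans access-log lines (the log format and the sample lines are constructed) for requests to /cgi-bin/ whose decoded path carries shell metacharacters, the pattern the advisory describes, including the $IFS substitution.

```python
"""Flag httpd requests matching the DD-WRT cgi-bin command-injection pattern.

Added example, not code from the forum thread or the DD-WRT project. It looks
for requests to /cgi-bin/ whose URL-decoded path contains shell metacharacters
(';', '|', '&', backtick, '$'), which covers the ';reboot' test URL from the
thread and the $IFS whitespace trick mentioned in the advisory.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format; not from a real device.
SAMPLE_LOG = """\
192.168.1.20 - - [23/Jul/2009:13:24:01 +0200] "GET /index.asp HTTP/1.1" 200 5120
192.168.1.20 - - [23/Jul/2009:13:24:05 +0200] "GET /cgi-bin/;reboot HTTP/1.1" 200 0
192.168.1.33 - - [23/Jul/2009:13:25:10 +0200] "GET /cgi-bin/%3Becho$IFShello HTTP/1.1" 200 0
192.168.1.33 - - [23/Jul/2009:13:26:00 +0200] "GET /cgi-bin/status.cgi HTTP/1.1" 401 0
"""

# Pulls method and path out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Shell metacharacters that have no business in a cgi-bin path on this httpd.
META_RE = re.compile(r'[;|&`$]')

def is_suspicious(path):
    """True when the URL-decoded path targets cgi-bin and carries metacharacters.

    Decoding first matters: '%3B' is ';' once the server decodes it.
    """
    decoded = unquote(path)
    return "cgi-bin" in decoded and META_RE.search(decoded) is not None

def scan_log(text):
    """Return (client_ip, decoded_path) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        if is_suspicious(match.group("path")):
            hits.append((line.split()[0], unquote(match.group("path"))))
    return hits

if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"suspicious cgi-bin request from {ip}: {path}")
```

Requests that only hit an unprivileged path such as /cgi-bin/status.cgi are left alone, so the check is specific to the injection shape rather than to cgi-bin traffic in general.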
I am at a loss for words really, this is horrible. A patch will be out soon, but for all those who won't know this it's a HUGE issue. Think of the number of affected devices, this is a mini code red.
I made it sound worse than it is I believe, this only applies if you have enabled gui access over wan right?
Well, as I understand it, yes. Then again, assuming I understand correctly, a malicious web page on the Internet could use a cross-site request forgery (CSRF) to get the user's browser to load the page at 192.168.1.1 with a crafted URL to open up WAN access, at which point you're in trouble.
An authentication message may pop up, but the article points out that it can be suppressed in IE so the user would have no way of knowing they've been owned.