DD-WRT Root exploit posted today

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3, ... 13, 14, 15  Next
Author Message
uid0
DD-WRT Novice


Joined: 21 Jul 2009
Posts: 10

PostPosted: Tue Jul 21, 2009 0:23    Post subject: same Reply with quote
I also was able to replicate this on DD-WRT v24-sp1 (07/27/0Cool std... obviously upgrading tonight.
Sponsor
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

PostPosted: Tue Jul 21, 2009 0:26    Post subject: Re: same Reply with quote
uid0 wrote:
I also was able to replicate this on DD-WRT v24-sp1 (07/27/0Cool std... obviously upgrading tonight.


Wait for the new builds.
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Tue Jul 21, 2009 0:33    Post subject: Re: same Reply with quote
autobot wrote:
uid0 wrote:
I also was able to replicate this on DD-WRT v24-sp1 (07/27/0Cool std... obviously upgrading tonight.


Wait for the new builds.


Wonder if EKO is working on it too?

_________________
The New Me
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

PostPosted: Tue Jul 21, 2009 0:48    Post subject: Re: same Reply with quote
DHC_DarkShadow wrote:
autobot wrote:
uid0 wrote:
I also was able to replicate this on DD-WRT v24-sp1 (07/27/0Cool std... obviously upgrading tonight.


Wait for the new builds.


Wonder if EKO is working on it too?


Yes I'm certain, he works too hard to leave this exploit active.
Mordak
DD-WRT Guru


Joined: 27 Dec 2007
Posts: 932
Location: Orange, MA

PostPosted: Tue Jul 21, 2009 1:01    Post subject: Reply with quote
It's good to know this is known and taken care of already. Who knows how long some the manufacturers would have taken to address and fix this. Long live Linux, DD-WRT, and OSS. Very Happy
_________________

6 X WRT54G-TM
1 X WRT54G V1.0
1 X WRT54G V2.2
1 X WRT54G V5.0
2 X WRT54GS V1.0
2 X WRT54GS V1.1
1 X WRT54GS V2.0
1 X WRT160NL v1.0
1 X WRT320N
2 X WRT350N
1 X WRT600N v1.0
2 X WRT610N v1.0
1 X E1500
phuque99
DD-WRT User


Joined: 20 Oct 2008
Posts: 446

PostPosted: Tue Jul 21, 2009 13:23    Post subject: Reply with quote
Was there a commitment to post a build today to fix the exploit?
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13049
Location: Behind The Reset Button

PostPosted: Tue Jul 21, 2009 13:38    Post subject: Reply with quote
I watched the u-tube video and read the linked articles in the post.

Is your router still vulnerable from the wan side if you do not have any remote access enabled? Doesn't look like it but I'm not sure.

_________________
[Moderator Deleted] Shocked
axelm
DD-WRT User


Joined: 03 Oct 2008
Posts: 313

PostPosted: Tue Jul 21, 2009 14:24    Post subject: Reply with quote
Imho, opening httpd on the WAN interface is a lame mistake considering that SSH is available.

I am more worried about getting hacked from inside my trusted office network.
Mordak
DD-WRT Guru


Joined: 27 Dec 2007
Posts: 932
Location: Orange, MA

PostPosted: Tue Jul 21, 2009 14:55    Post subject: Reply with quote
axelm wrote:
Imho, opening httpd on the WAN interface is a lame mistake considering that SSH is available.

I am more worried about getting hacked from inside my trusted office network.

Agreed. I have never used httpd remotely anyway always sshd. Not to say that ssh couldn't be exploited at some point too. I rarely need to administer remotely as a rule.

_________________

6 X WRT54G-TM
1 X WRT54G V1.0
1 X WRT54G V2.2
1 X WRT54G V5.0
2 X WRT54GS V1.0
2 X WRT54GS V1.1
1 X WRT54GS V2.0
1 X WRT160NL v1.0
1 X WRT320N
2 X WRT350N
1 X WRT600N v1.0
2 X WRT610N v1.0
1 X E1500
ct
DD-WRT Novice


Joined: 19 Jul 2006
Posts: 12
Location: Belgium

PostPosted: Tue Jul 21, 2009 20:36    Post subject: Reply with quote
This is more than awkward. Please provide a resolution, as this really is the sort of thing that could give DD-WRT a hackjob image.
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13049
Location: Behind The Reset Button

PostPosted: Tue Jul 21, 2009 20:43    Post subject: Reply with quote
ct wrote:
This is more than awkward. Please provide a resolution, as this really is the sort of thing that could give DD-WRT a hackjob image.


BS posted new build(s) this morning.

_________________
[Moderator Deleted] Shocked
ct
DD-WRT Novice


Joined: 19 Jul 2006
Posts: 12
Location: Belgium

PostPosted: Tue Jul 21, 2009 20:50    Post subject: Reply with quote
barryware wrote:
BS posted new build(s) this morning.


Not to the download page, and certainly not to the front page. Nip this thing in the bud, guys. Just trying to offer some constructive criticism.
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13049
Location: Behind The Reset Button

PostPosted: Tue Jul 21, 2009 20:57    Post subject: Reply with quote
ct wrote:
barryware wrote:
BS posted new build(s) this morning.


Not to the download page, and certainly not to the front page. Nip this thing in the bud, guys. Just trying to offer some constructive criticism.


Look again daddio... These are not official releases. PRE-SP2 releases.

http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Fothers%2Feko%2FBrainSlayer-V24-preSP2%2F07-21-09-r12533/

_________________
[Moderator Deleted] Shocked
ct
DD-WRT Novice


Joined: 19 Jul 2006
Posts: 12
Location: Belgium

PostPosted: Tue Jul 21, 2009 21:00    Post subject: Reply with quote
barryware wrote:
Look again daddio... These are not official releases. PRE-SP2 releases.

http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Fothers%2Feko%2FBrainSlayer-V24-preSP2%2F07-21-09-r12533/


That's exactly what I meant. You shouldn't have to dig for them. Personally, I'd patch the v24 SP1 source code, recompile and issue SP1a or something. Not everybody's going to trust a prerelease version.
jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

PostPosted: Tue Jul 21, 2009 21:11    Post subject: Reply with quote
ct wrote:
barryware wrote:
Look again daddio... These are not official releases. PRE-SP2 releases.

http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Fothers%2Feko%2FBrainSlayer-V24-preSP2%2F07-21-09-r12533/


That's exactly what I meant. You shouldn't have to dig for them. Personally, I'd patch the v24 SP1 source code, recompile and issue SP1a or something. Not everybody's going to trust a prerelease version.


Reading over this thread, I agree.

The latest advertised downloads need to be updated or patched.

As I type there are probably hundreds of people downloading v24sp1 having no idea of this vulnerability.
Goto page Previous  1, 2, 3, ... 13, 14, 15  Next Display posts from previous:    Page 2 of 15
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum