DD-WRT Root exploit posted today

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3, 4 ... 13, 14, 15  Next
Author Message
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12676

PostPosted: Tue Jul 21, 2009 21:14    Post subject: Reply with quote
jrock wrote:

As I type there are probably hundreds of people downloading v24sp1 having no idea of this vulnerability.


It's NOT the only bug they'll find...... Razz

_________________
SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
Sponsor
jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

PostPosted: Tue Jul 21, 2009 21:26    Post subject: Reply with quote
Murrkf wrote:
jrock wrote:

As I type there are probably hundreds of people downloading v24sp1 having no idea of this vulnerability.


It's NOT the only bug they'll find...... Razz


True, point and humor taken. Wink

..buuut it might be the only one capable of taking down or worse compromsing without knowledge thousands if not tens of thousands of LANs.


Last edited by jrock on Wed Jul 22, 2009 3:12; edited 1 time in total
ct
DD-WRT Novice


Joined: 19 Jul 2006
Posts: 12
Location: Belgium

PostPosted: Tue Jul 21, 2009 21:30    Post subject: Reply with quote
Murrkf wrote:
It's NOT the only bug they'll find...... Razz


Hopefully, not every bug will be this critical.
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Tue Jul 21, 2009 21:30    Post subject: Reply with quote
I think t his vulnerability may be misunderstand by a lot of people.

We need to find out if dd-wrt is fine if http isn't open to the internet. Does anyone know?

_________________
The New Me
jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

PostPosted: Tue Jul 21, 2009 21:36    Post subject: Reply with quote
DHC_DarkShadow wrote:
I think t his vulnerability may be misunderstand by a lot of people.

We need to find out if dd-wrt is fine if http isn't open to the internet. Does anyone know?


Read the thread..

I believe original post states that it is not directly exploitable via WAN port but it IS with a CSRF spoof. Meaning somebody could embed a bad link on any webpage you view and it will be sent to the router. Even worse is there is no authentication needed as previous CSRF exploits.

Please read the first post again.

I just realized you may have meant something else... srry if you did..

From what I've gathered the only way right now to squash this is to stop the httpd service on the router all together (no web config). Or install the very latest beta build referenced in this thread.


Last edited by jrock on Tue Jul 21, 2009 21:44; edited 2 times in total
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Tue Jul 21, 2009 21:40    Post subject: Reply with quote
DHC_DarkShadow wrote:
We need to find out if dd-wrt is fine if http isn't open to the internet. Does anyone know?

If you run httpd at all, you're vulnerable. The particular 'netcat to get a shell' crafted example link doesn't appear to work when used in a browser (ie. a forum img src) because the backslash gets convert to its URL encoded form, but the command is still ran and other commands can be ran just by posting a crafted link on a web page.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Tue Jul 21, 2009 21:43    Post subject: Reply with quote
jrock wrote:
DHC_DarkShadow wrote:
I think t his vulnerability may be misunderstand by a lot of people.

We need to find out if dd-wrt is fine if http isn't open to the internet. Does anyone know?


Read the thread..

I believe original post states that it is not directly exploitable via WAN port but it IS with a CSRF spoof. Meaning somebody could embed a bad link on any webpage you view and it will be sent to the router. Even worse is there is no authentication needed as previous CSRF exploits.

Please read the first post again.

I just realized you may have meant something else... srry if you did..

From what I've gathered the only way right now to squash this is to stop the httpd service on the router all together (no web config).


My bad. Embarassed

_________________
The New Me
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Tue Jul 21, 2009 21:46    Post subject: Reply with quote
Murrkf wrote:
jrock wrote:

As I type there are probably hundreds of people downloading v24sp1 having no idea of this vulnerability.


It's NOT the only bug they'll find...... Razz

This is worse than bricking routers imo. We may start seeing router based botnets because of this. I have no idea what criteria BS uses in deciding to release new official builds but I sure hope this pushes him to finally release a SP2 final.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
iVitor
DD-WRT User


Joined: 10 Jul 2009
Posts: 94

PostPosted: Tue Jul 21, 2009 21:47    Post subject: Reply with quote
DHC_DarkShadow wrote:
We need to find out if dd-wrt is fine if http isn't open to the internet. Does anyone know?
The thing is, any site can have content hosted under another ip or a script that internally loads an url, in this case something to retrieve from an url along the lines of http://192.168.1.1/cgi-bin/;some_command .

Do note that while your browser fetches the non-existent content at that url, it will be unknowingly parsing a command to your router at that ip. (example: if an image tag contains http://192.168.1.1/cgi-bin/;some_command, the browser will attempt to retrieve an image from that location, but will actually be giving a command to your router)

As long as you have the webif available you are exploitable, regardless of how you set the remote access -- it will be your local computer parsing the exploited url, not a remote one.

Still, blacklisting your router ip in your browser may be an effective temporary fix. (just remember to "un-blacklist" it to access the webif)

Edit: I see I took too much time writing this and there are already some replies..
jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

PostPosted: Tue Jul 21, 2009 21:59    Post subject: Reply with quote
I'm thinking people who choose to NOT use the standard address of 192.168.1.1 will be less effected by most exploits also.

Am I correct in assuming this?
ct
DD-WRT Novice


Joined: 19 Jul 2006
Posts: 12
Location: Belgium

PostPosted: Tue Jul 21, 2009 22:06    Post subject: Reply with quote
jrock wrote:
I'm thinking people who choose to NOT use the standard address of 192.168.1.1 will be less effected by most exploits also.

Am I correct in assuming this?


It's not too hard to get the computer's IP and replace the last number with 1, but yes, it might help.
jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

PostPosted: Tue Jul 21, 2009 22:16    Post subject: Reply with quote
ct wrote:
jrock wrote:
I'm thinking people who choose to NOT use the standard address of 192.168.1.1 will be less effected by most exploits also.

Am I correct in assuming this?


It's not too hard to get the computer's IP and replace the last number with 1, but yes, it might help.


Yeah I thought of that too, but not everybody uses .1 . And with the nature of this problem I imagine 99.99% of exploits will be drive-by website hits with pre-crafted URLs.

Thanks for the feedback.
ct
DD-WRT Novice


Joined: 19 Jul 2006
Posts: 12
Location: Belgium

PostPosted: Tue Jul 21, 2009 22:20    Post subject: Reply with quote
jrock wrote:
Yeah I thought of that too, but not everybody uses .1 .


Come to think of it, if you can get to the computer's IP, you can probably also get to the default gateway's.
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

PostPosted: Tue Jul 21, 2009 22:27    Post subject: Reply with quote
ct wrote:
Come to think of it, if you can get to the computer's IP, you can probably also get to the default gateway's.

Not necessarily. *If* you are using the *standard* setup, then a "drive-by" hit and run would be easy. However, if you change your subnet mask (which possibly means a change in default gateway), or if you have a "non-standard" private IP address range, or even changing the gateway to the high end of the range, you would be fairly safe.

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
saso
DD-WRT Novice


Joined: 15 Jan 2008
Posts: 10

PostPosted: Tue Jul 21, 2009 22:32    Post subject: Reply with quote
i vote for more secure default settings (some of this are already set by default as preferred, but not all):

1. wan access to router off by default
2. wireless access to router off by default
3. https only access to router by default
4. must to set an personal password on first use
5. captcha like test on every login to break malware/attacks automation
6. having proper protection for this one would also be nice http://www.securityfocus.com/bid/32703/info


PS can someone test if the use of https only blocks this attack?


Last edited by saso on Wed Jul 22, 2009 7:35; edited 1 time in total
Goto page Previous  1, 2, 3, 4 ... 13, 14, 15  Next Display posts from previous:    Page 3 of 15
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum