dd-wrt Remote Root Vuln
I know a number of people around here run dd-wrt so I thought I'd point this out just-in-case anyone had missed it:
Open-source firmware vuln exposes wireless routers - The Register
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Only v24sp1 and below are vulnerable. I upgraded a test router to sp2 and the attack did not work. The exploit is already in msf-svn as well. One of our members and a metasploit contributer wrote a excellent article on a pivot attack and using the dd-wrt sploit.
Security and Networking - Blog - Using Metasploit DD-WRT Exploit Module Thru*Pivot
Awesome.
Now if the dd-wrt guys would just release a SP2 final or a revised SP1 (sp1a or something) we'd be set. Index of /dd-wrtv2/downloads/others/eko/BrainSlayer-V24-preSP2/07-21-09-r12533/ is supposed to be a patched version but supported models seem limited (i.e.: only one specific Linksys listed).
It should be noted that there is also a iptable rule you can set on your dd-wrt device to block execution from cgi-bin as a stop gap (though it can only be used if HTTPS admin is NOT enabled).
The exploit also could be stopped, using a firewall rule.
Go to your router, "Administration", "Commands" and enter the follwing text:
insmod ipt_webstr
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
and press "Save Firewall", then reboot your router.
This rule blocks any try to access sth that has "cgi-bin" in the url.
You can proove, that the rule works by entering: http://192.168.1.1/cgi-bin/;reboot in your browser. That should give a "Connection was reset" (Firefox).
Important Note: this does not work, if https managment is turned on.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Also, this obviously won't work on v24 micro editions.
dd if=/dev/swc666 of=/dev/wyze
i thought all the builds up until the last one (dd-wrt v24-sp2 build 12548) were affected.Originally Posted by pureh@te
i was able to duplicate the youtube attack on build 12360 (eko/V24_TNG/svn12360) on my dd-wrt router (openvpn version)
cat txt.file | nc ip_address 80
nc ip_address 5555
i upgraded to Eko build 12548 (openvpn version) last night. it seems to run smoother, probably placebo effect
I think they also have to be directly connected to the net.
Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69
The issue can be leveraged via cross-site request forgery, therefore web admin only has to be enabled internally.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Posting Permissions
