
Thread: dd-wrt Remote Root Vuln

  1. #1
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default dd-wrt Remote Root Vuln

    I know a number of people around here run dd-wrt so I thought I'd point this out just-in-case anyone had missed it:

    Open-source firmware vuln exposes wireless routers - The Register
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default

    Only v24sp1 and below are vulnerable. I upgraded a test router to sp2 and the attack did not work. The exploit is already in msf-svn as well. One of our members and a metasploit contributor wrote an excellent article on a pivot attack and using the dd-wrt sploit.

    Security and Networking - Blog - Using Metasploit DD-WRT Exploit Module Thru Pivot

  3. #3
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Awesome.

    Now if the dd-wrt guys would just release a SP2 final or a revised SP1 (sp1a or something) we'd be set. Index of /dd-wrtv2/downloads/others/eko/BrainSlayer-V24-preSP2/07-21-09-r12533/ is supposed to be a patched version but supported models seem limited (i.e. only one specific Linksys listed).

    It should be noted that there is also an iptables rule you can set on your dd-wrt device to block execution from cgi-bin as a stop gap (though it can only be used if HTTPS admin is NOT enabled).
    The exploit also could be stopped, using a firewall rule.

    Go to your router, "Administration", "Commands" and enter the following text:

    insmod ipt_webstr
    ln -s /dev/null /tmp/exec.tmp
    iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
    iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset

    and press "Save Firewall", then reboot your router.

    This rule blocks any attempt to access something that has "cgi-bin" in the URL.

    You can prove that the rule works by entering http://192.168.1.1/cgi-bin/;reboot in your browser. That should give a "Connection was reset" error (Firefox).

    Important Note: this does not work if HTTPS management is turned on.
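As an added example that is not part of the thread: the script below shows, on constructed sample log lines, what the `--url cgi-bin` rule above actually matches (a plain substring test on the whole request URL, including the query string, so an innocent page whose query mentions cgi-bin is reset too) and flags the requests that carry the `;command` shape of the test URL in the post, including percent-encoded forms. The Apache-style log format, the function names and the sample addresses are my assumptions, not anything taken from dd-wrt or the thread.

```python
"""Added example (not from the thread): classify HTTP request URLs the way the
cgi-bin stop-gap rule would, and flag command-injection-shaped requests in a
web log. Every log line below is constructed sample data, not a real capture."""
import re
from urllib.parse import unquote

# Constructed Apache/common-log style lines (assumed format, not the router's own).
SAMPLE_LOG = """\
192.168.1.50 - - [22/Jul/2009:20:15:01 -0400] "GET /index.asp HTTP/1.1" 200 5120
192.168.1.50 - - [22/Jul/2009:20:15:09 -0400] "GET /cgi-bin/;reboot HTTP/1.1" 200 0
10.0.0.7 - - [22/Jul/2009:20:16:33 -0400] "GET /cgi-bin/%3Breboot HTTP/1.1" 200 0
10.0.0.7 - - [22/Jul/2009:20:16:41 -0400] "GET /cgi-bin/%7Cid HTTP/1.1" 200 0
192.168.1.50 - - [22/Jul/2009:20:17:40 -0400] "GET /Status_Router.asp HTTP/1.1" 200 4096
192.168.1.51 - - [22/Jul/2009:20:18:02 -0400] "GET /help.asp?topic=cgi-bin HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that turn a cgi-bin path into an injected command.
SHELL_META = re.compile(r'[;|`&$]')


def classify(url):
    """Return 'clean', 'blocked' (the webstr rule would reset the connection)
    or 'injection' (blocked, and the part after cgi-bin carries shell
    metacharacters, i.e. the shape of the ';reboot' test URL)."""
    decoded = unquote(url)  # %3B -> ';', %7C -> '|' before matching
    # ipt_webstr --url cgi-bin is a plain substring match on the request URL,
    # so any URL containing "cgi-bin", even inside a query string, is rejected.
    if "cgi-bin" not in decoded:
        return "clean"
    tail = decoded.split("cgi-bin", 1)[1]
    if SHELL_META.search(tail):
        return "injection"
    return "blocked"


def scan_log(text):
    """Parse log lines and return (src, url, verdict) for every non-clean request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        verdict = classify(m.group("url"))
        if verdict != "clean":
            hits.append((m.group("src"), m.group("url"), verdict))
    return hits


if __name__ == "__main__":
    for src, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:9s} {src:15s} {url}")
```

The `help.asp?topic=cgi-bin` line is there to show the cost of the stop gap: the rule cannot tell a legitimate page from an attack, it only keys on the substring. Since `ipt_webstr` inspects the plaintext request, it sees nothing inside an HTTPS management session, which is why the post says the rule is useless when HTTPS admin is on.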

  4. #4
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Also, this obviously won't work on v24 micro editions.
    dd if=/dev/swc666 of=/dev/wyze

  5. #5
    Just burned his ISO
    Join Date
    May 2009
    Posts
    7

    Default

    Quote Originally Posted by pureh@te
    Only v24sp1 and below are vulnerable. I upgraded a test router to sp2 and the attack did not work. The exploit is already in msf-svn as well. One of our members and a metasploit contributor wrote an excellent article on a pivot attack and using the dd-wrt sploit.

    [url=hxxp://wwwdotdarkoperatordotcom/blog/2009/7/21/using-metasploit-dd-wrt-exploit-module-thru-pivot.html]Security and Networking - Blog - Using Metasploit DD-WRT Exploit Module Thru Pivot[/url]
    I thought all the builds up until the last one (dd-wrt v24-sp2 build 12548) were affected.

    I was able to duplicate the YouTube attack on build 12360 (eko/V24_TNG/svn12360) on my dd-wrt router (OpenVPN version)

    cat txt.file | nc ip_address 80
    nc ip_address 5555

    I upgraded to Eko build 12548 (OpenVPN version) last night. It seems to run smoother, probably a placebo effect.

  6. #6
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817

    Default

    I think they also have to be directly connected to the net.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  7. #7
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    The issue can be leveraged via cross-site request forgery, therefore web admin only has to be enabled internally.
