Security Wireless Networking Hardware

Critical Flaw Discovered In DD-WRT 225

MagicM writes "A critical flaw has been discovered in DD-WRT, a Linux-based alternative open source firmware for WLAN routers such as the fan-favorite Linksys WRT54GL. The flaw can give an attacker instant root access to the router merely by embedding an image with a specially crafted URL in a Web page (CSRF attack)." The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device.
This discussion has been archived. No new comments can be posted.
  • Worse than that (Score:4, Informative)

    by tomtomtom ( 580791 ) on Friday July 24, 2009 @10:05AM (#28806501)

    It's worse than a specially crafted image - there's a code injection flaw in the httpd server so merely accessing a URL that looks like "http://routerIP/cgi-bin/;command_to_execute" will do the trick. That URL can be put in a malicious tag on an HTML page and the user most likely won't even notice it.

    See the Register article [theregister.co.uk] on it from a couple of days ago.

  • by BigHungryJoe ( 737554 ) on Friday July 24, 2009 @10:08AM (#28806553) Homepage

    Maybe I'm misunderstanding, but if the exploit is "injected from inside the browser" then won't the management of the device be coming from the local interface, not the internet side?

  • by gamefreak1450 ( 887066 ) on Friday July 24, 2009 @10:14AM (#28806603)

    Basically, I would NEVER allow remote web management of a device if it's on the internet.

    Good idea, but this is a critical exploit because hackers can make an img tag load the malformed URL. If they can trick you into viewing that image, then your router will be compromised from your computer on the network. Disabling the external management will prevent internet users from compromising your router, but it is still vulnerable to local threats, as executed through the CSRF method.

  • it sucks...but (Score:1, Informative)

    by Em Emalb ( 452530 ) <ememalb.gmail@com> on Friday July 24, 2009 @10:15AM (#28806615) Homepage Journal

    Bravo to them for owning up to it and also posting the fix on the same page.

    The interesting thing I've read a lot here is how vulnerable and worthless Microsoft is when it comes to security...but it seems the people that think this automatically point to Linux as being secure.

    Linux is somewhat secure, but a LOT of the security of linux is due to a limited (unfortunately) market share. If Linux owned 30% or more of the market space for end-user goods, we'd see a HUGE influx of hacks, malware, adware, etc.

    It flabbergasts me that people don't see this. The greatest thing Linux has going for it is the collaboration and freedom of the code. With that freedom comes the ability to exploit it. Wait til market share gets larger, it'll start to happen a lot more than the rare article here and there. The good news, though, is again, they identified the problem AND THE FIX on the same page. (Something MS has to be drug kicking and screaming along in order to do that)

  • by tonyreadsnews ( 1134939 ) on Friday July 24, 2009 @10:19AM (#28806663)

    Yeah, that's what I got from that statement too.

    The easy way is to go directly in through the remote Web GUI.

    Slightly harder to go in through the browser running inside the network.

  • by Mad Merlin ( 837387 ) on Friday July 24, 2009 @10:19AM (#28806671) Homepage

    It's hardly an issue with every wireless router. For example, the Tomato firmware is not vulnerable to this. Furthermore, most routers with DD-WRT are custom flashed, they don't come stock with it.

  • Re:wtf is a DD-WRT? (Score:5, Informative)

    by Pulse_Instance ( 698417 ) on Friday July 24, 2009 @10:25AM (#28806737)

    DD-WRT is custom firmware that supports more than 200 different devices. This page [dd-wrt.com] will tell you if your device is supported. Someone who wants to use DD-WRT needs to get one of those devices, then install this firmware. To answer your question: no, someone cannot find a list of actual routers that are affected by this. It is likely, though, that only geeks have it installed, and that means that it is more likely that they will patch it.

  • by Anonymous Coward on Friday July 24, 2009 @10:26AM (#28806751)

    DD-WRT just isn't compliant with the GPL on so many levels. Calling it an "open source" firmware is a lie and a disgrace to the open source community.

    The open source parts are OpenWRT.

  • by Anonymous Coward on Friday July 24, 2009 @10:27AM (#28806765)

    3. Homogeny? Huh?! Do you mean the homogeny that's defined as "a significant portion of huge nerds (though certainly not even close to a majority) uses this software"? How many routers are being used in homes and small businesses around the world? You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware.

    WRT54GL

    http://www.linksysbycisco.com/US/en/products/WRT54GL

  • Re:wtf is a DD-WRT? (Score:1, Informative)

    by Anonymous Coward on Friday July 24, 2009 @10:36AM (#28806869)

    If you don't know what dd-wrt is, then you are not affected. Those who have it installed it themselves. There are also a few companies selling routers pre-flashed with dd-wrt, but again their market isn't the average joe. By the way, google is your friend.

  • by Anonymous Coward on Friday July 24, 2009 @10:40AM (#28806925)

    +1 for Tomato, that firmware is awesome and rock solid.

  • It's "homogeneity" (Score:2, Informative)

    by Merdalors ( 677723 ) on Friday July 24, 2009 @10:42AM (#28806947)

    We have to nip this in the bud: it's "homogeneity" (Webster, Oxford)

    Sorry about that.

  • by Anonymous Coward on Friday July 24, 2009 @10:45AM (#28806991)

    DD-WRT is Harmful [bitsum.com] to open source

  • Re:Worse than that (Score:2, Informative)

    by hoosbane ( 643500 ) on Friday July 24, 2009 @10:48AM (#28807037)

    Um... no. The URLs that break this work just as well over HTTPS. And the firewall rule they offer to protect against the hack won't protect the HTTPS port, so you're actually *more* vulnerable over HTTPS. Of course, the CSRF attack can be mitigated by just not using the default IP range for your router.

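    Two comments in this thread together describe what a defender should be looking for: tomtomtom's, that the request is a plain `/cgi-bin/;command` URL (which an `<img>` on any page can trigger), and hoosbane's, that the same URL works on the HTTPS listener the offered firewall rule does not cover. The following is an added example, not code from the DD-WRT project or from either commenter, that scans router access-log lines for that pattern on every port. The log format, the addresses, and the sample lines are all constructed for the example; a real DD-WRT httpd log will need its own regex.

    ```python
    import re
    from urllib.parse import urlsplit, unquote

    # Constructed sample access-log lines (not from any real router). The format is
    # invented for this example: client, ident, user, [timestamp], "request line",
    # status, bytes, "referer", and finally the listening port the request hit.
    SAMPLE_LOG = """\
    192.168.1.100 - - [24/Jul/2009:10:05:01 -0400] "GET /cgi-bin/;reboot HTTP/1.1" 200 12 "http://example.test/page.html" 80
    192.168.1.100 - - [24/Jul/2009:10:05:02 -0400] "GET /index.asp HTTP/1.1" 200 4012 "http://192.168.1.1/" 80
    192.168.1.101 - - [24/Jul/2009:10:06:10 -0400] "GET /cgi-bin/%3Breboot HTTP/1.1" 200 12 "http://example.test/x.html" 443
    192.168.1.102 - - [24/Jul/2009:10:07:00 -0400] "GET /cgi-bin/status.cgi HTTP/1.1" 200 200 "http://192.168.1.1/" 80
    """

    LOG_RE = re.compile(
        r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
        r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
        r'"(?P<referer>[^"]*)" (?P<port>\d+)$'
    )

    # Addresses the router's own UI lives on (assumed for the example).
    ROUTER_HOSTS = {"192.168.1.1"}
    # Characters that have no business in a CGI script name but mean something to a shell.
    SHELL_META = set(";|&`$\n")


    def flag_cgi_injection(line):
        """Return a finding dict for a suspicious /cgi-bin/ request, else None."""
        m = LOG_RE.match(line)
        if not m:
            return None
        # Decode percent-encoding so %3B is judged the same as a literal ';'.
        path = unquote(urlsplit(m["target"]).path)
        if not path.startswith("/cgi-bin/"):
            return None
        tail = path[len("/cgi-bin/"):]
        if not (SHELL_META & set(tail)):
            return None
        ref_host = urlsplit(m["referer"]).hostname
        return {
            "client": m["client"],
            "port": int(m["port"]),
            "path": path,
            # A Referer from anywhere but the router's own UI is the CSRF fingerprint.
            "cross_site": ref_host is not None and ref_host not in ROUTER_HOSTS,
        }


    def scan(log_text):
        """Scan every line; the port is kept so hits on HTTPS (443) are not missed."""
        findings = []
        for line in log_text.splitlines():
            f = flag_cgi_injection(line)
            if f:
                findings.append(f)
        return findings


    if __name__ == "__main__":
        for f in scan(SAMPLE_LOG):
            print(f)
    ```

    Run against the constructed sample it reports the two `;reboot` requests (one literal, one percent-encoded, the second on port 443) and ignores the ordinary UI traffic. Matching on the decoded path rather than the raw request line is the point: a rule that only looks for a literal `;` on port 80 misses exactly the two variants hoosbane and tomtomtom describe.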
  • NoScript! (Score:3, Informative)

    by WD ( 96061 ) on Friday July 24, 2009 @10:52AM (#28807099)

    NoScript actually mitigates this vulnerability. The ABE feature, in particular:
    http://noscript.net/abe/ [noscript.net]

    So although I added the firewall mitigation in dd-wrt, I was pleased to find that NoScript blocked the CSRF request before it even got to the router.

  • by abcabcabc ( 1603255 ) on Friday July 24, 2009 @10:55AM (#28807125)

    Nope, it affects https as well. Furthermore, it does not require remote web management since the attack can be carried out via CSRF.

  • DD-WRT is a lie! (Score:0, Informative)

    by Anonymous Coward on Friday July 24, 2009 @11:12AM (#28807385)

    Some jackass named brainslayer stole the openwrt source code, wrote a dinky (and obviously poorly written) web interface for it and branded the whole thing as "his" and probably said fuck the gpl and the golden goose it rode in on.

    See: http://www.bitsum.com/about-ddwrt.htm

  • Re:Linksys suck (Score:4, Informative)

    by ShadowRangerRIT ( 1301549 ) on Friday July 24, 2009 @11:18AM (#28807473)

    If you paid even a lick of attention to TFA, you'd note that this is a vulnerability in third party software. If you've got stock firmware, you don't need to update, and if you don't have stock firmware, you couldn't get the update from Linksys anyway.

  • by Minwee ( 522556 ) <dcr@neverwhen.org> on Friday July 24, 2009 @11:28AM (#28807625) Homepage

    No, you've got it the wrong way around. Earlier models (up to v5.0) were hackable out-of-the-box. Linksys received quite some flak when they introduced the v5.0 model that had less memory and as such could not be easily re-flashed with third-party firmware. As a remedy they introduced the 54GL model that again had more memory (and a higher price of course).

    So you agree that earlier models which were released shortly before the WRT54GL, were stripped and crippled. Except for the part where you said he was wrong you just agreed with everything the grandparent poster said.

  • Re:Sheesh, go RTFA (Score:3, Informative)

    by Tacvek ( 948259 ) on Friday July 24, 2009 @11:57AM (#28808091) Journal

    It can only be remotely exploited in that case. However, it can be exploited locally if you load any page that has a tag of the form <img src="http://192.168.1.1/cgi-bin/;reboot"> replacing 192.168.1.1 with your router's actual IP, and the reboot command with whatever command is desired. So you visit any webpage in any browser, and you don't have the browser set to not load images from another domain, and you can be exploited.
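    Tacvek's comment shows why the bug is two problems stacked: the httpd treats part of the URL as a shell command, and a cross-site `<img>` GET is allowed to trigger a state change at all. The following is an added example, not DD-WRT's code or its actual fix, of the checks a management httpd's CGI dispatcher should apply before running anything. The handler names, the router origins, and the token scheme are assumptions made for the example.

    ```python
    import hmac
    import re
    from urllib.parse import urlsplit, unquote

    # Hosts the router's own UI is served from (assumed for this example).
    ROUTER_ORIGINS = {"192.168.1.1", "router.lan"}
    # Allowlist of CGI handlers; these names are invented, not DD-WRT's.
    CGI_ALLOWLIST = {"status.cgi", "apply.cgi"}
    STATE_CHANGING = {"apply.cgi"}
    # A script name is an opaque token: letters, digits, '_', '.', '-' only.
    SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


    def check_request(method, target, headers, form, session_token):
        """Decide whether a management request may run. Returns (accepted, reason).

        headers: dict with lower-case keys; form: dict of posted fields;
        session_token: the anti-CSRF token the UI issued to this session.
        """
        path = unquote(urlsplit(target).path)
        if not path.startswith("/cgi-bin/"):
            return True, "not a cgi request"
        name = path[len("/cgi-bin/"):]
        # 1. Nothing shell-like may reach the dispatcher: the name must be a plain
        #    token that maps to a known handler, so ';reboot' is refused here,
        #    whether it arrives literal or percent-encoded.
        if not SAFE_NAME.match(name) or name not in CGI_ALLOWLIST:
            return False, "unknown or malformed cgi name"
        if name not in STATE_CHANGING:
            return True, "read-only handler"
        # 2. An <img> fetch is always a GET; state changes require POST.
        if method != "POST":
            return False, "state change requires POST"
        # 3. The request must come from the router's own pages (Origin, else Referer).
        source = headers.get("origin") or headers.get("referer")
        host = urlsplit(source).hostname if source else None
        if host not in ROUTER_ORIGINS:
            return False, "cross-site or missing origin"
        # 4. And carry the per-session token a third-party page cannot read.
        if not hmac.compare_digest(form.get("csrf_token", ""), session_token):
            return False, "bad csrf token"
        return True, "accepted"


    if __name__ == "__main__":
        print(check_request("GET", "/cgi-bin/;reboot", {"referer": "http://example.test/"}, {}, "t0k"))
        print(check_request("POST", "/cgi-bin/apply.cgi", {"origin": "http://192.168.1.1"},
                            {"csrf_token": "t0k"}, "t0k"))
    ```

    Check 1 alone closes the command injection; checks 2 to 4 are what stop a page on another site from driving the legitimate handlers, which is the CSRF half that Tacvek and abcabcabc point out survives disabling remote management. The token comparison uses `hmac.compare_digest` so the check does not leak the token through timing.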

  • Re:NoScript! (Score:3, Informative)

    by Vectronic ( 1221470 ) on Friday July 24, 2009 @12:08PM (#28808233)

    That might help some, but what about:
    1. Places that have 40 computers, running 3 different browsers.
    2. Your friend/relative that comes over with their laptop
    3. Embedded browsers in applications (even if they use your FF/Gecko does it load NoScript for those?)
    4. That time you disabled NoScript cause something was "all fucked up", and you may as well "test"
    5. What if someone got to the NoScript update servers?
    6. ???
    7. Loss of profit!

  • by narfspoon ( 1376395 ) on Friday July 24, 2009 @12:49PM (#28808813)

    He's right also. I should've said "some of the earlier models (versions 5.0 -> 8.2)".

    I would have said "pre-2005" models, but that's not entirely accurate either.

    Last time I checked recently, stores mostly had the non-Linux versions in stock or they had the WRT54G"L" side-by-side with the low-memory non-Linux version of the same router. I know NewEgg sells both versions also. Local brick&mortar stores only carried the bad version.

  • by Khyber ( 864651 ) <techkitsune@gmail.com> on Friday July 24, 2009 @01:21PM (#28809305) Homepage Journal

    "You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware. "

    Buffalo WHR-HP-G54DD comes with it installed by default.

  • Re:Mod Parent Up (Score:3, Informative)

    by Sleepy ( 4551 ) on Friday July 24, 2009 @01:37PM (#28809527) Homepage

    >If people just disabled remote admin (which you should do anyway)

    FYI, the exploit is Internet-ready even if you turn off remote management.

    It's in the article, if you read it. Webpages (or flash, etc) can just craft a request to exploit this and in the process, turn remote shell ON.

    Web-managed routers will always be LESS secure than router types managed via local telnet or ssh. Such designs are immune to browser and cross site attacks... but they're more difficult to manage for novice users, which is why these days only the serious and high-end routers lack web interfaces.

  • by mieses ( 309946 ) on Friday July 24, 2009 @03:25PM (#28811061)

    I switched to OpenWRT as soon as I realized what DD-WRT is about.
    http://en.wikipedia.org/wiki/DD-WRT#Controversy [wikipedia.org]

    The OpenWRT community is a bit more technical and far more competent.

  • by Anonymous Coward on Friday July 24, 2009 @09:41PM (#28815379)

    I have a Linksys 350N. Aside from Tomato's confusing website (Firefox? Japanese?) it isn't supported. OpenWRT looks like it has support for bricking the router.. great..

    WARNING: Flashing the pre-build openwrt-wrt350n_v1-squashfs.bin from downloads.openwrt.org could very well disable all ethernet ports on the router, forcing you to install a serial port to recover.

    I've been using DD-WRT on this router for years and the open source firmware maintainers still can't get their shit together. Don't worry though, keep complaining about the freedom DD-WRT gives me when you don't even offer the same level of service.
