Critical Flaw Discovered In DD-WRT

MagicM writes "A critical flaw has been discovered in DD-WRT, a Linux based alternative open source firmware for WLAN routers such as the fan-favorite Linksys WRT54GL. The flaw can give an attacker instant root access to the router merely by embedding an image with a specially crafted URL in a Web page (CSRF attack)." The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device.
  • Mod Parent Up (Score:3, Interesting)

    by zarthrag ( 650912 ) on Friday July 24, 2009 @10:05AM (#28806503)
    You know, as much as I used to complain about the many different distros - you've got a damn good point.
  • by janwedekind ( 778872 ) on Friday July 24, 2009 @10:28AM (#28806771) Homepage

    ... to add a firewall rule fixing this issue.

  • by HockeyPuck ( 141947 ) on Friday July 24, 2009 @10:37AM (#28806889)

    1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?

    You're assuming that all these people that installed dd-wrt on their router installed it on their own routers only. Not their parents', friends', etc., and forgot about it.

    Do most open source projects have a mailing list in which ONLY important notifications like this go out? In comparison, two years ago I bought a coffee pot from Amazon, and the manufacturer issued a recall for the pot itself. Amazon notified me via email that there was a recall for the pot and provided instructions on how to get a new replacement glass pot. Trolling forums or slashdot isn't exactly my idea of customer service.

    If I had bought a Cisco/linksys router and there was a similar problem would I have been notified after registering the product?

  • by Culture20 ( 968837 ) on Friday July 24, 2009 @10:41AM (#28806937)
    Thus why you don't allow web management even on the local interfaces except with a specific IP that isn't your workstation. The possibility of http redirects to default local IPs that routers use (attempting default password logins) has been around since their inception.
  • by Anonymous Coward on Friday July 24, 2009 @10:44AM (#28806985)

    I submitted this story more than 72 hours ago. It's been public knowledge for at least 96 hours. I know this isn't strictly a security site, but c'mon! Four days is too long for a remote exploit on one of the most widely deployed consumer router platforms.

  • How did this happen? (Score:5, Interesting)

    by MobyDisk ( 75490 ) on Friday July 24, 2009 @10:48AM (#28807023) Homepage

    The bug resides in DD-WRT's hyper text transfer protocol daemon, which runs as root.

    Whhaaat??? And the command looks like:

    http://routerIP/cgi-bin/;command_to_execute

    Whhaaat???

    This is a bug even Adobe would be ashamed to admit. An http server, running as root, accepts arbitrary commands, without authentication, embedded in a URL? That's not a bug, that's... that's a design flaw... no... that's... unbelievable!

    Is there a legitimate reason that the http daemon runs as root? (It is for embedded devices...) Or that commands are accepted over HTTP GET like that?
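The request shape quoted in the post above (a shell metacharacter right after `/cgi-bin/`) is easy to spot in web-server logs. The following detector is an added example for this thread, not code from DD-WRT or from any poster; the access-log format, the `status.cgi` script name and the sample lines are constructed, and the check goes one step beyond the quoted URL by percent-decoding the path so an encoded `%3B` is treated the same as a literal `;`.

```python
import re
from urllib.parse import unquote

# A legitimate CGI call is a plain script name: letters, digits, '_', '.', '-'.
# Anything else under /cgi-bin/ (';', '|', '&', '$', backticks, spaces, ...)
# is treated as a command-injection attempt and flagged.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

# Extracts the request target from a common-log-format request field.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real router logs); the first two mirror
# the URL pattern quoted in the thread, once literal and once percent-encoded.
SAMPLE_LOG = """\
192.168.1.100 - - [24/Jul/2009:10:05:00 +0000] "GET /cgi-bin/;command_to_execute HTTP/1.1" 200 -
192.168.1.100 - - [24/Jul/2009:10:05:01 +0000] "GET /cgi-bin/%3Bcommand_to_execute HTTP/1.1" 200 -
192.168.1.100 - - [24/Jul/2009:10:05:02 +0000] "GET /cgi-bin/status.cgi?page=status HTTP/1.1" 200 -
192.168.1.100 - - [24/Jul/2009:10:05:03 +0000] "GET /index.asp HTTP/1.1" 200 -
"""


def cgi_script_name(target):
    """Return the script name under /cgi-bin/, or None for non-CGI requests.

    The query string is dropped and the path is percent-decoded first, so an
    attacker cannot hide a metacharacter behind URL encoding.
    """
    path = unquote(target.split("?", 1)[0])
    if not path.startswith("/cgi-bin/"):
        return None
    return path[len("/cgi-bin/"):]


def is_suspicious(target):
    """True when a /cgi-bin/ request carries anything but a plain script name."""
    name = cgi_script_name(target)
    if name is None:
        return False
    return not SAFE_NAME.match(name)


def flag_lines(log_text):
    """Return the request targets of every suspicious line in an access log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_suspicious(m.group("target")):
            hits.append(m.group("target"))
    return hits
```

Run against `SAMPLE_LOG`, only the two `/cgi-bin/;...` variants are returned; the ordinary CGI page and the static page pass.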

  • Re:Worse than that (Score:3, Interesting)

    by twistah ( 194990 ) on Friday July 24, 2009 @10:59AM (#28807183)

    Did you bother even reading the article? The code is in httpd.c, which obviously handled both types of connections. I almost hate SSL sometimes because people equate it with security -- but not encryption or integrity, but that somehow it's a magical fix-all for whatever the security flaw is. I see this kind of thinking in IT people in charge of the enterprise and it scares me. Security is not about having a setting enabled, and it certainly requires much more analysis than a simple dismissive suggestion.

  • by TheLink ( 130905 ) on Friday July 24, 2009 @11:18AM (#28807475) Journal
    I disagree. Security through obscurity works.

    For example: in this case if you had already changed your router's IP address, it would be harder for the attackers to figure it out. For example if you use 10.35.79.184, the same url that can exploit thousands of other dd-wrt routers (e.g. http://192.168.1.1/etcetc ) won't work on your router. So there has to be an attack specifically targeting you[1]. Which rarely happens unless you're famous or have made yourself infamous (or well-hated amongst hacker circles).

    So you have more time to update your router or even have time to wait to see if the updates don't break other stuff first.

    You're not as vulnerable to zero-day attacks as other people.

    Same goes for putting running sshd servers on a different port. I could use port knocking or other stuff, but so far running it on a different port works well enough for me.

    I actually have my sshd server bound on an IP and port that's unreachable from outside, and my firewall has a rule to forward outside connections to it. This way if a mistake happens and my firewall rules get disabled/cleared, ssh and other crap from outside won't work.

    [1] If a top hacker was targeting you specifically, they'd probably be able to pwn you.

    For example:
    1) I'm sure there are many zero-day browser/plugin exploits left (just look at how fast the pwn2own winners pwn stuff - they just sacrifice one of the zero-day exploits they have).
    2) I doubt most ISPs have locked their BGP stuff down, so the attackers could use "BGP eavesdropping/prefix attacks" to hijack your connections.

    With 1) and 2) you'd be merrily browsing your usual sites and pwned without noticing a thing - the hacker would just pass most of the traffic on, and just alter one or two connections to exploit the relevant browser bug.
  • by BigHungryJoe ( 737554 ) on Friday July 24, 2009 @11:19AM (#28807495) Homepage

    coming from the internet, but executed from YOUR browser. That's the danger they're talking about.

  • by eredin ( 1255034 ) on Friday July 24, 2009 @11:38AM (#28807815)
    I couldn't agree more. After a long history of sketchy routers that I had to reboot every other day, I bought the WRT54GL just so I could put third-party firmware on it. The rave reviews led me to Tomato. Simple to set up, great interface, lots of cool stats and graphs, and -- most importantly -- my uptime is now determined by power outages.
  • by RomulusNR ( 29439 ) on Friday July 24, 2009 @05:23PM (#28813061) Homepage

    It would be nice to know if this affects DD-WRT boxes that are not WAN-facing and are not in router mode.

    I have three DD-WRT's in client bridge mode so as to provide wired connections throughout the house. They hop over WiFi to the WAN-facing router which still runs stock VxWorks. So I'd be inclined to think that my boxes are safe.

    As for DD-WRT releasing a patch, gee thanks. I have two different (and old) versions of DD-WRT among the three devices and haven't touched them since installing, because upgrading requires lots of personal time with each device to reinstall and reconfigure and god knows what else and I simply don't have the time -- the whole point of setting up client bridges was to make life easier, not some sort of time-consuming exercise in obscure geek cred.

  • by thejynxed ( 831517 ) on Friday July 24, 2009 @09:37PM (#28815355)

    I hope the following tale satisfies your curiosity.

    Back in the day, you had a company named Linksys. They made excellent home routers. I dare say the best you could get on the market. They release several versions of a certain wireless router, model WRT54G. People everywhere rejoice, because they can hack away at this machine to their heart's content. Modding the firmware, modding the hardware. You name it.

    During this period, a certain, shall we say, rather shitty manufacturer of 'Enterprise' routers, named Cisco, decides to buy this rather successful smaller company. They want a piece of that vast home router market that Linksys enjoys.

    So, the corporate behemoth decides to take a good look at the hardware that Linksys has been selling, and lo and behold, it is as good as or even better than the shite they sell to their 'Enterprise' customers! "Oh noes!" they exclaim, "We can't have THIS nonsense going on! What do we do if our 'Enterprise' customers see our webpage and start buying the Linksys branded routers instead of our over-priced 'Enterprise' Cisco-branded crap?"

    Henceforth, it was decreed by the demi-dogs of Cisco Corporate Headquarters that "There shall not be any extra features or better hardware in the 'Consumer' class routers that already exist in our 'Enterprise' class routers!"

    Narrator's Note: We ended up with the crippled turds known as the WRT54G v5 to v8.2.

    Soon the Corporate demi-dogs started noticing they were swiftly losing sales and receiving MANY customer complaints about their latest iterations of the WRT54G. To save their own hides from the proverbial pitchforks and torches of their 'Consumer' class customers, and their cousins, called 'The Shareholders', they quickly released a version of the WRT54G, and designated it the WRT54GL v1.1 (US).

    There was much rejoicing, as now we could happily hack away at our precious WRTs again, even if not quite so spectacularly as before.

    Narrator's Note: For some odd reason, the US got a v1.1 and Europe started off with a v1.0c at the same time.
