[TriLUG] Anybody using DD-WRT?

Brian Daniels bitmage at pobox.com
Fri Aug 1 09:11:41 EDT 2008


So, to follow up from my original...

I got the following reply from BrainSlayer, the dd-wrt dev:

"it was implemented years ago for a customer, since we are maintaining the
networks in a small town here in germany.
these both ip's arent valid anymore and i removed it from my code as well
yesterday.
but thanks for finding it."

Apparently it's a backdoor created for a customer that got left in by accident 
on the main builds.  As noted by Jason upthread, the code is full of worrisome 
things.  A bunch of IFDEFs that create firewall openings and account/password 
combinations.  Obviously for different customers, but having them in the main 
tree seems like a bad idea to me.

Few people are going to build the firmware binaries themselves, so most won't 
know what IFDEF options are active in the build they're using.  Hopefully there 
aren't any other forgotten ones from years ago.

It's a sobering reminder about trusting code.  It was almost by chance that I 
found it - had I not wanted to do something a little unusual with allowing 
outside access, I wouldn't have looked at the raw iptables rules at all.  DD-WRT 
has been around for a while, seems well-trusted, and I would have assumed that 
it was creating a secure firewall.

As it is, that string of IFDEFs bothers me enough that I won't be using DD-WRT 
any further.  Of course, it's not like I have the time/skills to do a code audit 
on OpenWRT or Tomato.  You gotta trust somebody...

--Brian

-- 
Be it thy course to busy giddy minds
With foreign quarrels; that action, hence borne out,
May waste the memory of the former days.
			Henry IV, Part 2
	

Brian Daniels                  bitmage at pobox.com
      http://www.eviloverlord.net




More information about the TriLUG mailing list