[TriLUG] DD-WRT Remote Vulnerability

Edwin Castillo edwin at wiredbytes.com
Wed Jul 29 13:35:11 EDT 2009


Thanks for the heads up.

In DD-WRT you can disable this via the Administration tab, under Management > Remote Access > Web GUI Management.

Edwin Castillo
Twitter: @edwincastillo AIM: MaxWave3 * MSN Messenger:
edwincastillo at live.com
Yahoo Messenger: tecwave at yahoo.com * Skype: maxwave3


On Wed, Jul 29, 2009 at 9:38 AM, Jim Tuttle <jjtuttle at trilug.org> wrote:

> From http://www.dd-wrt.com/dd-wrtv3/index.php
>
> As reported at www.miw0rm.com there is a vulnerability in the
> http-server for the DD-WRT management GUI that can be used for execution
> of an exploit to gain control over the router.
>
> Note: The exploit can only be used directly from outside your network
> over the internet if you have enabled remote Web GUI management in the
> Administration tab. As immediate action please disable the remote Web
> GUI management. But that limitation could be easily overridden by a
> Cross-Site Request Forgery (CSRF) where a malicious website could inject
> the exploit from inside the browser.
>
> We have fixed the issue and generated new builds of the latest DD-WRT
> version. You can temporarily download these files from here until we
> have updated the router database.
> [UPDATE] We have integrated most of the fixed build files into the
> router database. You can check there if files for build 12533 are
> available for your router. If not (yet) please check the location
> mentioned above to obtain the files.
>
> The exploit can also be stopped, using a firewall rule: Go to your
> router's admin interface to > Administration > Commands and enter the
> following text:
>
>   insmod ipt_webstr
>   ln -s /dev/null /tmp/exec.tmp
>   iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
>   iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
>
> Press "Save Firewall" and reboot your router.
> This rule blocks any attempt to access something that has "cgi-bin" in the
> url. You can verify that the rule is working by entering:
> http://192.168.1.1/cgi-bin/;reboot in your browser. That should give a
> "Connection was reset" (Firefox).
>
> Important Note: This only works for non-https requests. If you have
> HTTPS Management turned on under > Administration > Management > Remote
> Access, then turn it off. If you don't want to turn it off, you can only
> do an Update.
>
>
>
>
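A check for the firewall workaround quoted above, as an added example that is not part of the original messages or of DD-WRT: it reads a rule listing and reports whether the webstr REJECT rule is in the INPUT chain and ahead of any ACCEPT rule that could match first. It assumes the listing is in iptables-save / `iptables -S` syntax and that the webstr match prints the way it was entered; the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not DD-WRT code. Reads a rule listing on stdin.
# Assumption: iptables-save / `iptables -S` syntax, webstr printed as entered.
# Prints a verdict and returns:
#   0 "ok"       REJECT rule present, ahead of any ACCEPT that could match HTTP
#   1 "missing"  no webstr/cgi-bin REJECT rule in INPUT
#   2 "shadowed" an earlier ACCEPT rule would match before the REJECT rule
check_webstr_rule() {
    seen_accept=0
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT "*) ;;
            *) continue ;;              # other chains and policy lines
        esac
        case "$line" in
            *"-m webstr"*"--url cgi-bin"*"-j REJECT"*)
                if [ "$seen_accept" -eq 1 ]; then echo shadowed; return 2; fi
                echo ok; return 0 ;;
            *"-j ACCEPT"*)
                case "$line" in
                    *"-p udp"*|*"-p icmp"*) ;;  # cannot carry an HTTP request
                    *) seen_accept=1 ;;
                esac ;;
        esac
    done
    echo missing; return 1
}
# Constructed sample listings (not captured from a real router).
sample_good() { cat <<'EOF'
-A INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
EOF
}
sample_shadowed() { cat <<'EOF'
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
EOF
}
sample_missing() { cat <<'EOF'
-A INPUT -i br0 -j ACCEPT
-A FORWARD -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
EOF
}
for s in sample_good sample_shadowed sample_missing; do
    printf '%s: ' "$s"; "$s" | check_webstr_rule || true
done
```

The "shadowed" verdict is deliberately conservative: it flags any earlier ACCEPT rule that is not limited to UDP or ICMP, which is why the quoted instructions use `-I` to place the rule at the top of INPUT.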


