Slashdot Mirror
Critical Flaw Discovered In DD-WRT
MagicM writes "A critical flaw has been discovered in DD-WRT, a Linux based alternative open source firmware for WLAN routers such as the fan-favorite Linksys WRT54GL. The flaw can give an attacker instant root access to the router merely by embedding an image with a specially crafted URL in a Web page (CSRF attack)." The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device.
It's worse than a specially crafted image - there's a code injection flaw in the httpd server so merely accessing a URL that looks like "http://routerIP/cgi-bin/;command_to_execute" will do the trick. That URL can be put in a malicious tag on an HTML page and the user most likely won't even notice it.
See the Register article on it from a couple of days ago.
Maybe I'm misunderstanding, but if the exploit is "injected from inside the browser" then won't the management of the device be coming from the local interface, not the internet side?
Basically, I would NEVER allow remote web management of a device if it's on the internet.
Good idea, but this is a critical exploit because hackers can make an img tag load the malformed URL. If they can trick you into viewing that image, then your router will be compromised from your computer on the network. Disabling the external management will prevent internet users from compromising your router, but it is still vulnerable to local threats, as executed through the CSRF method.
Bravo to them for owning up to it and also posting the fix on the same page.
The interesting thing I've read a lot here is how vulnerable and worthless Microsoft is when it comes to security...but it seems the people that think this automatically point to Linux as being secure.
Linux is somewhat secure, but a LOT of the security of linux is due to a limited (unfortunately) market share. If Linux owned 30% or more of the market space for end-user goods, we'd see a HUGE influx of hacks, malware, adware, etc.
It flabbergasts me that people don't see this. The greatest thing Linux has going for it is the collaboration and freedom of the code. With that freedom comes the ability to exploit it. Wait til market share gets larger, it'll start to happen a lot more than the rare article here and there. The good news, though, is again, they identified the problem AND THE FIX on the same page. (Something MS has to be drug kicking and screaming along in order to do that)
Sent from your iPad.
Yea, thats what I got from that statement too.
The easy way is to go directly in through the remote Web GUI.
slightly harder to go in through the browser running inside the network.
It's hardly an issue with every wireless router. For example, the Tomato firmware is not vulnerable to this. Furthermore, most routers with DD-WRT are custom flashed, they don't come stock with it.
Game! - Where the stick is mightier than the sword!
DD-WRT is custom firmware that supports more than 200 different devices. This page will tell you if your device is supported. Someone who wants to use DD-WRT needs to get one of those devices then install this firmware. To answer your question no, someone can not find a list of actual routers that are affect by this. It is likely though that only geeks have it installed and that means that it is more likely that they will patch it.
DD-WRT just isn't compliant with the GPL on so many levels.calling it an "open source" firmware is a lie and a disgrace to the open source community.
The open source parts are OpenWRT.
3. Homogeny? Huh?! Do you mean the homogeny that's defined has "a significant portion of huge nerds (though certainly not even close to a majority) uses this software" ? How many routers are being used in homes and small businesses around the world? You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware.
WRT54GL
http://www.linksysbycisco.com/US/en/products/WRT54GL
If you don't know what is dd-wrt, then you are not affected. Those who have it installed it themselves. There are also a few companies selling routers pre-flashed with dd-wrt but again their market isn't the average joe. By the way, google is your friend.
+1 for Tomato, that firmware is awesome and rock solid.
Sorry about that.
Slashdot entertains. Windows pays the mortgage.
NoScript actually mitigates this vulnerability. The ABE feature, in particular:
http://noscript.net/abe/
So although I added the firewall mitigation in dd-wrt, I was pleased to find that NoScript blocked the CSRF request before it even got to the router.
Nope, it affects https as well. Furthermore, it does not require remote web management since the attack can be carried out via CSRF.
Some jackass named brainslayer stole the openwrt source code, wrote a dinky (and obviously poorly written) web interface for it and branded the whole thing as "his" and probably said fuck the gpl and the golden goose it rode in on.
See: http://www.bitsum.com/about-ddwrt.htm
If you paid even a lick of attention to TFA, you'd note that this is a vulnerability in third party software. If you've got stock firmware, you don't need to update, and if you don't have stock firmware, you couldn't get the update from Linksys anyway.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
So you agree that earlier models which were released shortly before the WRT54GL, were stripped and crippled. Except for the part where you said he was wrong you just agreed with everything the grandparent poster said.
It can only be remotely exploited in that case. However, it can be exploited locally if you load any page that that has a tag of the form <img src="http://192.168.1.1/cgi-bin/;reboot"> replacing 192.168.1.1 with your router's actual IP, and the reboot command with whatever command is desired. So you visit any webpage in any browser and you don't have the browser set to not load images from another domain, and you can be exploited.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
He's right also. I should've said "some of the earlier models (versions 5.0 -> 8.2)".
I would have said "pre-2005" models, but that's not entirely accurate either.
Last time I checked recently, stores mostly had the non-Linux versions in stock or they had the WRT54G"L" side-by-side with the low-memory non-Linux version of the same router. I know NewEgg sells both versions also. Local brick&mortar stores only carried the bad version.
"You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware. "
Buffalo WHR-HP-G54DD comes with it installed by default.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
>If people just disabled remote admin (which you should do anyway)
FYI, the exploit is Internet-ready even if you turn off remote management.
It's in the article, if you read it. Webpages (or flash, etc) can just craft a request to exploit this and in the process, turn remote shell ON.
Web-managed routers will always be LESS secure than router types managed via local telnet or ssh. Such designs are immune to browser and cross site attacks... but they're more difficult to manage for novice users, which is why these days only the serious and high-end routers lack web interfaces.
I switched to OpenWRT as soon as I realized what DD-WRT is about.
http://en.wikipedia.org/wiki/DD-WRT#Controversy
The OpenWRT community is a bit more technical and far more competent.
I have a Linksys 350N. Aside from Tomato's confusing website (Firefox? Japanese?) it isn't supported. OpenWRT looks like it has support for bricking the router.. great..
I've been using DD-WRT on this router for years and still the open source firmware maintainers still can't get their shit together. Don't worry though keep complaining about the freedom DD-WRT gives me when you don't even offer the same level of service.