Slashdot Mirror


Critical Flaw Discovered In DD-WRT

MagicM writes "A critical flaw has been discovered in DD-WRT, a Linux-based alternative open source firmware for WLAN routers such as the fan-favorite Linksys WRT54GL. The flaw can give an attacker instant root access to the router merely by embedding an image with a specially crafted URL in a Web page (CSRF attack)." The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device.

11 of 225 comments

  1. Worse than that by tomtomtom · · Score: 4, Informative

    It's worse than a specially crafted image - there's a code injection flaw in the httpd server so merely accessing a URL that looks like "http://routerIP/cgi-bin/;command_to_execute" will do the trick. That URL can be put in a malicious tag on an HTML page and the user most likely won't even notice it.

    See the Register article on it from a couple of days ago.

  2. Re:Standard Practices by BigHungryJoe · · Score: 4, Informative

    Maybe I'm misunderstanding, but if the exploit is "injected from inside the browser" then won't the management of the device be coming from the local interface, not the internet side?

  3. Re:Standard Practices by gamefreak1450 · · Score: 5, Informative

    Basically, I would NEVER allow remote web management of a device if it's on the internet.

    Good idea, but this is a critical exploit because hackers can make an img tag load the malformed URL. If they can trick you into viewing that image, then your router will be compromised from your computer on the network. Disabling the external management will prevent internet users from compromising your router, but it is still vulnerable to local threats, as executed through the CSRF method.
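Comment 1 gives the shape of the injected request (a shell command after a semicolon in the `/cgi-bin/` path) and comment 3 explains why disabling remote management is not enough: the request arrives from a browser on the LAN, carried by an `<img>` tag on some unrelated page. An administrator who wants to know whether a router was hit can look for exactly those two signals in the router's httpd access log. The script below is an added example, not code from the page, from DD-WRT or from the Slashdot posters; it assumes a combined-format log line and a management address of 192.168.1.1 (both assumptions), and the log lines it scans are constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Assumed LAN address of the router's web interface (not from the page).
MANAGEMENT_HOSTS = {"192.168.1.1"}

# Combined log format: client, timestamp, request line, status, size,
# referer, user agent. Assumed shape; adjust to the httpd actually in use.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shell metacharacters that have no business inside a /cgi-bin/ path.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

# Constructed sample lines (not a real capture). Line 2 is the URL shape
# from comment 1; line 3 is the same request with the ';' percent-encoded;
# line 5 is a legitimate-looking CGI call with a third-party Referer.
SAMPLE_LOG = """\
192.168.1.10 - - [21/Jul/2009:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.1.10 - - [21/Jul/2009:10:01:05 +0000] "GET /cgi-bin/;command_to_execute HTTP/1.1" 200 12 "http://evil.example/page.html" "Mozilla/5.0"
192.168.1.10 - - [21/Jul/2009:10:02:11 +0000] "GET /cgi-bin/%3Bcommand_to_execute HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.1.10 - - [21/Jul/2009:10:03:00 +0000] "POST /cgi-bin/apply HTTP/1.1" 302 0 "http://192.168.1.1/setup.html" "Mozilla/5.0"
192.168.1.10 - - [21/Jul/2009:10:03:30 +0000] "GET /cgi-bin/apply?action=reboot HTTP/1.1" 200 0 "http://blog.example/post" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the regex match for one log line, or None if it does not parse."""
    return LOG_RE.match(line)


def analyze_line(line, lineno):
    """Return a list of findings (dicts) for one access-log line."""
    m = parse_line(line)
    if m is None:
        return [{"line": lineno, "rule": "unparseable", "detail": line[:60]}]
    findings = []
    # Decode once so that %3B is judged the same way as a literal ';'.
    path = unquote(urlsplit(m["target"]).path)
    is_cgi = path.startswith("/cgi-bin/")
    if is_cgi and SHELL_META.search(path):
        findings.append({"line": lineno, "rule": "cgi-shell-metachar",
                         "client": m["client"], "detail": path})
    # CSRF indicator: a CGI request whose Referer is not the router's own UI.
    # An absent Referer ("-") is ambiguous and is deliberately not flagged.
    referer = m["referer"]
    if is_cgi and referer != "-":
        if urlsplit(referer).hostname not in MANAGEMENT_HOSTS:
            findings.append({"line": lineno, "rule": "cross-site-referer",
                             "client": m["client"], "detail": referer})
    return findings


def analyze_log(text):
    """Scan a whole log and return every finding in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            findings.extend(analyze_line(line, lineno))
    return findings


def summarize(findings):
    """Count findings per rule, handy for a quick triage view."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f['line']}: {f['rule']} ({f['detail']})")
    print(dict(summarize(hits)))
```

The metacharacter rule is the firm one: nothing a browser does on its own puts a `;` into a CGI path, so any hit is worth chasing. The Referer rule is only a heuristic (it is not set for every image fetch and can be suppressed), which is why it does not replace the patched build or the firewall rules the story points to.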

  4. Re:This is a common stack in wifi APs by Mad+Merlin · · Score: 4, Informative

    It's hardly an issue with every wireless router. For example, the Tomato firmware is not vulnerable to this. Furthermore, most routers with DD-WRT are custom flashed, they don't come stock with it.

  5. Re:wtf is a DD-WRT? by Pulse_Instance · · Score: 4, Informative

    DD-WRT is custom firmware that supports more than 200 different devices. This page will tell you if your device is supported. Someone who wants to use DD-WRT needs to get one of those devices then install this firmware. To answer your question no, someone cannot find a list of actual routers that are affected by this. It is likely though that only geeks have it installed and that means that it is more likely that they will patch it.

  6. DD-WRT !GPL Compliant (or open source) by Anonymous Coward · · Score: 5, Informative

    DD-WRT just isn't compliant with the GPL on so many levels. Calling it an "open source" firmware is a lie and a disgrace to the open source community.

    The open source parts are OpenWRT.

    1. Re:DD-WRT !GPL Compliant (or open source) by Anonymous Coward · · Score: 5, Informative

      DD-WRT is Harmful to open source

  7. Re:This is a common stack in wifi APs by Anonymous Coward · · Score: 5, Informative

    3. Homogeny? Huh?! Do you mean the homogeny that's defined as "a significant portion of huge nerds (though certainly not even close to a majority) uses this software"? How many routers are being used in homes and small businesses around the world? You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware.

    WRT54GL

    http://www.linksysbycisco.com/US/en/products/WRT54GL

  8. Re:This issue is way overblown. FUD by abcabcabc · · Score: 3, Informative

    Nope, it affects https as well. Furthermore, it does not require remote web management since the attack can be carried out via CSRF.

  9. Re:Linksys suck by ShadowRangerRIT · · Score: 3, Informative

    If you paid even a lick of attention to TFA, you'd note that this is a vulnerability in third party software. If you've got stock firmware, you don't need to update, and if you don't have stock firmware, you couldn't get the update from Linksys anyway.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print

  10. Re:This is a common stack in wifi APs by Minwee · · Score: 3, Informative

    No, you've got it the wrong way around. Earlier models (up to v5.0) were hackable out-of-the-box. Linksys received quite some flak when they introduced the v5.0 model that had less memory and as such could not be easily re-flashed with third-party firmware. As a remedy they introduced the 54GL model that again had more memory (and a higher price of course).

    So you agree that earlier models, which were released shortly before the WRT54GL, were stripped and crippled. Except for the part where you said he was wrong, you just agreed with everything the grandparent poster said.