Slashdot Mirror


Critical Flaw Discovered In DD-WRT

MagicM writes "A critical flaw has been discovered in DD-WRT, a Linux-based alternative open source firmware for WLAN routers such as the fan-favorite Linksys WRT54GL. The flaw can give an attacker instant root access to the router merely by embedding an image with a specially crafted URL in a Web page (CSRF attack)." The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device.

3 of 225 comments

  1. Please look at this picture ... by janwedekind · Score: 5, Interesting

    ... to add a firewall-rule fixing this issue.

  2. Re:This is a common stack in wifi APs by HockeyPuck · Score: 5, Interesting

    1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?

    You're assuming that all these people that installed dd-wrt on their router installed it on their own routers only. Not their parents', friends', etc., and forgot about it.

    Do most open source projects have a mailing list in which ONLY important notifications like this go out? In comparison, two years ago I bought a coffee pot from Amazon, and the manufacturer issued a recall for the pot itself. Amazon notified me via email that there was a recall for the pot and provided instructions on how to get a new replacement glass pot. Trolling forums or Slashdot isn't exactly my idea of customer service.

    If I had bought a Cisco/Linksys router and there was a similar problem, would I have been notified after registering the product?

  3. How did this happen? by MobyDisk · Score: 5, Interesting

    The bug resides in DD-WRT's hyper text transfer protocol daemon, which runs as root.

    Whhaaat??? And the command looks like:

    http://routerIP/cgi-bin/;command_to_execute

    Whhaaat???

    This is a bug even Adobe would be ashamed to admit. An HTTP server, running as root, accepts arbitrary commands, without authentication, embedded in a URL? That's not a bug, that's... that's a design flaw... no... that's... unbelievable!

    Is there a legitimate reason that the HTTP daemon runs as root? (It is for embedded devices...) Or that commands are accepted over HTTP GET like that?
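As an added example (not part of the story, the comment, or the DD-WRT project), a small Python scanner over constructed router-httpd access-log lines that flags the `/cgi-bin/;` request shape quoted in the comment and uses the Referer header to separate requests triggered from a foreign page (the CSRF path the summary describes) from requests made from the router's own UI. The common-log-format layout, the addresses and the sample commands are assumptions; the real DD-WRT log format is not shown on the page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines (assumption: the router's httpd logs in common log
# format with Referer and User-Agent). Lines 2 and 4 carry the ";command"
# shape from the story; line 4 has the semicolon percent-encoded.
SAMPLE_LOG = """\
192.168.1.10 - - [20/Jul/2009:10:01:02 +0000] "GET /index.asp HTTP/1.1" 200 4123 "http://192.168.1.1/" "Mozilla/5.0"
192.168.1.10 - - [20/Jul/2009:10:01:45 +0000] "GET /cgi-bin/;reboot HTTP/1.1" 200 0 "http://evil.example/page.html" "Mozilla/5.0"
192.168.1.10 - - [20/Jul/2009:10:02:10 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 890 "http://192.168.1.1/" "Mozilla/5.0"
192.168.1.10 - - [20/Jul/2009:10:02:30 +0000] "GET /cgi-bin/%3Bid HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A path that starts with /cgi-bin/ followed directly by ';' (raw or
# percent-encoded as %3B) is the injection shape the comment quotes.
INJECT_RE = re.compile(r'^/cgi-bin/(?:;|%3[bB])')


def referer_host(referer):
    """Hostname from the Referer value, or None when it is absent ("-")."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def scan_log(text, router_host):
    """Return one finding per request whose path matches INJECT_RE.

    cross_site is True when the Referer is missing or names another host,
    i.e. the request looks like it came from a foreign page (CSRF-style)
    rather than from the router's own web UI at router_host.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not INJECT_RE.match(m["path"]):
            continue
        host = referer_host(m["referer"])
        findings.append({
            "src": m["src"],
            "path": m["path"],
            "referer_host": host,
            "cross_site": host != router_host,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, "192.168.1.1"):
        print(finding)
```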