Slashdot Mirror
Critical Flaw Discovered In DD-WRT
MagicM writes "A critical flaw has been discovered in DD-WRT, a Linux based alternative open source firmware for WLAN routers such as the fan-favorite Linksys WRT54GL. The flaw can give an attacker instant root access to the router merely by embedding an image with a specially crafted URL in a Web page (CSRF attack)." The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device.
Yes, there's a fix for this, but what is the likelihood of every person who owns a Wifi router fixing this flaw?
We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.
Just because we love Linux doesn't mean that we should sacrifice the entire ecosystem to that love. We need to nurture other implementations to prevent this type of virus from wiping out our entire networking infrastructure.
I was wondering: How can this attack be carried out if the external web management is turned off? From the article:
Note: The exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As immediate action please disable the remote Web GUI management. But that limitation could be easily overridden by a Cross-Site Request Forgery (CSFR) where a malicious website could inject the exploit from inside the browser.
The Shashdot blurb does state "The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device." but that statement doesn't curb a lot of the "The Sky is FALLING!" reactions....
Basically, I would NEVER allow remote web management of a device if it's on the internet. I believe the default for DD-WRT is to disable it as well, so you'd have to go in and tell the device that you want to enable this feature. All in all, I think for most users, this issue is a non-issue.
Karnal
It's worse than a specially crafted image - there's a code injection flaw in the httpd server so merely accessing a URL that looks like "http://routerIP/cgi-bin/;command_to_execute" will do the trick. That URL can be put in a malicious tag on an HTML page and the user most likely won't even notice it.
See the Register article on it from a couple of days ago.
You know, as much as I used to complain about the many different distros - you've got a damn good point.
Why can't all fpga/microcontroller manufacturers just release free optimizing compilers???
my router keeps redirecting me to porn sites and scrolling "pWnD by c0d3k177y" in HTML marquee tags at the top of my browser.
Bravo to them for owning up to it and also posting the fix on the same page.
The interesting thing I've read a lot here is how vulnerable and worthless Microsoft is when it comes to security...but it seems the people that think this automatically point to Linux as being secure.
Linux is somewhat secure, but a LOT of the security of linux is due to a limited (unfortunately) market share. If Linux owned 30% or more of the market space for end-user goods, we'd see a HUGE influx of hacks, malware, adware, etc.
It flabbergasts me that people don't see this. The greatest thing Linux has going for it is the collaboration and freedom of the code. With that freedom comes the ability to exploit it. Wait til market share gets larger, it'll start to happen a lot more than the rare article here and there. The good news, though, is again, they identified the problem AND THE FIX on the same page. (Something MS has to be drug kicking and screaming along in order to do that)
Sent from your iPad.
Your statement is exactly analogous to this one:
What the hell is a linux? Can someone find a list of actual computers that are affected by this instead of speaking in geek terms?
If you had dd-wrt, you would know.
Give me Classic Slashdot or give me death!
DD-WRT is custom firmware that supports more than 200 different devices. This page will tell you if your device is supported. Someone who wants to use DD-WRT needs to get one of those devices then install this firmware. To answer your question no, someone can not find a list of actual routers that are affect by this. It is likely though that only geeks have it installed and that means that it is more likely that they will patch it.
DD-WRT just isn't compliant with the GPL on so many levels.calling it an "open source" firmware is a lie and a disgrace to the open source community.
The open source parts are OpenWRT.
... to add a firewall-rule fixing this issue.
what the hell is a DD-WRT? Can someone find a list of actual routers that are affected by this instead of speaking in geek terms?
Dude... This is Slashdot. What did you expect? :)
This should have all of the information you need:
http://www.google.com/search?source=ig&hl=en&rlz=&=&q=dd-wrt&aq=f&oq=&aqi=g10
Well, that depends if you installed DD-WRT on it. If you did, then you're affected. If you have the Linksys firmware, then you're not.
If you don't know what is dd-wrt, then you are not affected. Those who have it installed it themselves. There are also a few companies selling routers pre-flashed with dd-wrt but again their market isn't the average joe. By the way, google is your friend.
Sorry about that.
Slashdot entertains. Windows pays the mortgage.
Greetings, I am a Linksys customers service representative. While I'm sorry to hear that you'll be leaving us, I'd like to remind you that if you have to wait for your paycheck in order to purchase a piece of home networking equipment, perhaps navigating flash based websites is the least of your worries. Have you considered going back to school?
I submitted this story more than 72 hours ago. It's been public knowledge for at least 96 hours. I know this isn't strictly a security site, but c'mon! Four days is too long for a remote exploit on one of the most widely deployed consumer router platforms.
That does block the nastier exploit (explained below). But there is another vector which that doesn't address: commands issued *from* your browser. Steps:
The bigger exploit is if you enabled remote management. In that case you don't even have to turn on your computer, they can just directly access your router from the outside. But exploits that require you to visit a malicious link, in any common browser, are still serious.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
The bug resides in DD-WRT's hyper text transfer protocol daemon, which runs as root.
Whhaaat??? And the command looks like:
http://routerIP/cgi-bin/;command_to_execute
Whhaaat???
This is a bug even Adobe would be ashamed to admit. An http server, running as root, accepts arbitrary commands, without authentication, embedded in a URL? That's not a bug thats... that's a design flaw... no... that's... unbelievable!
Is there a legitimate reason that the http daemon runs as root? (It is for embedded devices...) Or that commands are accepted over HTTP GET like that?
Feel free to hate Linksys for any of the other reasons. I was royally pissed off for a long time by the relentless router reboots caused by poor interaction between the logging mechanism and BitTorrent; thankfully they released fixed firmware for that a few years ago. But I'm not going to drop them just because they overuse Flash.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
I have the non-wireless version of this router (BEFSR41)
Does anyone know if affects that too?
It will only affect routers that have the DD-WRT firmware loaded on them. You have to load that firmware yourself, so you would more than likely know if this flaw affected you.
If you installed DD-WRT, yes. This has nothing to do with any technical specs on the router; it's a software processing bug that is exploitable either via an incoming connection from the internet (if remote management is enabled) or if any local user accesses a carefully crafted malicious website.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
NoScript actually mitigates this vulnerability. The ABE feature, in particular:
http://noscript.net/abe/
So although I added the firewall mitigation in dd-wrt, I was pleased to find that NoScript blocked the CSRF request before it even got to the router.
Nope, it affects https as well. Furthermore, it does not require remote web management since the attack can be carried out via CSRF.
You have to re-flash the firmware to install DD-WRT (or Tomato, Open-WRT, etc).
I don't even see your device listed here: http://www.dd-wrt.com/wiki/index.php/Supported_Devices
It's mostly Broadcom or Atheros chipset WiFi routers that are supported.
An easy work around for this is make the router URL IP address on the LAN side not easily predictable.
Stick it somewhere in the 10. private IP space block and any code injection not also stumbling on the correct URL and will instead get a "Server not found" error.
This will vastly reduce the chances of getting hit by any future as of yet undiscovered security problems using a URL, updated patches or not.
Huh? With a URL in a web page the request comes from the browser run by the person sitting inside the network.
How is that a "remote web management" issue? Remote web management would allow a login attempt from anywhere on the internet.
This attack does not need that.
I think YOU need to go re-read the article and come back and explain how a URL on an internal machine is going to try to connect to the external interface of the router (which is what the "remote web management" does, turns on the WAN interface to accept logins.
Comment removed based on user account deletion
If you paid even a lick of attention to TFA, you'd note that this is a vulnerability in third party software. If you've got stock firmware, you don't need to update, and if you don't have stock firmware, you couldn't get the update from Linksys anyway.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
I disagree. Security through obscurity works.
For example: in this case if you had already changed your router's IP address, it would be harder for the attackers to figure it out. For example if you use the 10.35.79.184, the same url that can exploit thousands of other dd-wrt routers (e.g. http://192.168.1.1/etcetc ), won't work on your router. So there has to be an attack specifically targeting you[1]. Which rarely happens unless you're famous or have made yourself infamous (or well-hated amongst hacker circles).
So you have more time to update your router or even have time to wait to see if the updates don't break other stuff first.
You're not as vulnerable to zero-day attacks as other people.
Same goes for putting running sshd servers on a different port. I could use port knocking or other other stuff, but so far running it on a different port works well enough for me.
I actually have my sshd server bound on an IP and port that's unreachable from outside, and my firewall has a rule to forward outside connections to it. This way if a mistake happens and my firewall rules get disabled/cleared, ssh and other crap from outside won't work.
[1] If a top hacker was targeting you specifically, they'd probably be able to pwn you.
For example:
1) I'm sure there are many zero-day browser/plugin exploits left (just look at how fast the pwn2own winners pwn stuff - they just sacrifice one of the zero-day exploits they have).
2) I doubt most ISPs have locked their BGP stuff down, so the attackers could use "BGP eavesdropping/prefix attacks" to hijack your connections.
With 1) and 2) you'd be merrily browsing your usual sites and pwned without noticing a thing- the hacker would just pass most of the traffic on, and just alter one or two connections to exploit the relevant browser bug.
I have Tomato on my outward inner router but this doesn't seeem to be affected as it's based on Linksys' own firmware.
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
I went over the details one thing I am confused about is in this situation is the internal or External IP of the router that is Key here?
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
I'm guessing you could add it to an href in a stylesheet reference, a script src, or even as a link target. I don't see why this would be limited to just images.
today is spelling optional day.
It can only be remotely exploited in that case. However, it can be exploited locally if you load any page that that has a tag of the form <img src="http://192.168.1.1/cgi-bin/;reboot"> replacing 192.168.1.1 with your router's actual IP, and the reboot command with whatever command is desired. So you visit any webpage in any browser and you don't have the browser set to not load images from another domain, and you can be exploited.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
there is no such thing as a "flaw" in Linux.
And this isn't a flaw in Linux: it's a poorly-configured web-server that does stupid things as root. That's no more a flaw in Linux than logging into the console as root and getting the system infected by malware when someone sends you the latest 'naked hot chick' screensaver.
>Yes, there's a fix for this, but what is the likelihood of every person who owns a Wifi router fixing this flaw?
I would use your question to defeat your argument... I can't think of another user community who would be MORE security conscious regarding firmware updates. If you thought about this before posting, you would also have come up empty.
Even the dd-wrt "newbs" know to check for updates, if for nothing else than shiny new features.
>We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.
This does not follow.
The dd-wrt flaw is caused by a STUPID programming error, and would not be mitigated by "homogeny". You might as well claim that "Windows would be more secure if there were more versions of Windows".
Firmware bugs are always nasty face-palm slaps of stupidity. It doesn't matter if you are open source or closed.
dd-wrt will have a lower ratio of developers:users compared to say Ubuntu. With fewer developers, a bug is less likely to be caught in code review, testing, or if someone walks into the error that they recognize it for what it is.
>Just because we love Linux doesn't mean that we should sacrifice the entire ecosystem to that love. We need to nurture other implementations to prevent this type of virus from wiping out our entire networking infrastructure.
Why do you think this is a "Linux" problem?
If you could take the dd-wrt code and run it on top of Windows (which you probably could..), it would STILL have the same vulnerability. Please learn what "CGI" is before conflating it with something else.
Look, the dev team obviously made some stupid design errors (httpd as root...). But also know now that dd-wrt has a huge community... folks will start looking REAL closely at the code for other security gaffes. Paid developers are starting to look at the dd-wrt code now, as some shrinkwrapped routers come with open source firmwares pre-installed.
Besides all that, you can't get any more fragmented (dd-wrt or not) than the router market.
Using this example as for why "Linux [would] sacrifice the entire ecosystem" is just rubbish, sorry to say.
It appears that recent versions of NoScript block this by default with ABE (http://noscript.net/abe/index.html)
Let's hear it for NoScript!
For you, I would recommend tossing it all in the trash.
.sig withheld by request
OK, that's funny. Well deserving of +5.
Indulge me here in a rant about spelling.
I'm sure we all agree that English spelling is hard and irrational. G.B. Shaw joked that "ghoti" is pronounced "fish": 'gh' as in "cough", 'o' as in "women", and 'ti' as in "nation". Story goes that English spelling was set in stone by the first printer who typeset an English manuscript: a dutchman who didn't speak the language.
Spanish did away with all that nonsense years ago. Words are spelled exactly as they are pronounced: "fotografia", etc.
Correct spelling is important for the following reason: it's a measure of your skill at observation. If you have been looking at the correct spelling of a word all your life, every time you read, how come you can't get it right?
When you get hired for a job, you will be expected to learn lots of things by observation; also you will be expected to pay attention to detail. Whether you can spell or not is a measure of your ability. It's a test of whether you understand the code, have had the proper upbringing.
Bad spelling means you are not able to pay attention to detail, and you're a slow learner. Does that sound like someone an employer would want to hire? Unless it's flipping burgers.
Poor spelling is like showing up at a hip venue, dressed in a 70's leisure suit: you just don't get it.
Caveat: English is not my native language (neither is Spanish), sorry for any typos.
Slashdot entertains. Windows pays the mortgage.
God, I love flashing out from under active systems. tldr: Hooray for updates that break wireless and then the whole router. Also, how moronic is it to have the default wireless config be "ddwrt" SSID with no security and no password?
I heard about this on Wednesday, but made sure I had remote admin off [why, God, why would you ever have that on unless you're doing weird voodoo with a wireless point NATting inside your internal network?] and sailed on, planning to takedown and flash sometime Saturday.
This news pushed it to the top of my cut list. People, I know this is old hat to many of you, but backup, backup, backup. I had in hand before I started:
* Settings backed up.
* A copy of the old firmware
* A copy of the new firmware
First flash seemed to go just fine, router said it was rebooting... and then didn't. Uptime still read 20 days. Issued web GUI reboot command... nothing.
Went to the closet, unplugged, replugged. Correct version confirmed, traffic flowing... wireless vanished. What the hell. Went in, redid all the wireless settings. Nope. But I do have a Linksys_SES_blahblah network in view. Nah. Couldn't be.
Unplugged the router again... nope, the SES net is still on the air. Good. Plugged the router back in... "ddwrt" net appears. Aw crap. Plugged the laptop in and changed the password and took the (unpassworded, unencrypted) net off the air. Fuck, that's a moronic default config.
To make a long story less long: flashed back to v24-sp1, reapplied my saved config, flashed the new config, it broke AGAIN. Thought for a minute, applied saved state, crossed fingers... and everything worked. Phew.
Now I have to go around unconfusing all the laptops. Desktops should be fine, since they (hopefully) didn't re-DHCP while the router was at 192.168.1.1 ...
if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
I switched to OpenWRT as soon as I realized what DD-WRT is about.
http://en.wikipedia.org/wiki/DD-WRT#Controversy
The OpenWRT community is a bit more technical and far more competent.
all you need to do is install the certificate when you connect the first time and it is no longer a problem.
If you train end users to install certificates so easily, you also train end users to install a certificate that a phishing site recommends.
Self-signed certificates are only defeated when you have no way to verify that they are who they say there are, not that the encryption is less secure.
I'm starting with the man in the middle. I'm asking him to change his ways. No message could have been any clearer: You could be communicating with a proxy.
It would be nice to know if this affects DD-WRT boxes that are not WAN-facing and are not in router mode.
I have three DD-WRT's in client bridge mode so as to provide wired connections throughout the house. They hop over WiFi to the WAN-facing router which still runs stock VxWorks. So I'd be inclined to think that my boxes are safe.
As for DD-WRT releasing a patch, gee thanks. I have two different (and old) versions of DD-WRT among the three devices and haven't touched them since installing, because upgrading requires lots of personal time with each device to reinstall and reconfigure and god knows what else and I simply don't have the time -- the whole point of setting up client bridges was to make life easier, not some sort of time-consuming exercise in obscure geek cred.
Terrorists can attack freedom, but only Congress can destroy it.
Right, all excellent points. Also, I neglected the even more straightforward scenario of internal attackers. Sigh. Note to self: don't reason about computer security before being truly awake. ;-)
You're doing it wrong.
zarthrag didn't ask for the points for his/her post.
i wish i could stop
This isn't on the desktop, it's on the router. What an idiot...
After reading your link the only jackass is the GNU zealot who thought it would be a good idea to enter the #dd-wrt irc channel and cause a disturbance and the rest of it is whining about him being banned for trolling the channel and trying to justify it.
Also I had to laugh at your comment that dd-wrt is poorly written, because for a long time (I don't know if it's better now) Open wrt was horrible and never worked on almost any routers while dd-wrt ran great (and still does).
"attacks."
Those which target "you" and those which target "everybody."
Security through obscurity is great at insulating you from those attacks that target "everybody" (worms, etc.) because the attack is happy to exploit the common case and not bother with specificities, since that will still net it a bunch of bots/slaves/zombies/etc.
For those which target "you" specifically, security through obscurity will solve absolutely nothing.
Most pointedly (and many people on Slashdot miss this) the largest threat to the common Internet user is precisely of the former kind (the odd worm, being a part of a "net public") and not necessarily attacks that specifically want to compromise ONE machine or network somewhere that is the TARGET of the attack.
Security through obscurity is therefore a useful basic defense if you are not particularly interesting as a node.
STOP . AMERICA . NOW
I loved DD-WRT, and was saddened to see this exploit and the controversy. The exploit is definitely worth jumping ship for, and it took me 40 minutes to install tomato and get my configuration right. And that's only because I'm drunk.
My amazing wife - Artist, Author, Philosopher - Laurie M