Critical Flaw Discovered In DD-WRT
MagicM writes "A critical flaw has been discovered in DD-WRT, a Linux based alternative open source firmware for WLAN routers such as the fan-favorite Linksys WRT54GL. The flaw can give an attacker instant root access to the router merely by embedding an image with a specially crafted URL in a Web page (CSRF attack)." The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device.
I was wondering: How can this attack be carried out if the external web management is turned off? From the article:
Note: The exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As immediate action please disable the remote Web GUI management. But that limitation could be easily overridden by a Cross-Site Request Forgery (CSRF) where a malicious website could inject the exploit from inside the browser.
The Slashdot blurb does state "The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device." but that statement doesn't curb a lot of the "The Sky is FALLING!" reactions....
Basically, I would NEVER allow remote web management of a device if it's on the internet. I believe the default for DD-WRT is to disable it as well, so you'd have to go in and tell the device that you want to enable this feature. All in all, I think for most users, this issue is a non-issue.
Karnal
It's worse than a specially crafted image - there's a code injection flaw in the httpd server so merely accessing a URL that looks like "http://routerIP/cgi-bin/;command_to_execute" will do the trick. That URL can be put in a malicious tag on an HTML page and the user most likely won't even notice it.
See the Register article on it from a couple of days ago.
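The URL shape described in the comment above can be looked for in page markup before a browser fetches it. The following is an added example, not part of the original thread or of DD-WRT: a small Python scanner that flags embedded resources whose path begins with `/cgi-bin/;`. The function names and the sample HTML are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Attributes whose value a browser may fetch or navigate to.
URL_ATTRS = {"src", "href", "action", "data", "poster"}

def is_internal_host(host):
    """True for literal private, loopback or link-local addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local

def suspicious_url(url):
    """Match the URL shape quoted in the thread: /cgi-bin/ followed by ';'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # the thread notes https is affected too
        return False
    path = unquote(parts.path)  # decode first so %3B is caught as well
    return path.startswith("/cgi-bin/;")

class EmbeddedUrlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, targets_internal_address)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and suspicious_url(value):
                host = urlsplit(value).hostname or ""
                self.findings.append((tag, value, is_internal_host(host)))

def scan_html(html):
    scanner = EmbeddedUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; "command_to_execute" is the placeholder from the thread.
SAMPLE_HTML = """
<html><body>
<img src="http://192.168.1.1/cgi-bin/;command_to_execute" width="1" height="1">
<img src="https://10.35.79.184/cgi-bin/%3Bcommand_to_execute">
<img src="https://example.com/logo.png">
<a href="http://192.168.1.1/cgi-bin/status">router status</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, internal in scan_html(SAMPLE_HTML):
        print(f"<{tag}> {url} internal_target={internal}")
```

The same `suspicious_url` check can be applied to request lines in a proxy log, where a hit against an internal address from a page on an external origin is the signal worth alerting on.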
What are you talking about?
1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?
2. Do you think DD-WRT was really all that much more susceptible to having a flaw than, say, something from Cisco? Or, by the same thought process, do you think open source Linux is inherently more vulnerable than Windows?
3. Homogeny? Huh?! Do you mean the homogeny that's defined as "a significant portion of huge nerds (though certainly not even close to a majority) uses this software"? How many routers are being used in homes and small businesses around the world? You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware.
Software bugs happen. You don't need to get all philosophical about it. And besides, this is no more dangerous than the much larger number of people probably still using the default password on their router, and probably only slightly more dangerous than the huge number of people who don't have any kind of security. Relax.
Whale
Yes, there's a fix for this, but what is the likelihood of every person who owns a Wifi router fixing this flaw?
We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.
Just because we love Linux doesn't mean that we should sacrifice the entire ecosystem to that love. We need to nurture other implementations to prevent this type of virus from wiping out our entire networking infrastructure.
What is the likelihood of any flaw on any system getting patched? I don't see how a vulnerability in DD-WRT is any different than if Cisco announced a major vulnerability in one of their systems. I bet just about the same percentage would be patched.
We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.
As opposed to using the base software from Linksys/Cisco where you don't know where the flaws lie, and if someone figures it out, it rarely ever gets published on the web openly or gets fixed soon enough in a firmware update. How is that different? At least if you use Linux, you have people who care, and only people who care about their networks or improved experience with their routers use DD-WRT/OpenWRT/Other in the first place. Most just use the default software on their routers, which remains unpatched for a large portion of its use if at all.
It's hardly an issue with every wireless router. For example, the Tomato firmware is not vulnerable to this. Furthermore, most routers with DD-WRT are custom flashed, they don't come stock with it.
Game! - Where the stick is mightier than the sword!
DD-WRT is custom firmware that supports more than 200 different devices. This page will tell you if your device is supported. Someone who wants to use DD-WRT needs to get one of those devices then install this firmware. To answer your question: no, someone can not find a list of actual routers that are affected by this. It is likely though that only geeks have it installed and that means that it is more likely that they will patch it.
DD-WRT just isn't compliant with the GPL on so many levels. Calling it an "open source" firmware is a lie and a disgrace to the open source community.
The open source parts are OpenWRT.
3. Homogeny? Huh?! Do you mean the homogeny that's defined as "a significant portion of huge nerds (though certainly not even close to a majority) uses this software"? How many routers are being used in homes and small businesses around the world? You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware.
WRT54GL
http://www.linksysbycisco.com/US/en/products/WRT54GL
... to add a firewall-rule fixing this issue.
1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?
You're assuming that all these people that installed dd-wrt on their router installed it on their own routers only. Not their parents, friends etc, and forgot about it.
Do most open source projects have a mailing list in which ONLY important notifications like this go out? In comparison, two years ago I bought a coffee pot from Amazon, and the manufacturer issued a recall for the pot itself. Amazon notified me via email that there was a recall for the pot and provided instructions on how to get a new replacement glass pot. Trolling forums or slashdot isn't exactly my idea of customer service.
If I had bought a Cisco/linksys router and there was a similar problem would I have been notified after registering the product?
[Citation Needed]
If you read the comments on NewEgg.com for that router model, not everyone mentions DD-WRT. Some use other 3rd party firmwares like Tomato or Open-WRT or custom builds. And believe it or not, some even write a positive review for the default factory firmware. The nice thing about that model ("L" version) is the extra memory headroom. Earlier models were stripped and crippled to run a really crappy default firmware from Linksys. BitTorrent crashes these small memory models often.
http://en.wikipedia.org/wiki/Linksys_WRT54G_series#Hardware_and_revisions
Greetings, I am a Linksys customer service representative. While I'm sorry to hear that you'll be leaving us, I'd like to remind you that if you have to wait for your paycheck in order to purchase a piece of home networking equipment, perhaps navigating flash based websites is the least of your worries. Have you considered going back to school?
langs morf. get use 2 it.
The bug resides in DD-WRT's hyper text transfer protocol daemon, which runs as root.
Whhaaat??? And the command looks like:
http://routerIP/cgi-bin/;command_to_execute
Whhaaat???
This is a bug even Adobe would be ashamed to admit. An http server, running as root, accepts arbitrary commands, without authentication, embedded in a URL? That's not a bug that's... that's a design flaw... no... that's... unbelievable!
Is there a legitimate reason that the http daemon runs as root? (It is for embedded devices...) Or that commands are accepted over HTTP GET like that?
Nope, it affects https as well. Furthermore, it does not require remote web management since the attack can be carried out via CSRF.
If you paid even a lick of attention to TFA, you'd note that this is a vulnerability in third party software. If you've got stock firmware, you don't need to update, and if you don't have stock firmware, you couldn't get the update from Linksys anyway.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
I disagree. Security through obscurity works.
For example: in this case if you had already changed your router's IP address, it would be harder for the attackers to figure it out. For example if you use the 10.35.79.184, the same url that can exploit thousands of other dd-wrt routers (e.g. http://192.168.1.1/etcetc ), won't work on your router. So there has to be an attack specifically targeting you[1]. Which rarely happens unless you're famous or have made yourself infamous (or well-hated amongst hacker circles).
So you have more time to update your router or even have time to wait to see if the updates don't break other stuff first.
You're not as vulnerable to zero-day attacks as other people.
Same goes for running sshd servers on a different port. I could use port knocking or other stuff, but so far running it on a different port works well enough for me.
I actually have my sshd server bound on an IP and port that's unreachable from outside, and my firewall has a rule to forward outside connections to it. This way if a mistake happens and my firewall rules get disabled/cleared, ssh and other crap from outside won't work.
[1] If a top hacker was targeting you specifically, they'd probably be able to pwn you.
For example:
1) I'm sure there are many zero-day browser/plugin exploits left (just look at how fast the pwn2own winners pwn stuff - they just sacrifice one of the zero-day exploits they have).
2) I doubt most ISPs have locked their BGP stuff down, so the attackers could use "BGP eavesdropping/prefix attacks" to hijack your connections.
With 1) and 2) you'd be merrily browsing your usual sites and pwned without noticing a thing - the hacker would just pass most of the traffic on, and just alter one or two connections to exploit the relevant browser bug.
So you agree that earlier models which were released shortly before the WRT54GL, were stripped and crippled. Except for the part where you said he was wrong you just agreed with everything the grandparent poster said.
I hope the following tale satisfies your curiosity.
Back in the day, you had a company named Linksys. They made excellent home routers. I dare say the best you could get on the market. They release several versions of a certain wireless router, model WRT54G. People everywhere rejoice, because they can hack away at this machine to their heart's content. Modding the firmware, modding the hardware. You name it.
During this period, a certain, shall we say, rather shitty manufacturer of 'Enterprise' routers, named Cisco, decides to buy this rather successful smaller company. They want a piece of that vast home router market that Linksys enjoys.
So, the corporate behemoth decides to take a good look at the hardware that Linksys has been selling, and lo and behold, it is as good as or even better than the shite they sell to their 'Enterprise' customers! "Oh noes!" they exclaim, "We can't have THIS nonsense going on! What do we do if our 'Enterprise' customers see our webpage and start buying the Linksys branded routers instead of our over-priced 'Enterprise' Cisco-branded crap?"
Henceforth, it was decreed by the demi-dogs of Cisco Corporate Headquarters that "There shall not be any extra features or better hardware in the 'Consumer' class routers that already exist in our 'Enterprise' class routers!"
Narrator's Note: We ended up with the crippled turds known as the WRT54G v5 to v8.2.
Soon the Corporate demi-dogs started noticing they were swiftly losing sales and receiving MANY customer complaints about their latest iterations of the WRT54G. To save their own hides from the proverbial pitchforks and torches of their 'Consumer' class customers, and their cousins, called 'The Shareholders', they quickly released a version of the WRT54G, and designated it the WRT54GL v1.1 (US).
There was much rejoicing, as now we could happily hack away at our precious WRTs again, even if not quite so spectacularly as before.
Narrator's Note: For some odd reason, the US got a v1.1 and Europe started off with a v1.0c at the same time.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.