Feeds

Open-source firmware vuln exposes wireless routers

Back door to complete control

High performance access to file storage

A hacker has discovered a critical vulnerability in open-source firmware available for wireless routers made by Linksys and other manufacturers that allows attackers to remotely penetrate the device and take full control of it.

The remote root vulnerability affects the most recent version of DD-WRT, a piece of firmware many router users install to give their device capabilities not available by default. The bug allows unauthenticated users to remotely gain root access simply by luring someone on the local network to a malicious website.

"This means someone can even post some crafted [img] link on a forum and a dd-wrt router owner visiting the forum will get owned," a user named Leka Vecher "gat3way" wrote in this posting to Milw0rm. "A weird vulnerability you're unlikely to see in 2009 :) Quite embarrassing I would say."

Messages sent through the DD-WRT website to the software designers weren't returned by time of publication, but comments posted to this user forum thread said the vulnerability affected the most recent builds, prompting a user by the name of autobot to declare the vulnerability a "mini code red."

The bug resides in DD-WRT's hyper text transfer protocol daemon, which runs as root. Because the httpd doesn't sanitize user-supplied input, it's vulnerable to remote command injection. While the httpd doesn't listen on the outbound interface, attackers can easily access it using CSRF (cross-site request forgery) techniques.

What's more, exploits need not be part of an authenticated session, making them easy to carry out. Examples of URLs that allow remote takeover include:

http://routerIP/cgi-bin/;command_to_execute

or even:

<img src="http://192.168.0.1/cgi-bin/;CMD" alt="">

DD-WRT is open-source firmware that runs more than 200 different models of wireless routers and embedded devices, including those made Linksys, D-Link, Buffalo, and Netgear. If you don't know whether your device uses it, chances are it does not. Penetration testers using the Metasploit project can download this module to audit whether a particular piece of hardware is vulnerable.

Additional details about the bug are here and here. ®

Update

DD-WRT developer Sebastian Gottschall just emailed to say an interim fix is available here. "Consider that this exploit was released without any Report to us," he added.

A DD-WRT representative also says attacks exploiting the vulnerability can be prevented without updating the firmware by adding a firewall rule. Here's how:

Go to your router, "Administration", "Commands" and enter the follwing text:

insmod ipt_webstr

iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset

and press "Save Firewall", then reboot your router.

This rule blocks any try to access sth that has "cgi-bin" in the URL.

You can prove that the rule works by entering: http://192.168.1.1/cgi-bin/;reboot in your browser. That should give a "Connection was reset" (Firefox).

Important Note: this does not work, if https management is turned on.

You need to turn off https management. If you don't want to do that, PLEASE UPDATE.

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.