Remotely exploitable vulnerability can give attackers root access

Jul 22, 2009 13:52 GMT

A hacker has published details about a zero-day vulnerability found in the popular DD-WRT open source firmware for wireless routers. Exploiting the flaw is rather trivial and allows an attacker to execute arbitrary commands as root.

DD-WRT is a Linux-based firmware that can be installed on more than 200 wireless router models from a wide range of manufacturers, including big industry players such as Linksys, Netgear or D-Link. A significant number of knowledgeable users replace pre-installed router firmware with DD-WRT in order to extend the capabilities of their device.

A Bulgarian hacker going by the online handle of "gat3way" announced that all versions of the open source firmware up to V24 preSP2 contained a critical shell command injection flaw, which he described as a "weird vulnerability you're unlikely to see in 2009."

More specifically, the bug is located in DD-WRT's HTTPD daemon and, according to gat3way, it is the result of several poor architectural decisions. For example, the web interface will accept and execute commands passed directly via URLs, without requiring authentication, even if an authentication dialog does appear.

In addition, according to gat3way, the HTTPD server runs as root, meaning that a request to http://routerIP/cgi-bin/;command executes the given shell command with the highest privileges. Remote attacks are not that straightforward, though, because the administration interface is not remotely accessible by default.

However, an attacker can bypass that limitation through cross-site request forgery (CSRF), and there are even ways to suppress the login dialog in order to make the attack transparent. "This means someone can even post some crafted [img] link on a forum and a dd-wrt router owner visiting the forum will get owned," gat3way warns.
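For defenders reviewing the request pattern described above (a `;` placed directly after `/cgi-bin/`), the following is an added detection example; it is not code from the article, from gat3way, or from the DD-WRT project. It assumes web-server access logs in Common Log Format, which DD-WRT's HTTPD may not produce, and the log lines it scans are constructed for the example. It goes slightly beyond the article by percent-decoding the request path repeatedly, so a semicolon written as `%3B` (or `%253B`) is still recognized.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format, written for this
# example; they are not real DD-WRT output. Two lines carry the
# "/cgi-bin/;<command>" request shape the article describes, one of them
# with the semicolon percent-encoded as %3B.
SAMPLE_LOG = """\
192.168.1.50 - - [22/Jul/2009:13:52:01 +0000] "GET /Info.htm HTTP/1.1" 200 5120
192.168.1.77 - - [22/Jul/2009:13:52:05 +0000] "GET /cgi-bin/;uptime HTTP/1.1" 200 0
192.168.1.77 - - [22/Jul/2009:13:52:09 +0000] "GET /cgi-bin/%3Bid HTTP/1.1" 200 0
192.168.1.12 - - [22/Jul/2009:13:53:00 +0000] "GET /cgi-bin/status.cgi?x=1 HTTP/1.1" 200 2048
this line is not in Common Log Format
"""

# Common Log Format: host ident authuser [timestamp] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of the CLF fields, or None if the line does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(raw_path, max_rounds=3):
    """Drop the query string and percent-decode repeatedly until the result is
    stable, so %3B (and double-encoded %253B) are seen as the ';' they become
    once the server decodes them."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_cgi_injection(raw_path):
    """True when the request targets the cgi-bin handler with a ';' immediately
    after it, the request shape the article attributes to the DD-WRT httpd flaw."""
    return normalize_path(raw_path).startswith("/cgi-bin/;")


def find_injection_attempts(log_text):
    """Scan log text and return one record per suspicious request."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = parse_line(line)
        if fields is None:
            continue  # malformed line: skip it rather than abort the scan
        if is_cgi_injection(fields["path"]):
            hits.append({
                "line": lineno,
                "ip": fields["ip"],
                "ts": fields["ts"],
                "path": fields["path"],
                "decoded_path": normalize_path(fields["path"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f'line {hit["line"]}: {hit["ip"]} requested '
              f'{hit["decoded_path"]!r} at {hit["ts"]}')
```

The check is deliberately anchored on the decoded path rather than the raw request string: a signature that only looks for a literal `;` would miss the percent-encoded form, while one that inspects any `;` anywhere in a URL would flag legitimate query strings. Because the article notes the flaw is reachable without authentication, a hit from an address that never logged in is not evidence of a stolen credential, only of the request itself.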

According to The Register, Sebastian Gottschall, DD-WRT's founder and main developer, confirmed the vulnerability, but noted that the development team was not notified in advance of it being made public. He pointed out that the issue had been addressed in build 07-21-09-r12533 of the V24 preSP2 version.