The next target for virus/trojan writers (+ DD-WRT Vulnerability)

altis · 17-07-2009, 20:13

Sorry to spread more doom and gloom but I've a feeling that this could turn out to be a big problem.

http://www.theregister.co.uk/2009/07...terface_peril/

Many appliances (routers, webcams, NAS etc) that we plug into our networks are running long-out-of-date Linux kernels with application software that's out of the door as fast as possible with little regard to security. Many are rarely updated - if at all. Little wonder, then, that many are wide open to attacks from malware.

Druchii · 17-07-2009, 20:21

Yep, i was thinking about this years ago, when i managed to somehow get into my router via web-interface, without supplying the set password.
Only happened once... Made me think though.

Personally, i think they big 3rd party firmware creators could do well to protect against as much of this as possible when the Manufacturers aren't.
I'm looking at things like DD-WRT, Tomato and Open-WRT etc... It could pay to be the one to develop and protect against all this... This is just routers though.

altis · 21-07-2009, 20:27

DD-WRT users beware:

http://www.theregister.co.uk/2009/07...t_router_vuln/

Dai · 22-07-2009, 07:25

http://www.theregister.co.uk/2009/07...t_router_vuln/

A hacker has discovered a critical vulnerability in open-source firmware available for wireless routers made by Linksys and other manufacturers that allows attackers to remotely penetrate the device and take full control of it.

**Graham M** · 22-07-2009, 07:29

I have merged these 2 threads as they are on the same subject, 2 threads away from each other, in the same forum

Dai · 22-07-2009, 08:47

Oops. Time for specsavers..

altis · 22-07-2009, 09:16

To be fair, the original title was far more generic and didn't specifically mention DD-WRT so was easy to miss.

A quick fix is available here:
http://www.dd-wrt.com/dd-wrtv2/down....-21-09-r12533/

No doubt there'll be more appliances under attack soon.

Druchii · 22-07-2009, 15:20

My WRT54GL V1.1 running V24 SP1 seems not to be vulnerable. I've been hitting it with this attack to reboot and it hasn't done so once.

And i can't find WRT54GL in the update list.

Raistlin · 28-07-2009, 08:21

Just been looking at the exploit code for this and thought it was worth pointing out that (in the default configuration) routers running vulnerable firmware are only available from inside the network.

That is to say that it is only vulnerable from the private interface, and not the public on. The exploit needs to be directed at the router's web management interface, typically this wouldn't be exposed to the public.

That doesn't mean that it isn't an issue though. An attacker could set up some sort of cross-site request forgery attack (a maliciously crafted media file for example) that triggers in the victim's browser, runs the exploit against the router's management interface, and then returns the root shell to the attacker.

Found an interesting little video (you'll need to blow it up to full screen) that shows the proof of concept attack.

http://www.youtube.com/watch?v=UhDcXCVFrvM

By the way, all of this information is public domain - I present it here for the interest of those people that I know are interested in these things. Hopefully if more people are educated to how these things work we might see fewer people affected in the future.