Critical vulnerability in DD-WRT, also in OpenWRT?
Hi Eric
I see that DD-WRT has recently found a critical vulnerability in their router (see http://www.theregister.co.uk/2009/07/21 ... uter_vuln/ ). Can you confirm that OpenWRT, and hence Gargoyle, are not similarly affected?
This appears to have caused quite a scare amongst the DD-WRT community...
Regards, Nigel
Re: Critical vulnerability in DD-WRT, also in OpenWRT?
No, Gargoyle is not vulnerable.
Looks like the problem is in the DD-WRT httpd daemon. Gargoyle uses a (minimally) modified mini_httpd daemon, while DD-WRT uses a different, highly customized version of the httpd daemon from the original linksys firmware. The portion of the firmware that causes this problem is not shared between the projects.
Just to be absolutely sure I just tried accessing "http://[my router ip]/cgi-bin/rm -rf ..", which if the vulnerability were present would erase all web scripts/pages being served, but nothing happened. Also, I rechecked the code of my httpd daemon and verified what I recalled: it checks that a file is present before loading it, so if you enter a command in the url it won't run unless there's actually a script with that name.
So... don't worry. Gargoyle is definitely not vulnerable to this exploit.
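The check Eric describes (only run a CGI script that actually exists) is the core of why a URL like "/cgi-bin/;reboot" is harmless, and a hardened dispatcher adds two more guards: the decoded name must stay inside the cgi-bin directory, and the script is started with an argv list rather than through a shell. The following is an added illustration written for this thread, not code from Gargoyle or mini_httpd; the directory layout and the "status.sh" script are constructed for the demo.

```python
import os
import subprocess
import tempfile
from urllib.parse import unquote


def resolve_cgi_script(url_path, cgi_root):
    """Map a /cgi-bin/ request path to a script on disk, or return None.

    Three guards: the request must name something under /cgi-bin/, the
    decoded name must not escape cgi_root after '..' and symlink
    resolution, and (Eric's check) a real executable file must exist
    at that path. Nothing from the URL is ever handed to a shell.
    """
    prefix = "/cgi-bin/"
    if not url_path.startswith(prefix):
        return None
    name = unquote(url_path[len(prefix):].split("?", 1)[0])
    if not name or "\x00" in name:
        return None
    root = os.path.realpath(cgi_root)
    candidate = os.path.realpath(os.path.join(root, name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None  # path traversal attempt
    if not os.path.isfile(candidate) or not os.access(candidate, os.X_OK):
        return None  # no such script, so nothing is run
    return candidate


def run_cgi(script_path):
    """Invoke the resolved script as argv[0]; no shell parses the name."""
    proc = subprocess.run([script_path], capture_output=True, timeout=5)
    return proc.stdout


def demo():
    """Build a throwaway cgi-bin with one constructed script and probe it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        script = os.path.join(root, "status.sh")
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.chmod(script, 0o755)
        return {
            "real": resolve_cgi_script("/cgi-bin/status.sh", root) == script,
            "injection": resolve_cgi_script("/cgi-bin/;reboot", root),
            "rm": resolve_cgi_script("/cgi-bin/rm -rf ..", root),
            "traversal": resolve_cgi_script("/cgi-bin/../../etc/passwd", root),
            "missing": resolve_cgi_script("/cgi-bin/nope.sh", root),
        }
```

Only the genuine script resolves; the two URLs from this thread, a traversal attempt and a nonexistent name all return None before anything is executed.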
Re: Critical vulnerability in DD-WRT, also in OpenWRT?
This was fixed with an iptables rule, not too difficult.
insmod ipt_webstr
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
http://192.168.1.1/cgi-bin/;reboot
Re: Critical vulnerability in DD-WRT, also in OpenWRT?
Ummm... wow. Just wow. That's... special.
You mean instead of patching the http server daemon, they're just blocking http requests that meet the criteria?
Besides being an ugly hack, that leaves the vulnerability wide open if you try connecting via https...
I don't have a dd-wrt installation, but if what you say is true, I'm guessing that if the only patch they applied is that one the following is going to work:
https://192.168.1.1/cgi-bin/;reboot
Re: Critical vulnerability in DD-WRT, also in OpenWRT?
No they patched it within hours with a new build release but some routers won't work correctly with some builds so it was discovered that the iptables fix worked also. There's a better explanation on their main page than I could do here.
Eric wrote:
Ummm... wow. Just wow. That's... special.
You mean instead of patching the http server daemon, they're just blocking http requests that meet the criteria?
Besides being an ugly hack, that leaves the vulnerability wide open if you try connecting via https...
I don't have a dd-wrt installation, but if what you say is true, I'm guessing that if the only patch they applied is that one the following is going to work:
https://192.168.1.1/cgi-bin/;reboot
Re: Critical vulnerability in DD-WRT, also in OpenWRT?
Sounds so delicious! Thanks