Critical vulnerability in DD-WRT, also in OpenWRT?

Posted: Mon Jul 27, 2009 8:01 am
by NL2009
Hi Eric

I see that DD-WRT has recently found a critical vulnerability in their router (see http://www.theregister.co.uk/2009/07/21 ... uter_vuln/ ). Can you confirm that OpenWRT, and hence Gargoyle, are not similarly affected?

This appears to have caused quite a scare amongst the DD-WRT community...

Re: Critical vulnerability in DD-WRT, also in OpenWRT?

Posted: Mon Jul 27, 2009 10:21 am
by Eric
No, Gargoyle is not vulnerable.

Looks like the problem is in the DD-WRT httpd daemon. Gargoyle uses a (minimally) modified mini_httpd daemon, while DD-WRT uses a different, highly customized version of the httpd daemon from the original linksys firmware. The portion of the firmware that causes this problem is not shared between the projects.

Just to be absolutely sure I just tried accessing "http://[my router ip]/cgi-bin/rm -rf ..", which if the vulnerability were present would erase all web scripts/pages being served, but nothing happened. Also, I rechecked the code of my httpd daemon and verified what I recalled: it checks that a file is present before loading it, so if you enter a command in the url it won't run unless there's actually a script with that name.

So... don't worry. Gargoyle is definitely not vulnerable to this exploit.
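The check Eric describes above (verify that a script with the requested name actually exists before doing anything with the URL), written out as an added example; this is not Gargoyle's, mini_httpd's or DD-WRT's code, and the cgi_dir argument, the resolve_cgi name and the status codes are my own assumptions.

```c
/* Added example: how a CGI dispatcher can refuse to act on a URL path unless it
 * names an existing executable script.  No shell is involved at any point.  */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <sys/stat.h>
#include <unistd.h>

enum cgi_status { CGI_OK = 0, CGI_BAD_NAME, CGI_TOO_LONG, CGI_NOT_FOUND, CGI_NOT_EXEC };

/* Accept only [A-Za-z0-9._-] and no leading dot.  This excludes '/', ' ', ';'
 * and every other shell metacharacter, and "..", so a request such as
 * "rm -rf .." or ";reboot" is rejected before the filesystem is consulted. */
static int safe_script_name(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '.')
        return 0;
    for (const char *p = name; *p; p++) {
        if (!(isalnum((unsigned char)*p) || *p == '.' || *p == '_' || *p == '-'))
            return 0;
    }
    return 1;
}

/* Returns CGI_OK and writes cgi_dir/name into out only when that path is an
 * existing regular file with an execute bit set; otherwise says why not. */
enum cgi_status resolve_cgi(const char *cgi_dir, const char *name, char *out, size_t outlen)
{
    struct stat st;

    if (!safe_script_name(name))
        return CGI_BAD_NAME;
    if (snprintf(out, outlen, "%s/%s", cgi_dir, name) >= (int)outlen)
        return CGI_TOO_LONG;
    if (stat(out, &st) != 0 || !S_ISREG(st.st_mode))
        return CGI_NOT_FOUND;   /* nothing to run: refuse rather than improvise */
    if ((st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)
        return CGI_NOT_EXEC;
    return CGI_OK;
}

/* Stand-alone demo against /bin (constructed inputs, assumed to exist on a Linux host). */
int main(void)
{
    char path[256];
    const char *tries[] = { "sh", "rm -rf ..", ";reboot", "../sh", "no_such_script" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-16s -> status %d\n", tries[i], resolve_cgi("/bin", tries[i], path, sizeof path));
    return 0;
}
```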

Re: Critical vulnerability in DD-WRT, also in OpenWRT?

Posted: Mon Jul 27, 2009 12:01 pm
by NL2009
Thanks :P

Re: Critical vulnerability in DD-WRT, also in OpenWRT?

Posted: Sun Aug 02, 2009 12:29 am
by mordak
This was fixed with an iptables rule, not too difficult.

insmod ipt_webstr                          # load the webstr match module used below
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset   # drop any earlier copy of the rule
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset   # reset TCP requests whose URL contains cgi-bin

http://192.168.1.1/cgi-bin/;reboot

Re: Critical vulnerability in DD-WRT, also in OpenWRT?

Posted: Sun Aug 02, 2009 2:36 am
by Eric
Ummm... wow. Just wow. That's... special.

You mean instead of patching the http server daemon, they're just blocking http requests that meet the criteria?

Besides being an ugly hack, that leaves the vulnerability wide open if you try connecting via https...

I don't have a dd-wrt installation, but if what you say is true, I'm guessing that if the only patch they applied is that one the following is going to work:

https://192.168.1.1/cgi-bin/;reboot

Re: Critical vulnerability in DD-WRT, also in OpenWRT?

Posted: Sun Aug 02, 2009 9:36 am
by mordak
Eric wrote: Ummm... wow. Just wow. That's... special.

You mean instead of patching the http server daemon, they're just blocking http requests that meet the criteria?

Besides being an ugly hack, that leaves the vulnerability wide open if you try connecting via https...

I don't have a dd-wrt installation, but if what you say is true, I'm guessing that if the only patch they applied is that one the following is going to work:

https://192.168.1.1/cgi-bin/;reboot

No, they patched it within hours with a new build release, but some routers won't work correctly with some builds, so it was discovered that the iptables fix worked also. There's a better explanation on their main page than I could do here.

Re: Critical vulnerability in DD-WRT, also in OpenWRT?

Posted: Thu Feb 18, 2010 4:29 am
by haxi052
Sounds so delicious! Thanks