Wide open remote root exploit on dd-wrt


As reported on Slashdot, there is a wide open exploit on dd-wrt due to how the httpd server handles and parses incoming requests that have not been authenticated. The HTTP GET request used by the exploit has been posted on milw0rm. If you haven’t already, you should either update your dd-wrt installation to build 11533 (most router firmwares have already been updated to this latest build on dd-wrt’s router database) or insert the following firewall rules:

The below was taken from dd-wrt’s site directly.

The exploit can also be stopped, using a firewall rule: Go to your router’s admin interface to > Administration > Commands and enter the following text:

insmod ipt_webstr
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset

Press "Save Firewall" and reboot your router. This rule blocks any attempt to access something that has "cgi-bin" in the URL. You can verify that the rule is working by entering:

in your browser. That should give a “Connection was reset” (Firefox).
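The same verification can be scripted from a machine on the LAN. The following is an added example, not code from dd-wrt or from the original post: it requests a harmless path containing "cgi-bin" and reports whether the connection is reset, with a control request to "/" so that a router whose web interface is simply off is not mistaken for a working rule. The function names and the /cgi-bin/rule-check path are assumptions made for this example.

```python
import socket
import sys


def probe(host, port=80, path="/", timeout=5.0):
    """Send one GET request and classify what came back.

    Returns "reset" (TCP RST, what REJECT --reject-with tcp-reset produces),
    "answered" (the httpd replied), "closed" (connection closed without data)
    or "unreachable" (refused, timed out, no route).
    """
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(request)
            data = conn.recv(1024)
    except (ConnectionResetError, BrokenPipeError):
        return "reset"
    except OSError:
        # Covers connection refused, timeouts and routing errors.
        return "unreachable"
    return "answered" if data else "closed"


def rule_is_active(host, port=80):
    """True only if a normal URL is served and a cgi-bin URL is reset."""
    # Control: a URL without "cgi-bin" must still get a reply, otherwise
    # a reset on the second request says nothing about the webstr rule.
    control = probe(host, port, "/")
    # Harmless path (assumed name): the rule matches on the substring alone.
    blocked = probe(host, port, "/cgi-bin/rule-check")
    return control == "answered" and blocked == "reset"


if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python3 check_rule.py <router-address>
    print("webstr rule active:", rule_is_active(sys.argv[1]))
```

A result of False with the control request answered means the rule is not loaded, for example because the firewall commands were not saved before the reboot.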

This article was posted by Matty on 2009-07-25 08:08:00 -0400