Horrible remote root exploit in DD-WRT’s httpd server

I really like my Linksys router at home. I use the great DD-WRT firmware — but for some hours now, the sky has been falling on DD-WRT. There is some stupid code in DD-WRT’s httpd server that allows executing commands via cgi-bin without being authenticated, simply by inserting a shell metacharacter into a URL. Do you want to reboot your router by visiting http://192.168.1.1/cgi-bin/;reboot? Or do you want to easily get a root shell (as demonstrated in this video)? Ohoh..

To exploit this bug, you do not even need to have enabled the administration GUI for WAN access. Simple drive-by exploits are possible by placing URLs like

<img src="http://192.168.1.1/cgi-bin/;ANYCOMMAND" alt="">

on any website. The attack then comes from within your own network, and some JavaScript code could find out your router’s IP address. This should work very often and smells like a DD-WRT botnet. Someone stated in DD-WRT’s forum:

The sky is falling…
This is all much to do about nothing.
This is an international community.
65,270 registered members. Right now, there are 129 guests online (guests = not registered) + the registered members.
Who has been hacked?

In fact, this vulnerability is horrible. So hurry up and change your router’s settings! You have two possibilities:

  • If you do not want to update, it seems that the only secure option is to turn off HTTPS management (the string match below cannot look inside encrypted traffic) and to reject inbound traffic containing “cgi-bin” in the URL. Go to your router’s admin GUI, choose “Administration”, then “Commands”, and enter the following commands to 1) insert the ipt_webstr kernel module and 2) set the corresponding iptables REJECT rule:
    insmod ipt_webstr
    iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset

    Press “Save Firewall”, then reboot your router.
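The firewall rule above blocks the symptom; the root cause is a CGI handler that hands the request path to a shell unchecked. The following is an added example, not DD-WRT code, showing the path validation a hardened httpd would apply and a scan over access-log lines that flags refused cgi-bin requests; the allowlisted script names and the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Characters with special meaning to a shell; none of them belongs in a CGI script name.
SHELL_META = set(";|&`$(){}<>\n\r'\"\\ \t")

# Constructed allowlist standing in for the scripts a router httpd actually ships.
CGI_ALLOWLIST = {"apply.cgi", "status.cgi"}

def cgi_request_is_safe(path: str) -> bool:
    """Return True if the request path cannot smuggle anything into a shell-invoked CGI.

    Paths outside /cgi-bin/ are safe here because no CGI handler ever sees them. A cgi-bin
    path is safe only if, after percent-decoding (so %3B is caught like a literal ';'),
    the script name is free of shell metacharacters and is on the allowlist.
    """
    decoded = unquote(path)
    if not decoded.startswith("/cgi-bin/"):
        return True
    script = decoded[len("/cgi-bin/"):].split("?", 1)[0]
    if any(c in SHELL_META for c in script):
        return False
    return script in CGI_ALLOWLIST

# Common Log Format: client, ident, user, [timestamp], "METHOD path PROTO", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)'
)

def find_cgi_injection_attempts(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, path) for every cgi-bin request the validation above refuses."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            continue
        path = m.group("path")
        if unquote(path).startswith("/cgi-bin/") and not cgi_request_is_safe(path):
            hits.append((m.group("ip"), path))
    return hits

# Constructed sample log: a legitimate status call, a normal page, and two attempts
# (the literal ';' form from the post, and the same with the ';' percent-encoded).
SAMPLE_LOG = """\
192.168.1.23 - - [20/Jul/2009:10:01:02 +0200] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512
192.168.1.23 - - [20/Jul/2009:10:01:05 +0200] "GET /index.asp HTTP/1.1" 200 2048
192.168.1.77 - - [20/Jul/2009:10:02:10 +0200] "GET /cgi-bin/;reboot HTTP/1.1" 200 0
192.168.1.77 - - [20/Jul/2009:10:02:11 +0200] "GET /cgi-bin/%3Breboot HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for ip, path in find_cgi_injection_attempts(SAMPLE_LOG):
        print(f"cgi-bin injection attempt from {ip}: {path}")
```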

Let’s see what the future brings….