I really like my Linksys Router at home. I use the great DD-WRT firmware — but since some hours, the sky is falling down on DD-WRT.. There is some stupid code in DD-WRT’s httpd server, that enables executing code via cgi-bin without being authenticated by just inserting a metacharacter into an URL. Do you like to reboot you rooter by visiting http://192.168.1.1/cgi-bin/;reboot? Or do you like to easily get a root shell (as demonstrated in this video)? Ohoh..
To exploit this bug, you even don’t need to have enabled the administration GUI for WAN access. Simple drive-by exploits are possible by placing URLs like
<img src="http://192.168.1.1/cgi-bin/;ANYCOMMAND" alt="">
The sky is falling…
This is all much to do about nothing.
This is an international community.
65,270 registered members. Right now, there is 129 guests online (guests = not registered) + the registered members.
Who has been hacked?
In fact, this vulnerability is horrible. So, hurry up with changing your router’s setting! You’ve two possibilities:
- Update to DD-WRT V24-SP2pre (there, they’ve already fixed the problem)
- If you do not want to update, it seems that the only secure options is to turn off https management and to reject inbound traffic containing “cgi-bin” in an URL. Go to your router admin GUI, choose “Administration”, “Commands” and enter the follwing commands to 1) insert ipt_webstr kernel module and 2) set the corresponding iptables REJECT rule:
insmod ipt_webstr iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
Press “Save Firewall”, then reboot your router.
Let’s see what the future brings….