Open-source firmware vuln exposes wireless routers (Register)

The Register reports on a DD-WRT vulnerability that would appear to justify an update. "The bug resides in DD-WRT's hyper text transfer protocol daemon, which runs as root. Because the httpd doesn't sanitize user-supplied input, it's vulnerable to remote command injection. While the httpd doesn't listen on the outbound interface, attackers can easily access it using CSRF (cross-site request forgery) techniques."

Open-source firmware vuln exposes wireless routers (Register)

Posted Jul 22, 2009 18:23 UTC (Wed) by lkundrak (subscriber, #43452) [Link]

I'm wondering if CSRF, which requires the victim's cooperation to some
extent and requires that the attacker has knowledge of the inner network
still qualifies as "easily access".

Open-source firmware vuln exposes wireless routers (Register)

Posted Jul 22, 2009 18:40 UTC (Wed) by clugstj (subscriber, #4020) [Link]

Considering that most people don't change the internal network configuration from the default, it would be pretty easy.

Open-source firmware vuln exposes wireless routers (Register)

Posted Jul 22, 2009 22:51 UTC (Wed) by dwmw2 (subscriber, #2063) [Link]

I'm wondering if CSRF, which requires the victim's cooperation to some extent and requires that the attacker has knowledge of the inner network still qualifies as "easily access".
I think so. Given that most people are unfortunately afflicted with crappy ISPs who force NAT upon them by only giving a single IP address, the presented example <img src="http://192.168.0.1/cgi-bin;command"> seems perfectly feasible and doesn't really require any co-operation from the victim at all, does it?
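
Added example (not part of the thread and not DD-WRT's code): a request gate an embedded admin httpd could apply before dispatching to any handler, refusing both the unsanitized path and the cross-site origin that the quoted img URL relies on. The function names and the policy that action endpoints live under /cgi-bin are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum verdict { ALLOW, DENY_PATH, DENY_CROSS_SITE };

/* Allowlist the path: only [A-Za-z0-9._/-] and no "..", so shell
 * metacharacters such as ';' never reach a handler. This is a second layer:
 * handlers should still run helpers with an argv array, not a shell string. */
static int path_is_safe(const char *path)
{
    if (path == NULL || path[0] != '/' || strstr(path, "..") != NULL)
        return 0;
    for (const char *p = path; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && strchr("._/-", *p) == NULL)
            return 0;
    return 1;
}

/* Compare the authority part of the Origin/Referer URL with the Host header.
 * Exact match only; a missing header is treated as cross-site (fails closed). */
static int same_origin(const char *host, const char *source_url)
{
    const char *auth;
    size_t n;
    if (host == NULL || source_url == NULL || (auth = strstr(source_url, "://")) == NULL)
        return 0;
    auth += 3;
    n = strcspn(auth, "/?#");
    return n == strlen(host) && strncmp(auth, host, n) == 0;
}

/* Assumption: action endpoints live under /cgi-bin; static pages do not. */
enum verdict gate_request(const char *path, const char *host, const char *source_url)
{
    if (!path_is_safe(path))
        return DENY_PATH;
    if (strncmp(path, "/cgi-bin", 8) == 0 && !same_origin(host, source_url))
        return DENY_CROSS_SITE;
    return ALLOW;
}

int main(void)
{
    /* Constructed request shaped like the img URL quoted in the thread. */
    printf("%d\n", gate_request("/cgi-bin;command", "192.168.0.1", "http://forum.example/t"));
    return 0;
}
```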

Open-source firmware vuln exposes wireless routers (Register)

Posted Jul 23, 2009 0:39 UTC (Thu) by clugstj (subscriber, #4020) [Link]

I don't know how you can blame the ISPs for people not changing the default network on their NAT device.

Open-source firmware vuln exposes wireless routers (Register)

Posted Jul 23, 2009 0:46 UTC (Thu) by dwmw2 (subscriber, #2063) [Link]

"I don't know how you can blame the ISPs for people not changing the default network on their NAT device."
I don't. I blame the low-quality ISPs for the fact that these people are using NAT at all. That people don't bother to change their RFC1918 addresses from the default is just a fact of life.

When my ISP sent me my router, it was configured with the range of public IP addresses that they'd assigned to my DSL line, in accordance with the number of computers I told them I'd be connecting.

Open-source firmware vuln exposes wireless routers (Register)

Posted Jul 23, 2009 9:24 UTC (Thu) by tzafrir (subscriber, #11501) [Link]

Let's blame the ISPs for the clients not having IPv6, then.

With IPv6 such a default address of the router would be pointless, right?

(though there may be some default name to replace it?)

Open-source firmware vuln exposes wireless routers (Register)

Posted Jul 23, 2009 11:46 UTC (Thu) by dwmw2 (subscriber, #2063) [Link]

Nah, in this context IPv6 is mostly irrelevant — even when you have a decent ISP who provides IPv6 connectivity, you're still likely to be running dual-stack, rather than using something like NAT-PT. So your router is still going to have to route Legacy IP too.

Copyright © 2009, Eklektix, Inc.