Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) Dec 10 2008 11:51PM
David E. Thiel (lx redundancy redundancy org)
On Wed, Dec 10, 2008 at 05:22:56AM -0700, s.gottschall (at) dd-wrt (dot) com wrote:
> this is no security flaw since you must be already logged in
> within the web interface of dd-wrt. otherwise this here will not
> work. we already fixed this issue in our source tree

It is a security flaw, you've neither fixed it nor understood it. The
whole point of CSRF is that it works by using the victim's active
session. An easy scenario in the case of DD-WRT is one where a victim
reads a malicious "HOWTO" site, which has step by step instructions on
how to, say, boost signal strength. The user opens one tab to read the
howto, and another to log into the DD-WRT web interface. JavaScript in a
tiny IFRAME on the malicious site performs repeated POSTs such as those
posted in the original advisory.

Your "fix" is simply checking the Referer header if it's present.
Referer is an optional header which is often omitted, either due to
firewalls/AV software removing it, or due to it not being sent by the
browser due to an HTTP/HTTPS site transition.


I suggest giving these a read:


> as additional information. this is no dd-wrt specific issue. all
> other firmware like openwrt etc. would suffer from it too.

Even if this were true, that wouldn't make this less of a flaw.
Rooting your router through CSRF is pretty bad. Linksys has supposedly
fixed theirs, but I don't know how well. Other firmwares do have CSRF
problems, but they don't have the same entertainment value of DD-WRT's
httpd.c (I like line 963).



Copyright 2010, SecurityFocus