BugTraq
Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) Dec 11 2008 08:57AM
pUm (hijacka googlemail com) (2 replies)
Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) Dec 11 2008 01:14PM
Sebastian Gottschall (DD-WRT) (s gottschall dd-wrt com) (1 replies)
all fixed images (for all platforms) are now provided here in our test
folder

http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Fothers%2Feko%2FBrainSlayer-V24-preSP2%2F111208/

consider, before you advise to "not use" dd-wrt.

all other major firmware distributions are affected by the same issue.
this includes openwrt too

Sebastian

pUm wrote:
> this is no security flaw since you must be already logged in within
> the webinterface of dd-wrt. otherwise this here will not work. we
> already fixed this issue in our sourcetree
>
> as additional information. this is no dd-wrt specific issue. all other
> firmware like openwrt etc. would suffer from it too.
>
> in fact. just a plain POST to an authenticated dd-wrt session. without
> being logged in locally it would not have any effect
> -----------------------------------
>
> oh god - you dd-wrt people suck so much. it's unbelievable in which
> way you are handling security advisories. if you would be able to make
> a post without authentication it would be much worse. I would
> recommend to read www.owasp.org
>
> another example for the bad security work of the dd-wrt guys is
> this forum post:
> http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783&postdays=0&postorder=asc&start=0
>
> bitmage discovered that in every fresh release and every custom
> firewall two other rules are added in front of all.
> the rules will allow every service on the dd-wrt router from the ip
> 194.231.229.20 and from the ip 212.65.2.116
>
> some workarounds exist, I didn't test any of them, because dd-wrt isn't
> trustworthy anymore for me. I can confirm this flaw in the latest
> stable vpn release.
>
> please note the workarounds from the main developer from dd-wrt:
> "even i see no reason for this. these ip addresses aren't valid
> anymore. it seems that chris implemented this for a customer. i
> removed it now" (they are still in the default install image)
> "nvram unset ral
> nvram commit "
> "there is no security hole. both IPs are not active anymore and
> obsolete since a long time. "
> "i will lock this thread now. a new release is scheduled soon (within
> this or next week), but you cannot force me to release buggy code
> based on the current internal tree. that's my last statement on this
> topic" (Posted: Tue Aug 19, 2008 10:57 pm)
>
> I recommend everyone to not use dd-wrt anymore, at least as long as
> they didn't change their politics and stop talking bullshit "there is
> no security hole"
>
> cheers
>
>

--
Kind regards

Sebastian Gottschall / CTO

NewMedia-NET GmbH - DD-WRT
Registered office: Wormser Straße 5 - 7, 64625 Bensheim
Register court: Amtsgericht Darmstadt, HRB 25473
Managing directors: Peter Steinhäuser, Christian Scheele
http://www.dd-wrt.com
email: s.gottschall (at) dd-wrt (dot) com
Tel.: +496251-582650 / Fax: +496251-5826565
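
Added example, not part of the thread or of DD-WRT's code: a shell check for the firewall claim quoted above, flagging ACCEPT rules whose source is one of the two addresses named in the message. It assumes the rules are available in `iptables-save` format; the function names and the sample rule set are constructed for illustration, since the thread does not show the actual rule text.

```shell
#!/bin/sh
# Audit iptables-save style output for ACCEPT rules whose source address
# is one of the two addresses named in the quoted message.
WATCHED_IPS="194.231.229.20 212.65.2.116"   # taken from the message above

# find_source_accepts (hypothetical helper): reads rules on stdin and prints
# "chain:position:rule" for each ACCEPT rule whose -s is a watched address.
find_source_accepts() {
    awk -v ips="$WATCHED_IPS" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1 }
        $1 == "-A" {
            chain = $2; pos[chain]++          # position of the rule in its chain
            src = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s" || $i == "--source") src = $(i + 1)
                if ($i == "-j" || $i == "--jump")   target = $(i + 1)
            }
            sub(/\/32$/, "", src)             # a.b.c.d/32 is the same single host
            if (target == "ACCEPT" && (src in watch))
                printf "%s:%d:%s\n", chain, pos[chain], $0
        }'
}

# Constructed sample rule set, not a dump from a real DD-WRT image.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -s 194.231.229.20 -j ACCEPT
-A INPUT -s 212.65.2.116/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i br0 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# On a live system: iptables-save | find_source_accepts
sample_rules | find_source_accepts
```

A low position number in the output means the rule is evaluated before the rest of the chain, which is the placement the quoted message describes.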

Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) Dec 11 2008 05:57PM
David E. Thiel (lx redundancy redundancy org)
Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) Dec 11 2008 01:07PM
Sebastian Gottschall (DD-WRT) (s gottschall dd-wrt com)
Copyright 2010, SecurityFocus