Bugtraq mailing list archives
Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)
From: "Sebastian Gottschall (DD-WRT) " <s.gottschall () dd-wrt com>
Date: Thu, 11 Dec 2008 14:07:43 +0100
pUm wrote:
> > this is no security flaw since you must already be logged in within the web interface of dd-wrt. otherwise this here will not work. we already fixed this issue in our source tree, as additional information. this is no dd-wrt specific issue. all other firmware like openwrt etc. would suffer from it too. in fact it is just a plain POST to an authenticated dd-wrt session. without being logged in locally it would not have any effect
> -----------------------------------
> oh god - you dd-wrt people suck so much. it's unbelievable in which way you are handling security advisories. if you were able to make a post without authentication it would be much worse. I would recommend reading www.owasp.org

this is why authentication is required for every POST

> another example for the bad security work of the dd-wrt guys is in this forum post: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783&postdays=0&postorder=asc&start=0
> bitmage discovered that in every fresh release and every custom firewall two other rules are added in front of all. the rules will allow every service on the dd-wrt router from the ip 194.231.229.20 and from the ip 212.65.2.116

this was removed a long time ago and both of these IPs did not exist. i also explained in the forum how this problem occurred

> some workarounds exist, I didn't test any of them, because dd-wrt isn't trustworthy anymore for me. I can confirm this flaw in the latest stable vpn release.

for sure you can. nobody informed me about this issue. it was posted without a notice to the developer and this sucks much more, as i already told you. i'm not able to provide a stable fixed version in a good timeframe.

> please note the workarounds from the main developer of dd-wrt:
> "even i see no reason for this. these ip addresses aren't valid anymore. it seems that chris implemented this for a customer. i removed it now" (they are still in the default install image)
> "nvram unset ral
> nvram commit"
> "there is no security hole. both ip's are not active anymore and obsolete since a long time."
> "i will lock this thread now. a new release is scheduled soon (within this or next week), but you cannot force me to release buggy code based on the current internal tree. that's my last statement on this topic" (Posted: Tue Aug 19, 2008 10:57 pm)
> I recommend everyone to not use dd-wrt anymore, at least as long as they don't change their politics and stop talking bullshit "there is no security hole"

for sure it's no security hole. it would be one if you could get into the router without authentication. and consider that i reacted fast enough to fix it in our source code.

-- 
Kind regards
Sebastian Gottschall / CTO
NewMedia-NET GmbH - DD-WRT
Registered office: Wormser Straße 5 - 7, 64625 Bensheim
Commercial register: Amtsgericht Darmstadt, HRB 25473
Managing directors: Peter Steinhäuser, Christian Scheele
http://www.dd-wrt.com
email: s.gottschall () dd-wrt com
Tel.: +496251-582650 / Fax: +496251-5826565
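The point argued back and forth in this thread is whether a POST that carries a logged-in session is, by itself, something the router should act on. The following is an added example, not code from this thread or from DD-WRT: a constructed Python model of an admin interface in which the browser attaches the session cookie to every request it sends to the router's origin, comparing a check that trusts any authenticated POST with one that also requires a same-origin Origin/Referer header and a per-session secret token. The session id, token, LAN address and form field are assumed placeholder values.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed model of a router admin interface: one logged-in session, keyed by
# a cookie the browser attaches to every request it sends to the router's origin.
SESSIONS = {"sess-abc123": {"csrf_token": "constructed-random-token-9f3c"}}
OWN_ORIGIN = urlsplit("http://192.168.1.1")  # constructed LAN address of the router

@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def session_of(req):
    """Authentication as the thread describes it: a valid session cookie."""
    return SESSIONS.get(req.cookies.get("session"))

def accepts_authenticated_only(req):
    """The disputed position: any POST carrying a logged-in session is trusted."""
    return req.method == "POST" and session_of(req) is not None

def same_origin(url):
    """Compare scheme and host:port exactly; a string-prefix test would be weaker."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc) == (OWN_ORIGIN.scheme, OWN_ORIGIN.netloc)

def accepts_with_csrf_check(req):
    """Hardened: valid session AND sent from our own page (Origin, else Referer)
    AND carrying the per-session secret token, which another site cannot read."""
    sess = session_of(req)
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if req.method != "POST" or sess is None or not same_origin(origin):
        return False
    return hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf_token"])

def cross_site_post():
    """A POST that a page on another site makes the logged-in browser send: the
    cookie is attached automatically, but that page has neither our Origin nor the token."""
    return Request("POST", cookies={"session": "sess-abc123"},
                   form={"setting": "changed"}, headers={"Origin": "http://other.example"})

def own_page_post():
    """The same POST submitted from the router's own admin page."""
    return Request("POST", cookies={"session": "sess-abc123"},
                   form={"setting": "changed", "csrf_token": SESSIONS["sess-abc123"]["csrf_token"]},
                   headers={"Origin": "http://192.168.1.1"})
```

The first check accepts both requests because the cookie is present in both; the second rejects the cross-site one and still accepts the one from the router's own page.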
Current thread:
- Multiple XSRF in DD-WRT (Remote Root Command Execution) th3 . r00k . ieatpork (Dec 08)
- <Possible follow-ups>
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) s . gottschall (Dec 10)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) Hanno Böck (Dec 11)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) David E. Thiel (Dec 11)
- Re[2]: Multiple XSRF in DD-WRT (Remote Root Command Execution) Vladimir '3APA3A' Dubrovin (Dec 11)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) pUm (Dec 11)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) Sebastian Gottschall (DD-WRT) (Dec 11)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) Sebastian Gottschall (DD-WRT) (Dec 11)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) David E. Thiel (Dec 11)
- Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) dan . crowley (Dec 11)
- Re: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) dan . crowley (Dec 11)
- Re: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution) 0xjbrown41 (Dec 15)