Due to a meta-character vulnerabilityin the httpd servers, users that run DD-WRT on their routers are vulnerable to a remote root exploit.
More information can be found on the DD-WRT Forum at http://www.dd-wrt.com/phpBB2/viewtopic.php?t=55173&postdays=0&postorder=asc&start=0
Although this daemon usually listens on the internal interface only, there are still ways to exploit it:
Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. It was argued that this exploit is of low impact by some since the distribution only listens for HTTP connections thru the internal interface. In this example of using the exploit the exploit will be used thru a pivot obtained thru a client side exploit from which we will pivot, do a discovery, finger print the device and exploit it. In the following example we will start by showing our IP of the attacker machine, receiving the Meterpreter shell and showing the target box IP thru a cmd shell (For details, see Pauldotcom)DD-WRT developer Sebastian Gottschall says the bug fixed firmware version "DD-WRT V24 preSP2" can already be downloaded.
(Photo under creative commons from patrick h. lauke's photostream)
Security4all Blog
Twitter
Slideshare
Facebook
Digg
Flickr
0 comments:
Post a Comment