Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#7039 closed (invalid)

RCE with a single HTTP request

Reported by: Th3Law Owned by:
Keywords: Cc: Th3Law

Description

Using the so-called "Diagnostic" page, the attacker can run any command, including telnetd, via the remote host field of the ping utility: echo 127.0.0.1; /usr/sbin/telnetd -l bin/sh -p 25

https://s3.anh.im/2020/03/28/Screenshot_2020-03-28_11-39-4548608f74b807ec83.png

What is run as the root user?

https://s3.anh.im/2020/03/28/Screenshot_2020-03-28_11-44-26f2e5c933cde13095.png

An attacker with RCE will be able to dump and modify the configuration by editing /dev/mtd3. Using the command "echo 127.0.0.1; cat /dev/random > /dev/mtd0" bricks the router.

Attachments (2)

Screenshot_2020-03-28_11-44-26.png (133.4 KB ) - added by Th3Law 3 years ago.
Screenshot_2020-03-28_11-39-45.png (141.7 KB ) - added by Th3Law 3 years ago.


Change History (10)

comment:1 by kernel-panic69, 3 years ago

The attacker would have to crack into the webUI first. And if you were smart, you would block wireless access to httpd, telnet, and ssh via firewall rules. This is an extreme case scenario where someone would have to purposely open their router to attack or the LAN / WAN would have to be compromised first.

comment:2 by Th3Law, 3 years ago

Why do you need to go to the webui with an attacker? An attacker only needs to send an HTTP request to the user and they can enable any service on the router. Those are all Unix commands. With the webserver running as root, do you think an attacker can't do anything else? Besides that, the authentication code is completely easy base64; decode it and it appears that we already have an authentication account.

comment:3 by Th3Law, 3 years ago

I am reporting the risks so that they can find a way to fix it; if it is provided to the mass of users, it should not be too dangerous to exploit.

comment:4 by roboman, 3 years ago

Hmmm... it looks like this can be exploited using a CSRF/CSS attack if the router owner is already logged into the web interface and is using any browser without full session & tab isolation (only Safari has full session & tab isolation at this point, but only in Private Mode). All this is assuming said attack works as advertised on the most recent build.

Seeing as there is no way to log off, this would be easy to exploit, but the same can be said for any other CSRF/CSS attack if the user receives a malicious HTTP request and inadvertently executes it while the browser still remembers the login session of the dd-wrt GUI.

Possible quick fixes for dev:

  1. Logout option
  2. Modify webgui code to remove possibility

Stating that the attacker would need to crack the GUI first is incorrect. If a session is already underway by the router user, a CSRF/CSS HTTP request can be placed on a page or link by the attacker. Netgear fixes stuff like this that people find all the time in their stock firmware. What we have here is a niche but potentially damaging exploit opportunity.

Also, stating that LAN/WAN access needs to be gained by the attacker is false. A CSRF/CSS attack does not need that to compromise the router. The user only needs to visit a compromised web page, or even just click on a link, or even just have malicious JavaScript executed on visiting a page.

Possible mitigation for users:

  1. Use a firewall rule to disable internet access on an IP dedicated to dd-wrt web GUI management.
  2. Session & tab isolation in private mode on Safari is the only mode that should be used to access the dd-wrt web GUI. Do not open any other links in the same tab as the web GUI if internet access is kept enabled.

We shall leave it up to BS to determine best course of action or inaction based on how risky he assesses this to be for the average non-expert user.

Last edited 3 years ago by roboman

comment:5 by BrainSlayer, 3 years ago

Resolution: invalid
Status: new → closed

The diagnostic page is able to run commands. That's what it's made for. But you must be authenticated. And no, the webserver is CSS safe. Have fun trying, and if you find a way, I will fix it.

comment:6 by BrainSlayer, 3 years ago

The version you tested is also usually old. In the current version you cannot use the request line for commands; only POST requests are accepted for form submits.
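The two technical points in this thread are the shell-metacharacter injection through the ping "remote host" field in the description (echo 127.0.0.1; ...) and the CSRF question raised in comment:4 and answered in comment:6 (only POST accepted for form submits). The following is an added example, not DD-WRT's httpd code, showing the generic unsafe pattern next to a hardened one: an allow-list check on the host field, an argv built for execvp() so no shell is involved, and a request gate that requires POST plus a matching Origin header. All function names (build_ping_cmd_unsafe, host_is_safe, build_ping_argv, request_allowed), the router origin string and the sample inputs are assumptions constructed for the example.

```c
/* Added example: command-injection-prone ping form handler vs. hardened form.
 * Not DD-WRT code; helper names and sample inputs are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* UNSAFE pattern: the form field is interpolated into a command line that a
 * handler would hand to system()/popen(). Because /bin/sh parses the string,
 * a ';' in the field starts a second command. Returns 0 and fills `out` with
 * the exact string the shell would receive (we never execute it here). */
int build_ping_cmd_unsafe(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 3 %s", host);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allow-list check for a ping target: letters, digits, '.', '-', ':' only
 * (IPv4, IPv6 literal or DNS name), non-empty, bounded length, and not
 * starting with '-' so it cannot be parsed as a ping option. Everything a
 * shell cares about (';', '|', '&', '`', '$', quotes, spaces) is rejected. */
int host_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* SAFE pattern: validate, then build an argv for execvp(). The host becomes
 * one argument; no shell ever sees it, so metacharacters cannot chain
 * commands. Returns 0 on success, -1 if the host fails validation. */
int build_ping_argv(const char *host, const char *argv[], size_t argv_cap)
{
    if (argv_cap < 5 || !host_is_safe(host))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "3";
    argv[3] = host;
    argv[4] = NULL;
    return 0;
}

/* Request gate for a state-changing form: require POST (a GET link cannot
 * trigger it) and require the browser-supplied Origin header to equal the
 * router's own origin (a cross-site form POST carries the attacker's origin,
 * and a request with no Origin is refused rather than trusted). */
int request_allowed(const char *method, const char *origin, const char *self_origin)
{
    if (strcmp(method, "POST") != 0)
        return 0;
    if (origin == NULL || strcmp(origin, self_origin) != 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed input: the payload shape from the ticket description. */
    const char *payload = "127.0.0.1; /usr/sbin/telnetd -l bin/sh -p 25";
    char cmd[256];
    const char *argv[5];

    build_ping_cmd_unsafe(payload, cmd, sizeof cmd);
    printf("unsafe handler would run via sh: %s\n", cmd);

    printf("host_is_safe(payload) = %d\n", host_is_safe(payload));
    if (build_ping_argv(payload, argv, 5) == -1)
        printf("hardened handler rejected the field\n");
    if (build_ping_argv("127.0.0.1", argv, 5) == 0)
        printf("hardened handler argv[3] = %s\n", argv[3]);

    printf("GET allowed: %d, cross-origin POST allowed: %d, same-origin POST allowed: %d\n",
           request_allowed("GET", "http://192.168.1.1", "http://192.168.1.1"),
           request_allowed("POST", "http://attacker.example", "http://192.168.1.1"),
           request_allowed("POST", "http://192.168.1.1", "http://192.168.1.1"));
    return 0;
}
```

The Origin check is the minimum; a per-session anti-CSRF token in the form is the usual stronger control and the example does not implement it. Note that accepting only POST, on its own, does not stop a cross-site auto-submitted form, which is why the gate also compares the Origin.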

comment:7 by roboman, 3 years ago

Thank you, BS, for clarifying that this is for old version. Case closed :)

comment:8 by BrainSlayer, 3 years ago

I don't know. I haven't seen the version. I would like to see a proof of concept if there is still a problem.
