Thursday, July 23, 2009

DD-WRT v24 SP1 httpd vulnerability

As reported at www.miw0rm.com, there is a vulnerability in the HTTP server behind the DD-WRT management GUI that can be exploited to gain control over the router.

By default, if you have used our DD-WRT install guide, followed those steps only, and didn't enable the remote web gui management in the router, your router is safe.

BUT if you have enabled the remote web gui management in the Administration tab AND your router is connected directly to the internet (is not behind another router, but is connecting to the ADSL modem directly with an ADSL username or password for example), your router is vulnerable and you should do one of the following to make your router safe:

- You can turn off the remote web gui management under the Administration tab in the router's admin panel if you don't need this function

- You can update your firewall settings through the Administration > Commands tab. Press EDIT in the firewall section and paste these commands into the box:

insmod ipt_webstr
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset

then press "Save Firewall" and reboot your router.

If you do this and HTTPS Management is turned ON under Administration > Management > Remote Access, be sure to turn it off: the webstr match can only inspect unencrypted HTTP requests, so the rule above does not filter HTTPS connections.

- You can replace the DD-WRT firmware with a newer one (the latest is v24 preSP2 build 12533), which you can download from dd-wrt.com using the router search. However, this is beta firmware, so use it at your own risk. The setup command from the Control Center should work, but be sure to reset the firmware to factory defaults before using the command.

- You can change your firmware to CoovaAP. Only do this if you don't use special functions in DD-WRT like the secondary SSID function.
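
For the firewall option above, this added example (not part of the original post or of DD-WRT) checks that a saved firewall script contains every mitigation line and loads the webstr module before the rule that depends on it. The function name audit_mitigation is hypothetical, and reading the saved script with `nvram get rc_firewall` is an assumption about where the router stores it.

```shell
#!/bin/sh
# Added example: audit a firewall script (read from stdin) for the mitigation
# lines given in this post. Exit status 0 = complete, 1 = something is missing.
# Assumed usage on the router: nvram get rc_firewall | audit_mitigation
audit_mitigation() {
    awk '
        # Normalise indentation, skip comments and blank lines.
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }

        # 1. The webstr match module is loaded.
        /^insmod[ \t]+ipt_webstr([ \t]|$)/ { if (!mod) mod = NR }

        # 2. /tmp/exec.tmp is pointed at /dev/null.
        /^ln[ \t]+-s[ \t]+\/dev\/null[ \t]+\/tmp\/exec\.tmp([ \t]|$)/ { link = NR }

        # 3. The REJECT rule for cgi-bin URLs is inserted (-I) into INPUT.
        /^iptables[ \t]+-I[ \t]+INPUT[ \t]/ && /-m[ \t]+webstr/ &&
        /--url[ \t]+cgi-bin/ && /-j[ \t]+REJECT/ { if (!rule) rule = NR }

        END {
            bad = 0
            if (!mod)  { print "MISSING: insmod ipt_webstr"; bad = 1 }
            if (!link) { print "MISSING: ln -s /dev/null /tmp/exec.tmp"; bad = 1 }
            if (!rule) { print "MISSING: iptables -I INPUT ... --url cgi-bin -j REJECT"; bad = 1 }
            # Without the module, iptables cannot load the webstr rule.
            if (mod && rule && mod > rule) {
                print "ORDER: insmod ipt_webstr must come before iptables -I"; bad = 1
            }
            if (!bad) print "OK: cgi-bin mitigation is complete"
            exit bad
        }
    '
}

# Constructed sample input: the lines from this post, fed to the audit.
printf '%s\n' \
    'insmod ipt_webstr' \
    'ln -s /dev/null /tmp/exec.tmp' \
    'iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset' \
    'iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset' |
    audit_mitigation
```

The check only confirms that the script text is complete; it does not confirm that the rule was actually loaded after the reboot.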