A way to stop the root-exploit (milw0rm) without update

chris
Site Admin


Joined: 06 Jun 2006
Posts: 99
Location: Germany, Bensheim

PostPosted: Wed Jul 22, 2009 19:15    Post subject: A way to stop the root-exploit (milw0rm) without update
Hi,

The exploit can also be stopped using a firewall rule.

Go to your router, "Administration", "Commands" and enter the following text:

# load the webstr match module (matches on strings in the HTTP request URL)
insmod ipt_webstr
# reset any TCP connection whose request URL contains "cgi-bin"
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset

and press "Save Firewall", then reboot your router.

This rule blocks any attempt to access something that has "cgi-bin" in the URL.

You can prove that the rule works by entering http://192.168.1.1/cgi-bin/;reboot in your browser. That should give a "Connection was reset" (Firefox).

Important Note: This only works for non-HTTPS requests. If you have HTTPS Management turned on under Administration > Management > Remote Access, turn it off. If you don't want to turn it off, you can only do an update.

_________________
NewMedia-NET GmbH
Christian Scheele (CEO)
http://www.dd-wrt.com
chris
Site Admin


Joined: 06 Jun 2006
Posts: 99
Location: Germany, Bensheim

PostPosted: Thu Jul 23, 2009 12:44
I did several tests on that; requests over WAN are also caught by this rule.

If you add this:

# anything written to /tmp/exec.tmp is discarded
ln -s /dev/null /tmp/exec.tmp

(For those who want to know what /dev/null is, see here: http://en.wikipedia.org/wiki//dev/null )

to it, then even if something is written to that file, it ends up in /dev/null (where it belongs...).

If the user is NOT able to log in to the router, the unlink does not happen:

926 if (auth_fail == 1) {
[...]
930 return;

is before

935 unlink("/tmp/exec.tmp");

The link does not even get removed when you log in, ONLY if you use "cgi-bin" in your URL to attack the router.

Here is the full rc_firewall:

# load the webstr match module (matches on strings in the HTTP request URL)
insmod ipt_webstr
# anything written to /tmp/exec.tmp is discarded
ln -s /dev/null /tmp/exec.tmp
# remove earlier copies of the rules, so re-running this script does not duplicate them
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j LOG --log-prefix 'CGI-BIN-EXPLOIT '
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
# insert REJECT first, then LOG above it, so a matching request is logged and then reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j LOG --log-prefix 'CGI-BIN-EXPLOIT '

I added a log target for those who want to see if somebody tries to use the exploit.

Keep in mind that if you enter these rules on the command line, they will NOT be there after a reboot.

Go to your router, "Administration", "Commands" and enter the rules, then press "Save Firewall" and reboot your router.

On a Buffalo, that looks like this in dmesg:

CGI-BIN-EXPLOIT IN=vlan1 OUT= MAC=00:1x:7x:55:8x:11:00:1f:5b:c8:ab:cf:08:00:45:00:01:e1 SRC=1.2.3.4 DST=192.168.1.1 LEN=481 TOS=0x00 PREC=0x00 TTL=64 ID=63903 DF PROTO=TCP SPT=64049 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0

If the IN interface is br0, then the request came from inside; otherwise it came over WAN.

If you use syslog, you can search for "CGI-BIN-EXPLOIT".
With

dmesg | grep "^CGI-BIN-EXPLOIT"

you can grep those lines out of the router.

I think that's all I can do from here.

_________________
NewMedia-NET GmbH
Christian Scheele (CEO)
http://www.dd-wrt.com
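As an added example (not part of the post above), a small POSIX sh script that does the "br0 means inside, otherwise WAN" check from the second post over the CGI-BIN-EXPLOIT log lines, so you can see at a glance where the attempts came from; the sample log text and the 192.168.1.50 / 1.2.3.4 addresses are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: classify CGI-BIN-EXPLOIT hits written by the LOG rule into
# LAN (IN=br0) and WAN (any other IN interface) and print the source address.
# Works on plain dmesg output and on syslog lines that carry a prefix.

# Constructed sample of what "dmesg" shows; the second and third lines are made up.
SAMPLE_LOG='CGI-BIN-EXPLOIT IN=vlan1 OUT= MAC=00:1x:7x:55:8x:11:00:1f:5b:c8:ab:cf:08:00:45:00:01:e1 SRC=1.2.3.4 DST=192.168.1.1 LEN=481 TOS=0x00 PREC=0x00 TTL=64 ID=63903 DF PROTO=TCP SPT=64049 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
CGI-BIN-EXPLOIT IN=br0 OUT= MAC=00:1x:7x:55:8x:11:00:aa:bb:cc:dd:ee:08:00:45:00:01:2c SRC=192.168.1.50 DST=192.168.1.1 LEN=300 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
eth0: link up
CGI-BIN-EXPLOIT IN=vlan1 OUT= MAC=00:1x:7x:55:8x:11:00:1f:5b:c8:ab:cf:08:00:45:00:01:e1 SRC=1.2.3.4 DST=192.168.1.1 LEN=481 TOS=0x00 PREC=0x00 TTL=64 ID=63904 DF PROTO=TCP SPT=64050 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0'

# field LINE KEY: print the VALUE of the first "KEY=VALUE" token in LINE
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# classify_hits: read log lines on stdin, print "LAN <src>" or "WAN <src>" per hit
classify_hits() {
    grep 'CGI-BIN-EXPLOIT IN=' | while IFS= read -r line; do
        in_if=$(field "$line" IN)
        src=$(field "$line" SRC)
        case "$in_if" in
            br0) origin=LAN ;;   # bridge interface: request came from the LAN
            *)   origin=WAN ;;   # anything else (e.g. vlan1): request came over WAN
        esac
        printf '%s %s\n' "$origin" "$src"
    done
}

# count_wan_hits: how many attempts in SAMPLE_LOG arrived over the WAN interface
count_wan_hits() {
    printf '%s\n' "$SAMPLE_LOG" | classify_hits | grep -c '^WAN '
}

# summarize: attempts per origin and source address, most frequent first
summarize() {
    printf '%s\n' "$SAMPLE_LOG" | classify_hits | sort | uniq -c | sort -rn
}

summarize
```

On the router itself, replace the constructed sample with the live log: dmesg | classify_hits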
All times are GMT