chris Site Admin
Joined: 06 Jun 2006 Posts: 101 Location: Germany, Bensheim
Posted: Wed Jul 22, 2009 19:15 Post subject: A way to stop the root-exploit (milw0rm) without update
Hi,
the exploit could also be stopped using a firewall rule.
Go to your router, "Administration", "Commands" and enter the following text:
insmod ipt_webstr
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
and press "Save Firewall", then reboot your router.
This rule blocks any try to access something that has "cgi-bin" in the URL.
You can prove that the rule works by entering http://192.168.1.1/cgi-bin/;reboot in your browser. That should give a "Connection was reset" (Firefox).
Important Note: This only works for non-HTTPS requests. If you have HTTPS Management turned on under Administration > Management > Remote Access, then turn it off. If you don't want to turn it off, you can only do an update.
_________________
NewMedia-NET GmbH
Christian Scheele (CEO)
http://www.dd-wrt.com
chris Site Admin
Joined: 06 Jun 2006 Posts: 101 Location: Germany, Bensheim
Posted: Thu Jul 23, 2009 12:44 Post subject:
I did several tests on that; requests over WAN are also caught by this rule.
If you add this:
ln -s /dev/null /tmp/exec.tmp
(For those who want to know what /dev/null is, see here: http://en.wikipedia.org/wiki//dev/null )
to it, then even if something is written to that file, it ends up in /dev/null (where it belongs...).
If the user is NOT able to log in to the router, the unlink does not happen:
926 if (auth_fail == 1) {
[...]
930 return;
is before
935 unlink("/tmp/exec.tmp");
The link does not even get removed when you log in, ONLY if you use "cgi-bin" in your URL to attack the router.
Here the full rc_firewall:
insmod ipt_webstr
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j LOG --log-prefix 'CGI-BIN-EXPLOIT '
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j LOG --log-prefix 'CGI-BIN-EXPLOIT '
I added a LOG target, for those who want to see if somebody tries to use the exploit.
Keep in mind that if you enter these rules on the command line, they will NOT be there after a reboot.
Go to your router, "Administration", "Commands" and enter the rules, then press "Save Firewall" and reboot your router.
On a Buffalo, that looks like this in dmesg:
CGI-BIN-EXPLOIT IN=vlan1 OUT= MAC=00:1x:7x:55:8x:11:00:1f:5b:c8:ab:cf:08:00:45:00:01:e1 SRC=1.2.3.4 DST=192.168.1.1 LEN=481 TOS=0x00 PREC=0x00 TTL=64 ID=63903 DF PROTO=TCP SPT=64049 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
If the IN interface is br0, then the request came from inside, otherwise over WAN.
If you use syslog, you can search for "CGI-BIN-EXPLOIT".
With
dmesg | grep "^CGI-BIN-EXPLOIT"
you can grep those lines out of the router.
I think that's all I can do from here.
_________________
NewMedia-NET GmbH
Christian Scheele (CEO)
http://www.dd-wrt.com
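As an added example (not part of the post above, and not DD-WRT's own code), a small POSIX shell script that goes one step beyond the `dmesg | grep` above: it parses the LOG lines with the 'CGI-BIN-EXPLOIT ' prefix, reports the source address and destination port of each hit and classifies it as LAN (IN=br0) or WAN using the rule from the post. The interface names, sample log lines and function names are constructed for illustration; on a real router replace the sample with `dmesg` or the syslog file.

```shell
# Constructed sample kernel log (not captured from a real router); the field
# layout follows the dmesg line quoted in the post, MAC/IP values are made up.
SAMPLE_DMESG='CGI-BIN-EXPLOIT IN=vlan1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=1.2.3.4 DST=192.168.1.1 LEN=481 TOS=0x00 PREC=0x00 TTL=64 ID=63903 DF PROTO=TCP SPT=64049 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
eth0: link up, 100Mbps full duplex
CGI-BIN-EXPLOIT IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.1 LEN=481 TOS=0x00 PREC=0x00 TTL=64 ID=63904 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0'

# summarize_cgi_hits LOGTEXT
# Prints one line per hit: "<LAN|WAN> <SRC> <DPT>".
# The prefix is matched anywhere in the line (not anchored with ^) so the same
# function works on syslog output, where "kernel:" precedes the LOG prefix.
summarize_cgi_hits() {
    printf '%s\n' "$1" | grep 'CGI-BIN-EXPLOIT' | awk '{
        in_if = ""; src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=");
            if (n < 2) continue;            # flags like DF, ACK, PSH
            if (kv[1] == "IN")       in_if = kv[2];
            else if (kv[1] == "SRC") src = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        # br0 is the LAN bridge on the router in the post; anything else is WAN
        origin = (in_if == "br0") ? "LAN" : "WAN";
        printf "%s %s %s\n", origin, src, dpt;
    }'
}

# count_wan_hits LOGTEXT
# Number of hits that did NOT come from the LAN bridge (0 if none).
count_wan_hits() {
    summarize_cgi_hits "$1" | grep -c '^WAN' || true
}

# Stand-alone run over the constructed sample:
summarize_cgi_hits "$SAMPLE_DMESG"
echo "WAN hits: $(count_wan_hits "$SAMPLE_DMESG")"
```

A hit from vlan1 (WAN) against DPT=80 means remote management is reachable from the internet; the post's advice to disable it (or update) applies regardless of whether the REJECT rule stopped the request.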