DD-WRT and Router Vulnerabilities

Imriah
SSD Secure Disclosure
3 min read · Mar 22, 2021

DD-WRT is a Linux-based, open-source alternative firmware for a wide variety of WLAN routers and embedded systems. It runs on many devices, including Netgear Nighthawk, Asus, and Linksys routers.

It replaces the basic stock firmware of some WiFi routers with a more capable one. Firmware like this also tends to offer a higher level of security than stock router firmware, which makes it hard, but not impossible, to exploit. We will have a look at some of these vulnerabilities here.

CVE-2020-13976 — Remote Command Execution via Shell Metacharacters

This vulnerability was discovered on the diagnostics page of DD-WRT. A remote attacker could execute arbitrary commands through this page by placing shell metacharacters in the host field of the ping command. The issue could be chained with a CSRF, like the one used in an earlier vulnerability from 2012 (CVE-2012-6297).

Even though this vulnerability received a high severity score of 8.8, DD-WRT disputed its legitimacy. They refused to accept the findings, since the report refers to an old version, the issue requires administrative privileges, and it doesn't provide access beyond what administrative users already have.

There still hasn't been a definitive conclusion to this dispute, which seems to be about the severity of the vulnerability.
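As an added example (not code from this post or from the DD-WRT project), this is how a diagnostics ping handler of the kind described above can be written so that shell metacharacters in the host field are harmless: the value is checked against an allowlist and handed to ping as a single argv entry, with no shell involved. The function names and the ping options are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allowlist check for the diagnostics "host" field: only letters, digits,
 * '.', '-' and ':' (hostnames, IPv4, IPv6) pass, so shell metacharacters
 * such as ; | & ` $ ( ) and whitespace are rejected before any command runs. */
int is_safe_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-') /* 253: max DNS name; '-' would be a ping option */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Build argv for ping with the host as one argument, never as part of a
 * command string. Returns the argument count, or 0 if host was rejected. */
int build_ping_argv(const char *host, char *argv[], int max_argv)
{
    if (max_argv < 5 || !is_safe_host(host))
        return 0;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "4";
    argv[3] = (char *)host; argv[4] = NULL;
    return 4;
}

/* Hardened replacement for the vulnerable pattern
 *   snprintf(cmd, sizeof cmd, "ping -c 4 %s", host); system(cmd);
 * fork/execvp runs ping directly, so no shell ever parses the host. */
int run_ping(const char *host)
{
    char *argv[5]; int status;
    if (!build_ping_argv(host, argv, 5))
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```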

CVE-2020-7982 — OpenWRT Remote Code Execution via Authentication Bypass

This vulnerability was found in OpenWRT, which is the software that DD-WRT is based on. It was discovered and reported by Guido Vranken, a researcher from ForAllSecure, who found the flaw in OPKG, the package manager OpenWRT uses to download and install packages.

The vulnerability allows an attacker to bypass the integrity checking of downloaded .ipk packages, so a malicious package can be installed and lead to remote code execution inside the OpenWRT firmware.

Unlike the previous vulnerability, OpenWRT accepted the findings, and the verification in its package manager was corrected.

Muhstik Botnet Attacking Routers Running OpenSource Firmware

This last case isn't a vulnerability found by researchers before it was exploited, but a botnet malware that infected routers running DD-WRT.

In 2018, researchers from Palo Alto Networks announced that they had discovered the Muhstik botnet exploiting vulnerabilities in GPON routers, one of which is found in the DD-WRT firmware.

The botnet exploited an authentication bypass and command execution vulnerabilities to infect GPON routers. After that, Muhstik used web authentication brute forcing to break into the DD-WRT firmware. It did this by scanning for vulnerable GPON devices, infecting them with malware, installing it, and finally executing attacks.

The researchers managed to slow down Muhstik's expansion by shutting down some of its servers. Unfortunately, this didn't stop the Muhstik malware from spreading. In January 2020, researchers discovered that the botnet was infecting routers running Tomato, another open-source firmware.

Found similar vulnerabilities in DD-WRT? We’ll get you the best reward out there!

At SSD, we help security researchers turn their skills in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software or devices.

We are constantly publishing our findings, intended to educate our global security researcher community. You can find more vulnerabilities on our Advisories page. If you have findings of your own, you can send them to us using our report template.
