Root vulnerability in DD-WRT free router firmware
The management interface of the current stable version of DD-WRT, the free router firmware, suffers from a vulnerability that lets attackers run programs with root rights on the router. The vulnerability, described at milw0rm and in the DD-WRT forum, is caused by inadequate handling of meta-characters in the query string by DD-WRT's httpd web server. The server then executes commands even when no authenticated session exists.
Furthermore, the management interface runs with maximum rights. That means attackers can request a URL such as "http://routerIP/cgi-bin/;command_to_execute" to run commands that exist on the system, or take control of the device by running programs with root rights. Although by default the DD-WRT web interface can only be reached via the LAN interfaces, this limitation can easily be circumvented, for example with a CSRF (Cross-Site Request Forgery) attack, especially as the vulnerability requires no authentication on the web server. A manipulated IMG tag in a forum would be enough to put a router under an attacker’s control.
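A simple detection check for the request pattern described above, added here as an illustration and not taken from the article or the DD-WRT project: it scans web-server access-log lines (a constructed sample in Common Log Format is embedded; DD-WRT's real log format is not assumed) for requests to /cgi-bin/ whose URL-decoded target carries a shell metacharacter. Because the CSRF vector means the request is sent by a LAN client's own browser, internal source addresses are deliberately not excluded.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; not real DD-WRT httpd output.
SAMPLE_LOG = """\
192.168.1.10 - - [21/Jul/2009:10:01:12 +0200] "GET /cgi-bin/;ls HTTP/1.1" 200 512
192.168.1.11 - - [21/Jul/2009:10:02:30 +0200] "GET /index.asp HTTP/1.1" 200 8123
192.168.1.12 - - [21/Jul/2009:10:03:05 +0200] "GET /cgi-bin/;reboot HTTP/1.1" 200 0
192.168.1.13 - - [21/Jul/2009:10:04:40 +0200] "GET /Management.asp?foo=bar HTTP/1.1" 401 0
192.168.1.14 - - [21/Jul/2009:10:05:01 +0200] "GET /cgi-bin/%3Bid HTTP/1.1" 200 40
"""

# Common Log Format: client ident user [time] "method target proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

# Shell metacharacters treated as suspicious inside a CGI target. The article
# only shows ';'; the others are an assumption covering common separators.
META = re.compile(r'[;|&`]|\$\(')


def find_cgi_metachar_requests(log_text):
    """Return one dict per request whose decoded target starts with /cgi-bin/
    and carries a shell metacharacter anywhere after that prefix."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        client, when, method, target, status = m.groups()
        decoded = unquote(target)  # %3B -> ';' so URL encoding cannot hide it
        if not decoded.startswith('/cgi-bin/'):
            continue
        if META.search(decoded[len('/cgi-bin/'):]):
            hits.append({'client': client, 'time': when, 'method': method,
                         'target': decoded, 'status': int(status)})
    return hits


if __name__ == '__main__':
    for hit in find_cgi_metachar_requests(SAMPLE_LOG):
        print(hit)
```

A status of 200 on such a request is the signal to act on; a patched httpd should reject the target before any command is reached.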
DD-WRT developer Sebastian Gottschall says a fixed firmware version, "DD-WRT V24 preSP2", can already be downloaded. More information can be found in the DD-WRT forum. DD-WRT runs on routers by Linksys, D-Link, Buffalo, ASUS and some other makers.