CVE-2008-6974
Published 2009-08-14
Priority P3 · 35 · medium · 6.8 (CVSS 2.0)
AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 1.45% (70.1th percentile)
Multiple cross-site request forgery (CSRF) vulnerabilities in apply.cgi in DD-WRT 24 sp1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) execute arbitrary commands via the ping_ip parameter; (2) change the administrative credentials via the http_username and http_passwd parameters; (3) enable remote administration via the remote_management parameter; or (4) configure port forwarding via certain from, to, ip, and pro parameters.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dd-wrt | dd-wrt | <= 24 | — |
No detection rules found.
Exploit-DB
DD-WRT HTTPd Daemon/Service - Remote Command Execution
exploitdb·2009-07-20
CVE-2009-2766 DD-WRT HTTPd Daemon/Service - Remote Command Execution
---
This is a remote root vulnerability in DD-WRT's httpd server. The bug exists
in the latest 24 sp1 version of the firmware.
The problem is due to many bugs and bad software design decisions. Here is
part of httpd.c:
```c
if (containsstring(file, "cgi-bin")) {

    auth_fail = 0;
    if (!do_auth
        (conn_fp, auth_userid, auth_passwd, auth_realm,
         authorization, auth_check))
        auth_fail = 1;
......... (snip)............

}
exec = fopen("/tmp/exec.tmp", "wb");
fprintf(exec, "export REQUEST_METHOD=\"%s\"\n", method);
if (query)
    fprintf(exec, "/bin/sh %s/%s/tmp/shellout.asp");
........... (snip)..........
if (auth_fail == 1) {
    send_authenticate(auth_realm);
    auth_fail = 0;
```
3) issue 3:
Exploit-DB
DD-WRT v24-sp1 - Cross-Site Reference Forgery
exploitdb·2008-12-08
CVE-2008-6975 DD-WRT v24-sp1 - Cross-Site Reference Forgery
---
Remote root dd-wrt
Written by Michael Brooks
Special thanks to str0ke
Exploits tested on the newest stable version:
Firmware: DD-WRT v24-sp1 (07/27/08) micro
Product Homepage:
http://dd-wrt.com/
Impact:
1) Remote root command execution /bin/sh
2) Change web administration password and enable remote administration
3) Create new Port Forwarding rules to bypass NAT.
Remote root command execution /bin/sh
enable remote administration and change login to root:password
Change Port Forwarding to bypass NAT protection.
document.getElementById(1).submit();//remote root command execution!
# milw0rm.com [2008-12-08]
No writeups or analysis indexed.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=55173
http://www.securityfocus.com/archive/1/499024
http://www.securityfocus.com/archive/1/499119
http://www.securityfocus.com/archive/1/499132
http://www.securityfocus.com/archive/1/499135
https://www.exploit-db.com/exploits/9209
Published: 2009-08-14