Matt Posted July 3, 2013

Description: Linksys versions EA2700, EA3500, E4200, EA4500 using lighttpd 1.4.28 and Utopia on Linux 2.6.22 suffer from an unauthenticated access vulnerability.
Author: Kyle Lovett
Source: Linksys EA2700 / EA3500 / E4200 / EA4500 Unauthenticated Access - Packet Storm
Code:

Vulnerable products: Linksys EA2700, EA3500, E4200, EA4500 using lighttpd 1.4.28 and Utopia on Linux 2.6.22

Firmware Version: 1.0.14 EA2700
Firmware Version: 1.0.30 EA3500
Firmware Version: 2.0.36 E4200
Firmware Version: 2.0.36 EA4500

Impact:
- Major

Timeline:
- Still awaiting word back from Linksys support. Partial disclosure at the present due to the impact; Full disclosure in near future if warranted.

Vulnerabilities:
- Unauthenticated remote access to all pages of the router administration GUI, bypassing any credential prompts under certain common configurations (see below)
- Direct access to several other critical files, unauthenticated as well

Vulnerability Conditions seen in all variations:
- Remote Management - Disabled
- UPnP - Enabled
- IPv4 SPI Firewall Protection - Disabled

Although not the same symptoms as the bug that plagues most ASUS routers that are AiCloud enabled with WebDav, the utilization of both UPnP and SSL on lighttpd v 1.4.28 appears to be an extremely problematic combination, exposing certain vulnerabilities to the WAN side of the router.

Recommendations:
- Disable UPnP
- Enable at minimum the built in IPv4 SPI firewall
- Oddly, in some instances, resetting the password and doing a full power down reboot has shown to close the vulnerability, but not always
- Disallow remote access from the WAN side - both http and https
- Changing the default user name and password won't help in this case, but it always bears repeating
- Since an attacker has access to enable FTP service, USB drives mounted in the router should be removed until a patch is out, or the full scope of the issue is known

Testing additional firmware is ongoing.

d4rkm4nx99 Posted July 3, 2013

PONTA!!! We know about Packet Storm too. Try doing something original, because we are fed up with plagiarists!!!