
Linksys WAG54G2 - escape to OS root

About Linksys router

The Linksys WAG54G2 router is a somewhat popular SOHO-class device in Poland. It provides ADSL / WiFi / Ethernet interfaces.

The router is based on a Linux distribution running on the ARM architecture.

If you are interested in a more specific hardware description, here is a hint, obtained through the OS shell escape from the web management described below:

# cat /proc/cpuinfo

Processor    : ARM1026EJ-Sid(wb)B rev 2 (v5l)
BogoMIPS    : 351.43
Features    : swp half thumb fastmult edsp java 
CPU implementer    : 0x41
CPU architecture: 5TEJ
CPU variant    : 0x0
CPU part    : 0xa26
CPU revision    : 2
Cache type    : write-back
Cache clean    : cp15 c7 ops
Cache lockdown    : format C
Cache format    : Harvard
I size        : 16384
I assoc        : 4
I line length    : 32
I sets        : 128
D size        : 8192
D assoc        : 4
D line length    : 32
D sets        : 64

Hardware    : Solos CX4615
Revision    : 0000
Serial        : 000000c002123588

The router can be managed via a web management console, which is enabled by default (for LAN users only).

Tested on firmware: V1.00.10 (newest available at the time).

[Image: Linksys Cisco router]

Compromise

When you are logged in to the web administration, a simple command injection leads to OS root access.

[Screenshot: Cisco root OS escape - the injected request sent to the web management]
Many characters lead to injection, including at least:

  • ;
  • &
  • |
  • `` (backquotes)
  • %0a

As you might have noticed, the above request uses the default administration credentials (admin/admin). The bug can therefore be exploited via CSRF together with these credentials (assuming the user did not change the default username/password), but it is not as straightforward as in our other research: the ASMAX router compromise.

With access to the web administration, one can still backdoor the router. Another outcome of the bug is the ability to examine quite easily which services are running on the router, what its internal configuration is, etc. This may be a hint toward finding more interesting vulnerabilities.

Also, if one could find an authentication bypass vulnerability in the HTTP server / management software, it could lead to an easy full remote compromise of the router, as described in the ASMAX case.
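The pattern behind this class of bug and its fix, as an added example in C (not code from the router firmware or from Securitum); the "host" value for a ping-style diagnostic is a hypothetical parameter. A management parameter is URL-decoded before the CGI sees it, so %0a arrives as a newline; a denylist of the characters listed above works as a detection signature, while an allowlist plus execv() with an argv array removes the shell from the path altogether.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX as the web server does before a CGI sees the value:
 * "%0a" becomes '\n', which a shell treats as a command separator. */
void url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outlen; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1]) && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
}

/* Denylist of the separators observed in this bug (; & | ` and the newline
 * behind %0a): fine as a detection signature on decoded input, but incomplete
 * as a fix, since $(...), redirections, \r and others are not in the list. */
int has_shell_meta(const char *decoded) {
    return strpbrk(decoded, ";&|`\n") != NULL;
}

/* Allowlist: hostname/IPv4 characters only, non-empty, bounded length.
 * Anything outside the set is rejected regardless of shell semantics. */
int is_valid_host(const char *decoded) {
    size_t n = strlen(decoded);
    if (n == 0 || n > 253) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)decoded[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Hardened handler: decode, validate, then put the value in its own argv slot
 * for execv(argv[0], (char *const *)argv) instead of a system("ping ... %s")
 * string. Returns 0 when argv is ready, -1 when the value is rejected. */
int build_argv_safe(const char *raw, char *dec, size_t dlen, const char *argv[5]) {
    url_decode(raw, dec, dlen);
    if (!is_valid_host(dec)) return -1;
    argv[0] = "/bin/ping"; argv[1] = "-c"; argv[2] = "3"; argv[3] = dec;
    argv[4] = NULL;
    return 0;
}
```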

UPDATE [05.06.2009]

The bug mentioned below has already been confirmed by the Mozilla security team.

UPDATE [31.05.2009]

  • We managed to trivially exploit the vulnerability thanks to a bug (not yet confirmed) in a web browser.
  • It allows a stealthy remote takeover of the router by a CSRF attack (using no JavaScript / Flash / Java).
  • It still requires passing the default (valid) router credentials.
  • Stay tuned for more info.

UPDATE [29.05.2009]: due to some misunderstanding of the issue, we clarify that:

  • Possible remote exploitation would require a router whose default username/password for the web management have not been changed. If the password was changed, the issue is not remotely exploitable. So we believe the issue is not critical (i.e. no direct remote compromise under any conditions; on the other hand, how many people change default router credentials?).
  • We did not find an authentication bypass in the router.
  • The web management console is open by default to LAN users only (it is not accessible directly from the WAN, so for example CSRF is needed to attempt remote exploitation of the issue).

Vendor's reaction / issue history

  • The research was performed in early 2009.
  • The vendor was notified on 18.03.09.
  • Quick response (within one day).
  • Quick confirmation of the issue (within a few days).
  • No fix so far (as of 15.05.2009).
  • 15.05.2009 - public disclosure

More information

Research / contact

  • We are performing research on web management interfaces of network appliances. If you want to help, feel free to contact us at devices_hacking@securitum.pl

Disclaimer

  • All the information is provided for educational use only.
  • We strongly discourage using this information for cracking purposes.
  • We are not responsible for damages made to your router - play with your router carefully.


Michal Sajdak
michal.sajdak@securitum.pl
