Linksys WAG54G2 - escape to OS root
About Linksys router
Linksys WAG54G2 router is a (somehow) popular SOHO class device in Poland. It provides ADSL / WiFi / Ethernet interfaces.
The router is based on a linux distrubution which runs on ARM architecture.
If you are interested in more specific hardware description, here is a hint, obtained using OS shell escape from the web management:
# cat /proc/cpuinfo Processor : ARM1026EJ-Sid(wb)B rev 2 (v5l) BogoMIPS : 351.43 Features : swp half thumb fastmult edsp java CPU implementer : 0x41 CPU architecture: 5TEJ CPU variant : 0x0 CPU part : 0xa26 CPU revision : 2 Cache type : write-back Cache clean : cp15 c7 ops Cache lockdown : format C Cache format : Harvard I size : 16384 I assoc : 4 I line length : 32 I sets : 128 D size : 8192 D assoc : 4 D line length : 32 D sets : 64 Hardware : Solos CX4615 Revision : 0000 Serial : 000000c002123588
The router can be managed via a management console which is on by default (to LAN users only).
Tested on firmware: V1.00.10 (newest available at the time).
When you are logged in to the web administration, simple injection leads to OS root access.
Many characters lead to injection, including at least:
- `` (backquotes)
As you might have noticed, the above request is used with default administration credentials (admin/admin). It can be exploited using CSRF and these credentials (assuming a user did not change default user/password). But it is not as straightforward as in our other research: ASMAX router compromise.
One can still backdoor the router having access to web administration. Another outcome of the bug is an ablility to quite easily examine what services are running on the router, what is its internal configuration, etc. It may be a hint to find some more interesting vulnerabilities.
Also if one could find auth bypass vulnerability in http server / management software it can lead to easy full remote router compromise, as described in the ASMAX case.
The bug mentioned below is already confirmed by mozilla security team.
- We managed to trivially exploit the vulnerability by a bug (unconfirmed yet) in a web browser.
- It still requires passing default (valid) router credentials.
- Stay tuned for more info.
UPDATE [29.05.2009]: due to some misunderstanding of the issue we clarify that:
- possible remote exploitation would need a router with not changed default user/password to web management. If the password was changed the issue is not remotely exploitable. So we believe that the issue is not critical (ie: no direct remote compromise / in any conditions; on the other hand how many people change default router credentials?)
- We did not find authentication bypass in the router.
- The web management console is open by default to LAN users only (it is not accessible directly from WAN - so for example CSRF is needed to try remote exploitation the issue).
Vendor's reaction / issue history
- The research was performed in early 2009.
- The vendor was notified on 18.03.09.
- Quick response (within one day)
- Quick confirmation of the issue (within few days).
- No fix till now (15.05.2009)
- 15.05.2009 - public disclosure
Research / contact
- We are performing research on web management interfaces on network appliances. If you want to help, feel free to contact as @ email@example.com
- All the information is provided for educational use only.
- We strongly discourage to use the information for cracking purposes.
- We are not responsible for damages made to your router - play with your router carefully.