Well, it's my 30th post on my blog, and for this post I've got a zero-day.
I did some poking around at a router of mine, a Linksys X3000.
Now we all know that just about every router of this sort (home-use types) is vulnerable to some really basic but potentially devastating security oversights. I hope this post will illustrate the point:
The firmware revision of my X3000 has been updated to the most recent revision: 1.0.05 Annex A.
Very quickly I came across two vulnerabilities within the WebAdmin panel: the first quite severe, the second of only moderate use.
The first is an authentication bypass vulnerability in the Apply.cgi module.
The second is an XSS vulnerability in the Status.asp page. The entry point for it is the Domain Name field within the Setup page.
On all transmissions between user and router, a Base64-encoded authentication string of the form Username:Password is included. (It would be possible to sniff this kind of information out!) However, if this authentication string is simply removed from POST requests made to Apply.cgi, the application still processes the request as if it were valid. The implication is that an attacker can easily modify any router setting, including logon passwords and SSIDs.
The screenshot below shows a POST request, made without authentication, changing the WebAdmin panel logon password:
The following screenshot shows a POST request changing the station SSID, WITH valid authentication:
The image below shows the response once the application has accepted the request as valid:
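As an added illustration (not code from the original post or from Linksys), the following Python script shows how a defender watching the LAN side of the router could flag both of the points above: POST requests to Apply.cgi that carry no Authorization header at all, and Basic credentials that are only Base64-encoded on the wire. The captured requests and their form bodies are constructed samples; the real Apply.cgi parameters are not reproduced here.

```python
import base64
import binascii

# Constructed sample capture of requests to the router's WebAdmin panel, as an
# inline proxy or IDS would see them. Bodies are placeholders, not the real
# Apply.cgi form fields. "YWRtaW46czNjcmV0" is Base64 of "admin:s3cret".
SAMPLE_REQUESTS = [
    "POST /Apply.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Authorization: Basic YWRtaW46czNjcmV0\r\n\r\nfield=value",
    "POST /Apply.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\nfield=value",
    "GET /Status.asp HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Authorization: Basic YWRtaW46czNjcmV0\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def basic_auth_user(headers):
    """Return the username from a Basic Authorization header, or None.
    Only the username is reported; the password is never written out."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def findings_for(raw):
    """Return the list of issues a defender would want raised for one request."""
    method, path, headers, _body = parse_request(raw)
    findings = []
    if method == "POST" and path.lower().endswith("/apply.cgi") and "authorization" not in headers:
        findings.append("POST to Apply.cgi without any Authorization header")
    user = basic_auth_user(headers)
    if user is not None:
        findings.append(f"Basic credentials for '{user}' sent Base64-encoded, readable to anyone sniffing")
    return findings


def scan(requests):
    """Map each request index to its findings, skipping clean requests."""
    return {i: f for i, f in ((i, findings_for(r)) for i, r in enumerate(requests)) if f}
```

Any hit on the first finding is either someone exercising the bypass or proof that the firmware still accepts unauthenticated configuration changes.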
A simple XSS vulnerability exists within the Status.asp page, due to the lack of proper input validation.
The entry point for this vulnerability is the Domain Name field within the Setup page.
The entry point is shown in the screenshot below:
By supplying an attack string to the edit field, such as:
It is then possible to trigger this vulnerability by viewing the status page.
I had a discussion with Linksys-Cisco on the 26th of July, and they have assured me they will deal with this issue.