[ 0 Day ] Linksys-Cisco X3000 Wireless Router Version: 1.0.05. WebAdmin-Page Vulnerabilities: Broken Authentication & XSS.

Well, it's my 30th post on my blog; and for this post I've got a zero-day.

I did some poking around at a router of mine, a Linksys X3000.
Just about every home router of this sort is vulnerable to some very basic but potentially devastating security oversights. This post is meant to illustrate that point:

My X3000 has been updated to the most recent firmware revision available at the time of writing: 1.0.05 Annex A.

Very quickly I came across two vulnerabilities within the WebAdmin panel: the first quite severe, the second only of moderate use.
The first is an authentication bypass vulnerability in the Apply.cgi module.
The second is an XSS vulnerability in the Status.asp page. The entry point for it is the Domain Name field within the Setup page.

Authentication Bypass:

Every request from the browser to the router carries an HTTP Basic Authorization header: the string Username:Password, Base64-encoded. Base64 is an encoding, not encryption, so anyone able to sniff the plain-HTTP traffic can recover the credentials directly. More seriously, if this Authorization header is simply removed from a POST request to Apply.cgi, the application still processes the request as if it had been authenticated. The implication is that anyone who can reach the WebAdmin interface (for example any host on the LAN) can modify any router setting, including the logon password and the SSID, without ever knowing the password.

The screenshot below shows a POST request, made without any authentication, that changes the WebAdmin panel logon password:

The following screenshot shows a POST request that changes the station SSID, this time WITH valid authentication.

The image below shows the response returned once the application has accepted the request as valid:
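
The following is an added example (my own code, not the author's and not Linksys firmware) that reproduces the behaviour described above in a mock Apply.cgi and shows the check a tester would run against it: send the same settings POST with and without the Authorization header and compare the status codes. The mock's credential admin/admin, the wl_ssid form parameter and the /apply.cgi path are assumptions made for the illustration, not values taken from the router.

```python
import base64
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed credential for the mock device (an illustration, not a real default).
MOCK_USER, MOCK_PASS = "admin", "admin"


def basic_auth_header(user, password):
    """Build the value of an HTTP Basic Authorization header.

    Base64 is an encoding, not encryption: anyone who sees the request
    can decode it, so on plain HTTP it protects nothing against sniffing."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def credential_from_header(value):
    """Decode a Basic Authorization header back to (user, password).

    Returns None when the header is missing or malformed."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def make_handler(require_auth):
    """Mock Apply.cgi handler.

    With require_auth=False it reproduces the reported behaviour: the POST
    body is applied whether or not a credential is present. With
    require_auth=True every POST must carry the correct Basic credential."""
    settings = {"ssid": "original"}

    class ApplyCgi(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the example quiet
            pass

        def do_POST(self):
            if self.path != "/apply.cgi":  # assumed path for the mock
                self.send_error(404)
                return
            cred = credential_from_header(self.headers.get("Authorization"))
            if require_auth and cred != (MOCK_USER, MOCK_PASS):
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="mock"')
                self.end_headers()
                return
            length = int(self.headers.get("Content-Length", 0))
            form = urllib.parse.parse_qs(self.rfile.read(length).decode())
            if "wl_ssid" in form:  # assumed parameter name for the mock
                settings["ssid"] = form["wl_ssid"][0]
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"OK")

    ApplyCgi.settings = settings
    return ApplyCgi


def start_mock(require_auth):
    """Start the mock on a free loopback port; returns the server object."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(require_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post_apply(port, body, auth=None):
    """POST a form body to /apply.cgi, optionally with an Authorization value."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth:
        headers["Authorization"] = auth
    conn.request("POST", "/apply.cgi", body=body, headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status


def accepts_unauthenticated_apply(port):
    """The check itself: replay a settings change with no Authorization header.

    A device that answers 200 rather than 401 is processing unauthenticated
    changes, which is the reported bypass."""
    return post_apply(port, "wl_ssid=probe") == 200


if __name__ == "__main__":
    vulnerable = start_mock(require_auth=False)
    fixed = start_mock(require_auth=True)
    print("vulnerable mock accepts unauthenticated POST:",
          accepts_unauthenticated_apply(vulnerable.server_address[1]))
    print("fixed mock accepts unauthenticated POST:",
          accepts_unauthenticated_apply(fixed.server_address[1]))
    vulnerable.shutdown()
    fixed.shutdown()
```

Against a real device the probe is the captured Apply.cgi POST with its Authorization header stripped and the router's address in place of the mock; note that a successful probe changes a setting, so send a value you can revert.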

Cross-Site-Scripting:

A simple stored XSS vulnerability exists in the Status.asp page: the Domain Name value entered on the Setup page is stored and later written into the status page without input validation or output encoding.
This allows attacker-supplied JavaScript to execute in the browser of anyone who views the status page.
The entry point for this vulnerability is the Domain Name field within the Setup page.

The example entry point is displayed in the below screenshot:

By supplying an attack string to the edit field, such as:

the payload is then triggered simply by viewing the status page.
In the screenshot below, a message box is displayed once the embedded JavaScript has executed.
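
As an added example (my own code, not the author's and not the router's firmware), the following shows the vulnerable rendering pattern beside its hardened form: the raw stored value dropped into the status page, versus an allowlist check on the Domain Name field at the Setup handler plus HTML output encoding on Status.asp. The table-row markup and the settings dictionary are assumptions for the illustration; the real page's markup is not known.

```python
import html
import re

# Allowlist for the Domain Name field: dot-separated labels of letters, digits
# and hyphens, no leading or trailing hyphen, RFC 1123 style. A trailing dot
# (FQDN form) is deliberately rejected to keep the rule simple.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"                      # overall length limit
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"       # first label
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"  # further labels
)


def is_valid_domain_name(value):
    """Input validation at the Setup page: accept only a plausible hostname."""
    return bool(HOSTNAME_RE.fullmatch(value))


def save_domain_name(settings, value):
    """Hardened Setup handler: refuse to store anything that is not a hostname."""
    if not is_valid_domain_name(value):
        raise ValueError("domain name rejected: not a valid hostname")
    settings["domain_name"] = value
    return settings


def render_status_vulnerable(domain_name):
    """Mimics the reported behaviour: the stored value is written into the
    status page as-is, so a stored <script> element runs on every view."""
    return f"<tr><td>Domain Name</td><td>{domain_name}</td></tr>"


def render_status_fixed(domain_name):
    """Output encoding at Status.asp: HTML-escape the value for the text
    context it lands in. quote=True also covers attribute contexts."""
    safe = html.escape(domain_name, quote=True)
    return f"<tr><td>Domain Name</td><td>{safe}</td></tr>"


if __name__ == "__main__":
    # Constructed payload of the kind described in the post.
    payload = "<script>alert(1)</script>"
    print(render_status_vulnerable(payload))
    print(render_status_fixed(payload))
    try:
        save_domain_name({}, payload)
    except ValueError as exc:
        print("setup handler:", exc)
```

Both layers matter: the allowlist stops the payload from ever being stored, and the output encoding protects the page even if a value reaches it by some other route (for example an older firmware's stored settings).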

Vendor response:

I had a discussion with Linksys-Cisco on the 26th of July, and they assured me they will deal with this issue.


~ by Rhys Mossom on July 27, 2013.
