Linksys-routers Vulnerable due to multiple cgi-scripts

[tim]

Sorry if this has been posted before. Didn't find it with a forum search.

From GURU3D http://www.guru3d.com/news-story/linksys-routers-vulnerable-due-to-multiple-cgi-scripts.html

Linksys routers ranging from model EA6100 up-to EA6300 are Vulnerable and exploitable due to multiple cgi-scripts. The scripts can be used by an unauthorized attacker, which can get them access to the master password of the device.

Linksys' EA6100-6300 wireless routers will need a patch reports the register: KoreLogic has published an advisory saying that CGI scripts in the admin interface open the device up to remote attackers. Since it's a consumer product the risk is high that most of the devices out there never would be patched. The bad scripts include the bootloader, sysinfo.cgi, ezwifi_cfg.cgi, qos_info.cgi and others.

The disclosure is attributed to Matt Bergin of KoreLogic. His proof-of-concept code provided with the advisory includes testing the target device to see if its admin password remains set to default. At the time of writing, Linksys has not published a fix, so it's at the very least recommended to shut down remote admin access to any devices you're in contact with.

 

[System Error Message]

i doubt there would be a fix. DLink has these problems and worse and they dont fix it.

 

[remixedcat]

@chadster766 I think is a linksys rep it would be nice if he can comment on this

 

[htismaqe]

Pretty much all Linksys routers using SmartWifi firmware are vulnerable because the guest network runs on an open SSID with no option to use security. The captive portal web daemon runs as root, so if a user can can crash or compromise the router via the guest network and web daemon, they'll have full control of the entire box.

SFX2000 first reported this to Linksys and that was several months ago. I wouldn't expect a fix honestly.

And the report in the OP probably isn't comprehensive enough - they only mention the EA6100 to EA6300. Both the EA6900 and WRT1900AC (I have owned both) run multiple CGI scripts and they can be executed from a web browser, such as sysinfo.cgi.

 

[chadster766]

The OP linked article isn't quite right AFAIK. The vulnerability is as @htismage mentions through local access to the router not remote access.

I reported the below article to Linksys engineering on Dec 7, 2015:
https://www.korelogic.com/Resources/Advisories/KL-001-2015-006.txt

 

[sfx2000]

Pretty much all Linksys routers using SmartWifi firmware are vulnerable because the guest network runs on an open SSID with no option to use security. The captive portal web daemon runs as root, so if a user can can crash or compromise the router via the guest network and web daemon, they'll have full control of the entire box.

SFX2000 first reported this to Linksys and that was several months ago. I wouldn't expect a fix honestly.

The vuln I reported is specific to the Guest Network functionality, and it's pretty much broken on every linksys device I've tested against...