Linksys routers vulnerable through CGI scripts

Solarquest

More SOHOpeless misery

8 Dec 2015 at 05:02, Richard Chirgwin

Linksys' EA6100-6300 wireless routers need a patch: KoreLogic has published an advisory saying that rubbish CGI scripts in the admin interface open the device up to remote attackers.

Since it's a consumer product, it's a fair bet that most of the devices out there won't get patched, but here's the detail.


Many of the CGI scripts included in the admin interface provide an attacker with unauthenticated access. The attacker can then get the router's admin password and p0wn the device, the advisory says.

The bad scripts include the bootloader, sysinfo.cgi, ezwifi_cfg.cgi, qos_info.cgi and others.

The disclosure is attributed to Matt Bergin of KoreLogic. His proof-of-concept code provided with the advisory includes testing the target device to see if its admin password remains set to default.

At the time of writing, Linksys had not published a fix, so it's at least prudent to shut down remote admin access to any devices you're in contact with. ®

It's incredible how often security issues related to routers are found... and how often they are not patched, or are patched very late.
In my opinion it's actually a shame...
 
There are 2 issues on the routers (EA6100, EA6200 and EA6300)... or I could probably include all routers, no matter the brand or vendor. :D
  • Users that don't change the default admin password
  • Users that enable Remote Management Access
IMO, I strongly believe the described code will have almost no impact, or at least an extremely low number of impacts, simply because a lot of users, even those with very, very low "how to" knowledge, do change the default admin password, and secondly there is a very small number of people who fiddle with Remote Management Access in Linksys routers, which is in any case always disabled by default.

Linksys was actually hit about 2 years ago with something very similar: the TheMoon malware.
 
Yes, years ago an exploit hit two CGI scripts.
I ask myself: has the patch not been released, or is this another, but similar, vulnerability...