Back in 2012 I gave a talk at a conference titled Blended Threats and JavaScript. I demonstrated how anybody could design an internet worm that targeted common network devices like routers and turn them into a powerful botnet that is able to monitor traffic across all types of networks. For the presentation, I demonstrated a vulnerability in the uber-popular Linksys WRT54GL router. Well, it's been almost a year since that presentation, so where are we now? In January of this year, Cisco (who owned Linksys until recently) published a patch to the router. Unfortunately, as the change log indicates, the patch only addressed an unrelated XSS issue. Today, the latest firmware version 4.30.16 (build 4) remains vulnerable to the attack, dubbed Cross-Site File Upload (CSFU).

The router itself was only a mechanism to demonstrate the attack. During my research process, I thought it would be good to take a look at how Cisco's newer devices did in regards to securing their administration features. I chose the Linksys EA2700 Network Manager N600 Wi-Fi Wireless-N Router because it is a major-brand device and was recently released in March 2012, making it an easy choice for home users looking for an easy-to-use home Wi-Fi router. I hooked it up and spent maybe 30 minutes testing the security of the embedded website used to manage the device, then never used it again. What I found was so terrible, awful, and completely inexcusable! It only took 30 minutes to come to the conclusion that any network with an EA2700 router on it is an insecure network!

On March 5, 2013, I emailed my research to Cisco.

Today I am publishing 5 Linksys router vulnerabilities so that consumers may be aware of the risks.

1. Linksys WRT54GL Firmware Upload CSRF Vulnerability

I demonstrate Cross-Site File Upload in my BlackHat and AppSec USA talks. If you need more info on the vector itself, check out How to upload arbitrary file contents cross-domain by Kotowicz.

2. Linksys EA2700 XSS Vulnerability

XSS on the apply.cgi page (used for nearly all state-changing requests). Works whether or not the user is authenticated. Can be used to steal access to the device, change settings, or assist in uploading backdoored firmware.

3. Linksys EA2700 File Path Traversal Vulnerability

Get the router's /etc/passwd file or other config files easily, and without ever logging in! This vulnerability tells me that this router's software was never given a security pen-test because it is just TOO easy!
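The three flaw classes above (cross-site file upload/CSRF on state-changing pages, reflected XSS on apply.cgi, and path traversal to files like /etc/passwd) are all fixed by checks an embedded admin web server should run on every request. The following is an added example written for this post, not Linksys or Cisco code; the document root, trusted admin hostnames and the upgrade.cgi path are assumptions.

```python
# Added example: defensive request checks for a router's embedded admin UI.
# Assumed values: WEB_ROOT, TRUSTED_HOSTS and "/upgrade.cgi" are illustrative;
# "/apply.cgi" is the state-changing page named in the post.
import hmac
import html
import posixpath
from typing import Optional
from urllib.parse import unquote, urlparse

WEB_ROOT = "/www"                                  # assumed document root
TRUSTED_HOSTS = {"192.168.1.1", "router.local"}    # assumed admin hostnames
STATE_CHANGING = {"/apply.cgi", "/upgrade.cgi"}    # pages that change config/firmware


def safe_path(requested: str) -> Optional[str]:
    """Map a URL path to a file under WEB_ROOT, refusing traversal.

    Percent-decodes once, normalises '..' segments, then verifies the result
    is still inside the root. Returns None for anything that escapes it
    (e.g. '../etc/passwd' or '%2e%2e/etc/passwd').
    """
    decoded = unquote(requested).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


def csrf_ok(path: str, method: str, headers: dict,
            form_token: Optional[str], session_token: str) -> bool:
    """Allow a state-changing request only if it is same-origin AND carries
    the per-session anti-CSRF token. A cross-site form post or file upload
    arrives with a foreign Origin/Referer (or none) and without the token."""
    if method.upper() == "GET" or path not in STATE_CHANGING:
        return True  # GETs must never change state; other paths are read-only
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin or urlparse(origin).hostname not in TRUSTED_HOSTS:
        return False
    if form_token is None:
        return False
    return hmac.compare_digest(form_token, session_token)  # constant-time


def reflect_safely(value: str) -> str:
    """Encode any user-supplied value before echoing it into apply.cgi's HTML,
    which neutralises the reflected-XSS class described above."""
    return html.escape(value, quote=True)
```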