A serious vulnerability in a popular Belkin router could be exploited by a local, unauthenticated attacker to gain full control over affected devices.
The good news is that the bug has already been patched by Belkin. The bad news is that approximately nobody installs router firmware updates.
The vulnerability exists in the guest network Web interface of Belkin’s N750 DB Wi-Fi Dual-Band N+ Gigabit Router (firmware version F9K1103_WW_1.10.16m). In this particular router, the guest network functionality is turned on by default and no authentication is required to join it. In order to resolve the problem, users will need to upgrade their firmware to version F9K1103_WW_1.10.17m.
According to Marco Vaz of Integrity Labs, the bug (CVE-2014-1635) at first seemed to be a simple buffer overflow, and there was a question as to whether or not it was even exploitable.
Vaz found the vulnerability after doing a bit of light fuzzing. He realized that the process handling the POST parameter “jump” was afflicted by a buffer overflow when sent payloads containing 5000 bytes. When he triggered the overflow, the process crashed.
In order to determine the bug’s exploitability, he virtualized the router process so that he would be able to debug the mips32 process on an x86 machine. This required further binary patching and function injection to bypass configuration access limitations in his QEMU emulator. Vaz walks through his extensive, virtualized exploitability tests in a blog post on the Integrity Labs website. Follow the link for a more technical analysis.
In the end, he determined that a remote unauthenticated attacker can execute root-level commands on the router by sending specially crafted POST requests to the httpd process (the Apache HyperText Transfer Protocol server program), which serves as the authentication agent for guest network logins.
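As an added defensive illustration (not code from the article or from Integrity Labs), the check below flags form-encoded POST requests whose “jump” parameter is abnormally long, the condition described above as crashing the guest-network httpd. The length threshold and the sample requests are constructed assumptions, not values taken from the advisory.

```python
# Added example: flag POST bodies whose "jump" parameter is far longer than any
# legitimate redirect target. The limit and sample traffic are constructed.
from urllib.parse import parse_qs

# Assumption: a single "jump" value longer than this is treated as abnormal.
# The article reports a 5000-byte payload crashing the process; the real
# buffer size is not given, so a conservative limit is used here.
JUMP_LIMIT = 1024


def oversized_params(body: str, limit: int = JUMP_LIMIT) -> dict:
    """Return {param: longest_value_length} for parameters exceeding `limit`."""
    fields = parse_qs(body, keep_blank_values=True)
    longest = {name: max(len(v) for v in values) for name, values in fields.items()}
    return {name: size for name, size in longest.items() if size > limit}


def flag_requests(requests, limit: int = JUMP_LIMIT) -> list:
    """Return indices of POST requests carrying an oversized "jump" parameter."""
    flagged = []
    for index, request in enumerate(requests):
        if request["method"] != "POST":
            continue  # the reported overflow is in POST parameter handling
        if "jump" in oversized_params(request["body"], limit):
            flagged.append(index)
    return flagged


# Constructed sample traffic: a normal guest-network login, a request with a
# 5000-byte "jump" value like the one described in the article, and a GET.
SAMPLE_REQUESTS = [
    {"method": "POST", "body": "jump=%2Findex.html&user=guest"},
    {"method": "POST", "body": "jump=" + "A" * 5000 + "&user=guest"},
    {"method": "GET", "body": ""},
]

if __name__ == "__main__":
    print(flag_requests(SAMPLE_REQUESTS))  # [1]
```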
Integrity Labs reported the bug to Belkin on Jan. 24 and sent along their exploit proof-of-concept on Jan. 28. Belkin issued an updated version of their firmware resolving the bug on March 31.
The vulnerability itself, as you can see, is not new. On the other hand, Vaz published his exploit just yesterday.