Hackers love to attack Java. Why? Well, not only because it is full of holes, but because it’s everywhere, embedded on endpoints, Web browsers, mobile devices and more. The same goes for attacking wireless routers; they’re buggy and they’re everywhere.
A handful of vulnerabilities were identified late last week in the Cisco Linksys EA2700 Network Manager N600 Wireless-N router, which has been on the market a little more than a year and is a popular choice not only for home users but for small businesses.
Pen-tester and researcher Phil Purviance, who has presented similar research at security industry events, reported his findings to Cisco on March 5. No patches are available yet. Cisco did not respond to a request for comment.
“I hooked it up and spent maybe 30 minutes testing the security of the embedded website used to manage the device, then never used it again,” Purviance wrote on his blog of the EA2700. “What I found was so terrible, awful, and completely inexcusable! It only took 30 minutes to come to the conclusion that any network with an EA2700 router on it is an insecure network!”
His research looked at the administration features on the embedded management website. The vulnerabilities he found range in severity and simplicity to exploit.
A cross-site scripting bug in the router’s apply.cgi works regardless of authentication and would allow an attacker to access the device, change settings or upload modified firmware.
A file path traversal vulnerability was also discovered that would enable an attacker to remotely access password or configuration files without being logged in. “This vulnerability,” Purviance wrote, “tells me that this router’s software was never given a security pen-test because it is just too easy.”
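As an added illustration of the traversal class described above (this is not code from the article, from Purviance, or from Cisco/Linksys), the following Python shows the check a file-serving handler should apply to a requested path, and the same check run over constructed web-server access-log lines to flag requests that escape the document root. The router's real URLs and file names are not given on the page, so every path, IP address and timestamp below is made up.

```python
"""Detecting and rejecting directory traversal in request paths.

Added example, not the EA2700's code. The log lines and paths are constructed."""
import posixpath
import re
from urllib.parse import unquote

# Common Log Format request line: method, path and protocol inside the quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')


def classify_path(url_path):
    """Return 'traversal' if the request path escapes the document root once
    decoded, 'rejected' if it carries a null byte, otherwise 'ok'.

    Decoding twice catches the double-encoded form (%252e%252e -> %2e%2e -> ..),
    and backslashes are folded to slashes because some servers accept either."""
    decoded = unquote(unquote(url_path)).replace("\\", "/")
    if "\x00" in decoded:
        return "rejected"
    # Drop any query string, make the path relative to the document root, normalise.
    relative = decoded.split("?", 1)[0].lstrip("/")
    norm = posixpath.normpath(relative) if relative else "."
    if norm == ".." or norm.startswith("../"):
        return "traversal"
    return "ok"


def flag_traversal(log_lines):
    """Return (client_ip, raw_path) for every logged request whose path escapes the root."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        if classify_path(match.group("path")) == "traversal":
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, match.group("path")))
    return hits


# Constructed sample log lines (placeholder IPs, dates and paths).
SAMPLE_LOG = [
    '192.168.1.23 - - [05/Mar/2013:10:00:01 +0000] "GET /admin/index.html HTTP/1.1" 200 512',
    '192.168.1.77 - - [05/Mar/2013:10:00:05 +0000] "GET /admin/../../etc/passwd HTTP/1.1" 200 1024',
    '192.168.1.77 - - [05/Mar/2013:10:00:09 +0000] "GET /admin/%252e%252e/%252e%252e/etc/config HTTP/1.1" 200 2048',
    '192.168.1.40 - - [05/Mar/2013:10:00:12 +0000] "GET /admin/images/../logo.png HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, path in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The same `classify_path` routine serves both sides: a log monitor uses it to raise an alert, and the management web server should apply it (after authentication, not instead of it) and refuse anything that is not `ok`. Note that the fourth sample line contains `..` but still resolves inside the root, so it is correctly left alone.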
He also found a cross-site request forgery flaw that would allow an attacker on the same network to change log-in information and remotely manage the hardware. He said a remote attacker could also exploit the same vulnerability by luring the user to a website hosting an exploit, which, he said, amounts to a POST request to the management page that opens the admin interface and changes the user’s password to “password.”
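To show why the forged POST described above succeeds and what stops it, here is an added, constructed model of an admin "change password" handler in Python. It is not the EA2700's firmware or any Cisco/Linksys code; the admin interface address, the field names and the session model are assumptions. The point it makes is that the browser attaches the router's session cookie to every request it sends there, including a form auto-submitted by a page on another site, so a handler that only checks for that cookie cannot tell the forged request from a real one.

```python
"""Constructed model of a router admin password-change endpoint.

Added example, not the device's code. Shows the vulnerable handler (cookie
check only) beside a hardened one (Origin check plus per-session token)."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

ADMIN_ORIGIN = "http://192.168.1.1"  # assumed address of the management interface


@dataclass
class Session:
    user: str
    # Per-session anti-CSRF token embedded in the real admin form. A page on
    # another origin cannot read it, so it cannot reproduce it in a forged POST.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    session: Optional[Session]      # resolved from the cookie the browser attaches
    form: dict                      # POST body fields (assumed field names)
    origin: Optional[str] = None    # Origin header, set by the browser, not the page


class RouterAdmin:
    def __init__(self):
        self.admin_password = "original-secret"

    def change_password_vulnerable(self, req):
        """Only asks 'is there a logged-in session?', which a forged request satisfies."""
        if req.session is None:
            return 401
        self.admin_password = req.form["password"]
        return 200

    def change_password_hardened(self, req):
        """Rejects requests from other origins and requests lacking the session token.
        A missing Origin header is treated as untrusted, not as a pass."""
        if req.session is None:
            return 401
        if req.origin != ADMIN_ORIGIN:
            return 403
        supplied = req.form.get("csrf_token", "")
        if not secrets.compare_digest(supplied, req.session.csrf_token):
            return 403
        self.admin_password = req.form["password"]
        return 200


def forged_post(handler_name):
    """Model the scenario in the article: the logged-in admin's browser loads a
    page elsewhere that submits a POST setting the password to 'password'.
    Returns (HTTP status, password after the request)."""
    router = RouterAdmin()
    session = Session(user="admin")
    req = Request(session=session, form={"password": "password"},
                  origin="http://other-site.example")
    status = getattr(router, handler_name)(req)
    return status, router.admin_password


def legitimate_post():
    """The real admin form carries the session token and comes from the admin origin."""
    router = RouterAdmin()
    session = Session(user="admin")
    req = Request(session=session,
                  form={"password": "new-secret", "csrf_token": session.csrf_token},
                  origin=ADMIN_ORIGIN)
    return router.change_password_hardened(req), router.admin_password


if __name__ == "__main__":
    print("vulnerable:", forged_post("change_password_vulnerable"))  # (200, 'password')
    print("hardened:  ", forged_post("change_password_hardened"))    # (403, 'original-secret')
    print("legitimate:", legitimate_post())                          # (200, 'new-secret')
```

Either check alone would block this particular forgery; the token is the one that does not depend on the browser sending an Origin header, which older browsers omitted on plain form posts, so the hardened handler requires both. On current browsers a `SameSite` attribute on the session cookie adds a third, independent layer.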
The final EA2700 bug can lead to source code disclosure: inserting a particular character into a URL while browsing the admin interface causes the raw source code to be returned. “No, I’m not talking the HTML source code, but the actual Web application level source code that is used to convert the page to HTML,” he said.
In addition, Purviance said a Cisco patch released in January for a cross-site request forgery flaw in the Linksys WRT54GL router was incomplete, and patched only an unrelated cross-site scripting flaw. He said the latest firmware version 4.30.16 remains vulnerable to the attack he presented last year at Black Hat and AppSec USA.
Security researchers are starting to look at these vulnerable home customer-premises devices as possible launchpads for a variety of attacks. IOActive researchers Sofiane Talmat and Ehab Hussein recently shared research with Threatpost that demonstrated that home routers and modems from ISPs can be chained together to redirect traffic in click-fraud scams, keep blocks of users from reaching the Internet, or launch denial-of-service attacks.
Recently, new modules were added to Metasploit that exploit vulnerabilities in embedded Linux-based routers from Linksys, D-Link and Netgear. The modules fingerprint the devices, retrieve configuration files or enable an attacker to get shell access.
“The major difference between these vulnerabilities and the more traditional PC-based vulnerabilities (such as Java and Windows vulnerabilities) is that the existence of vendor patches doesn’t really matter,” said Tod Beardsley, engineering manager at Rapid7. “Even if vendors release patched firmware for these devices, the vast majority of users will never learn about them. There aren’t automatic update functions on any of these devices, and there is nothing like anti-virus software that can run on these low-memory, low-power devices. As a result, these kinds of bugs are extremely long-lived.”
Talmat and Hussein were also able to take advantage of vulnerable firmware and upload their own in simulated attacks. Their new firmware took the place of factory-installed firmware, rendering factory-reset options useless.
“In addition, if an attacker is able to get control of a device, that attacker has effective control over all the devices that associate with it. He can poison DNS, he can reflect traffic to a malicious site, he can inject phishing links in HTTP sessions, he can disable firewall rules – the number of attack vectors is limited only by imagination,” Beardsley said. “This extends not only to the computers on the internal network, but also phones that associate to the wireless.”