He informed then-Linksys owner Cisco of the issue, and while Linksys has published a patch to the router, “as the change log indicates, the patch only addressed an unrelated XSS issue,” Purviance said in a blog post. “The latest firmware version 4.30.16 (build 4) remains vulnerable to the attack, dubbed Cross-Site File Upload (CSFU).”
Purviance also decided to look beyond that router to see if he could turn up any additional issues. “During my research process, I thought it would be good to take a look at how Cisco's newer devices did in regards to securing their administration features,” said Purviance. “I chose the Linksys EA2700 Network Manager N600 Wi-Fi Wireless-N Router because it is a major brand device, and was recently released in March 2012, making it an easy choice for home users looking for an easy to use home Wi-Fi router.”
He added, “What I found was so terrible, awful, and completely inexcusable! It only took 30 minutes to come to the conclusion that any network with an EA2700 router on it is an insecure network!” He said that after hooking it up, he spent about 30 minutes testing the security of the embedded website used to manage the device, then never used it again after discovering five major vulnerabilities in the device.
In addition to the aforementioned Linksys WRT54GL firmware upload CSRF vulnerability, there’s also a Linksys EA2700 cross-site scripting vulnerability that can be used to steal access to the device, change settings or assist in uploading backdoored firmware. A Linksys EA2700 file path traversal vulnerability allows users to get the router’s password file or other configuration files easily, and without ever logging in. “This vulnerability tells me that this router’s software was never given a security pen-test because it is just too easy,” said Purviance.
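The path traversal finding above is the classic failure of a web server that joins a client-supplied path onto its document root without checking where the result lands. The following is an added example, not code from Purviance's research or from Linksys firmware, of the check an embedded admin site should perform before opening a file. The document root `/www`, the helper names and the sample request paths are assumptions constructed for this illustration; the traversal-style paths are the kind of thing a defender should expect to see in a router's access log.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root of the router's embedded admin site (an assumption
# for this example; the article does not say where the EA2700 stores its pages).
WEB_ROOT = "/www"


def resolve_static_path(web_root: str, requested: str) -> Optional[str]:
    """Map a client-supplied URL path to a file under web_root.

    Returns the normalised absolute path when the request stays inside
    web_root, or None when it would escape the root (directory traversal)
    or contains characters that have no business in a file name.
    """
    # Decode percent-encoding exactly once, so "%2e%2e" is treated as "..".
    # A doubly encoded "%252e" stays a literal "%2e" and simply fails lookup.
    decoded = unquote(requested)

    # NUL bytes and backslashes are rejected outright: NUL can truncate the
    # name in C code, and backslash is a separator on some filesystems.
    if "\x00" in decoded or "\\" in decoded:
        return None

    # Join relative to the root and collapse "." and ".." segments.
    root = web_root.rstrip("/")
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))

    # The only acceptable outcome is a path strictly below the root.
    if not full.startswith(root + "/"):
        return None
    return full


def classify_requests(web_root: str, paths):
    """Convenience wrapper: returns {requested_path: resolved_path_or_None}."""
    return {p: resolve_static_path(web_root, p) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests: two legitimate page fetches and three
    # traversal attempts of the kind that should be rejected and logged.
    samples = [
        "/index.html",
        "/css/../index.html",
        "/../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
        "/index.html%00.txt",
    ]
    for path, resolved in classify_requests(WEB_ROOT, samples).items():
        print(f"{path!r:32} -> {resolved if resolved else 'REJECTED'}")
```

The decisive step is normalising the joined path and then comparing it against the root with a trailing slash; a bare prefix test on `/www` would wrongly accept a sibling directory such as `/www-old`, and skipping normalisation would let `..` segments through untouched.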
Also, on a Linksys EA2700 router, he discovered that anybody on the same network can change the router's password and enable remote management, allowing access to the network from the internet. It's also possible for a remote attacker on the internet to design a malicious website that would exploit the same vulnerabilities without actually being on the home network.
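The reason a website elsewhere on the internet can change settings on a router it cannot reach directly is that the victim's browser carries the router's login cookie along with any form that page submits. What closes that gap is the admin interface refusing settings changes that do not prove they came from its own pages. The following is an added example, not code from Linksys or from Purviance's write-up, of the three checks such a handler would apply: method, Origin/Referer header, and a per-session anti-CSRF token. The admin origin `http://192.168.1.1` is taken from the Linksys statement quoted below in this article; the request dictionaries, form field names and function names are constructed for the example.

```python
import hmac
import secrets
from typing import Any, Dict

# Origin at which the router's admin UI is served. 192.168.1.1 is the address
# the Linksys statement in this article mentions; treating it as the only
# trusted origin is this example's assumption.
ADMIN_ORIGIN = "http://192.168.1.1"


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create a per-session secret to embed as a hidden field in admin forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_trusted_state_change(request: Dict[str, Any],
                            session: Dict[str, str],
                            admin_origin: str = ADMIN_ORIGIN) -> bool:
    """Decide whether a settings-changing request may be honoured.

    A handler that checks only the login cookie will accept a form that any
    other site open in the same browser submits on the user's behalf. Three
    extra checks close that: the method must be POST, the Origin (or Referer)
    header must name the router itself, and the form must carry the token
    tied to this session.
    """
    if request.get("method") != "POST":
        return False

    headers: Dict[str, str] = request.get("headers", {})
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    # Exact match on Origin, or a Referer URL that begins with origin + "/",
    # so a lookalike host such as "http://192.168.1.1.example" is rejected.
    if source != admin_origin and not source.startswith(admin_origin + "/"):
        return False

    submitted = request.get("form", {}).get("csrf_token")
    expected = session.get("csrf_token")
    if not submitted or not expected:
        return False
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(submitted, expected)


def demo() -> Dict[str, bool]:
    """Run constructed sample requests through the check and return verdicts."""
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    requests = {
        # Submitted from the router's own management page with its token.
        "legitimate_form_post": {
            "method": "POST",
            "headers": {"Origin": ADMIN_ORIGIN},
            "form": {"csrf_token": token, "remote_mgmt": "on"},
        },
        # Auto-submitted by a page on another site; the browser sets Origin.
        "cross_site_post": {
            "method": "POST",
            "headers": {"Origin": "http://other-site.example"},
            "form": {"csrf_token": "guess", "remote_mgmt": "on"},
        },
        # Same origin, but the form lost its token (stale cached page).
        "same_origin_no_token": {
            "method": "POST",
            "headers": {"Referer": ADMIN_ORIGIN + "/admin/management.html"},
            "form": {"remote_mgmt": "on"},
        },
        # Settings change attempted through a plain link or image request.
        "get_with_params": {
            "method": "GET",
            "headers": {"Origin": ADMIN_ORIGIN},
            "form": {"csrf_token": token, "remote_mgmt": "on"},
        },
    }
    return {name: is_trusted_state_change(req, session)
            for name, req in requests.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} -> {'accepted' if ok else 'rejected'}")
```

Either the header check or the token check alone would stop the cross-site case; applying both means a browser that omits Origin on some requests, or a page that leaks its token, does not on its own reopen the hole.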
“This is just STUPID,” wrote Purviance. “I don't know whether to laugh or cry at this because it's essentially the same as putting an unpatched Windows machine directly on the Internet. This is just so sad that I really don't know what else to say about this. *mindblown.gif*”
Finally, he discovered that adding a ‘/’ to any URL while browsing through the administrative panel opens up the raw source code of the page. “Feel like hacking the EA2700, but only have a keyboard with one character on it? If that character is a ‘/’ then you are in luck,” he said. “No, I'm not talking the HTML source code, but the actual web application level source code that is used to convert the page to HTML. I wonder how many more vulns you can find by going through the source code of this appliance.”
Purviance said that he sent his findings to Cisco in March. Cisco had no comment for Infosecurity on the issue, but we reached out to Belkin, which took over Linksys last month.
“Linksys is aware of recently cited alleged vulnerabilities on our EA routers,” the company said in a statement. “However, last year (on June 26, 2012) new Linksys Smart Wi-Fi firmware was released to EA customers that would eliminate any such alleged vulnerabilities. If customers use methods of setup and configuration other than the methods recommended by Linksys, such as using Web browser setup (192.168.1.1), or if customers use older firmware, they could be at risk of potential attacks. Accordingly, all Linksys EA customers are strongly encouraged to upgrade to the new Smart Wi-Fi firmware.”
It added, “We have and will continue to urge our customers to use our recommended methods of setup and configuration, and to change their user names and passwords periodically.”