Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)

20 oktober 2020

door Diego Gómez Marañon

Current Vendor: Belkin
Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/
Versions affected: Latest FW version - 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin)
Systems Affected: Linksys WRT160NL (maybe others)
Authors: Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com
CVE Identifier: CVE-2020-26561
Risk: 8.8 (High) – AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

The Linksys WRT160NL is a switch device initially owned by Cisco and, after the sale of its respective technology branch, by Belkin. In the latest version of the official firmware, the web server binary contained a buffer overflow vulnerability that could be remotely triggered by requesting an authenticated endpoint.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

The mini_httpd binary in the firmware version 1.0.04 build 2 of the Linksys WRT160NL uses the insecure function sprintf when a specific and authenticated POST request is sent.

The vulnerable function is called create_dir and its decompiled code can be checked below.

Decompiled function with Ghidra

The following request was used to trigger this functionality:

POST /apply.cgi;session_id=42ef7c31a24121c858d670e84d0350d9 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1197
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/apply.cgi;session_id=d55bad29cf2ca864be41836aa71a3e46
Upgrade-Insecure-Requests: 1

submit_button=Disk_Properties change_action=gozila_cgi submit_type=create_dir next_page=Share_Properties.asp create_name=AAAA...AAAA share_name=

Recommendation

Due to the fact that the product is no longer supported, the best option is to update its firmware with an open-source alternative like OpenWRT.

Vendor Communication

  • 23 Sep 2020 – NCC Group contacted Belkin to make them aware of the found vulnerability.
  • 27 Sep 2020 – A new case is created to look into the issue.
  • 05 Oct 2020 – Answer from Belkin explaining that the device is not actively supported.
  • 20 Oct 2020 – Advisory published.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date: 20/10/2020
Written by: Diego Gómez Marañón