no one is safe ...

Linksys

New #Metasploit modules for attacking embedded devices are available

During the last few weeks a lot of new stuff in breaking embedded devices has arrived. There are some quite interesting vulnerabilities, exploits and some new payloads available.

Linksys WRT120N

First of all Craig Heffner has analyzed the Linksys WRT120N router and he has created a lot of detailed information about this work on his blog. The series of blogposts start with some details about breaking the hardware. Second he shows how it is possible to extract the firmware from the device. Finally Craig has found an interesting buffer overflow vulnerability and he has created a nice and shiny exploit for it. This exploit is able to reset the password for the web-interface of the router. So I thought this would be a quite nice Metasploit Auxiliary module.

The following code is the interesting part of the module – the full code is available on Github.

Within the main function (run) it starts with a first test of the login with the username admin and no password. If this test is successful there is no further need for this module and it is finished:

Linksys X3000 - Multiple Vulnerabilities

Device: X3000
Vendor: Linksys

============ Vulnerable Firmware Releases: ============

Firmware Version: v1.0.03 build 001 Jun 11,2012

============ Vulnerability Overview: ============

OS Command Injection

The vulnerability is caused by missing input validation and can be exploited to inject and execute arbitrary shell commands.

You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

* OS Command Injection - Vector 1 (1):
=> Parameter: ping_ip

Multiple Vulnerabilities in Linksys WRT160Nv2

Device Name: Linksys WRT160Nv2
Vendor: Linksys/Cisco

============ Device Description: ============

Best For: Delivers plenty of speed and coverage, so large groups of users can go online, transfer large files, print, and stream stored media

Features:
* Fast Wireless-N connectivity frees you to do more around your home
* Easy to set up and use, industrial-strength security protection
* Great for larger homes with many users

Source: http://homestore.cisco.com/en-us/routers/Linksys-WRT160N-Wireless-N-Rout...

============ Vulnerable Firmware Releases: ============

Firmware Version: v2.0.03 build 009

Multiple Vulnerabilities in Linksys WAG200G

Device Name: Linksys WAG200G
Vendor: Linksys/Cisco

============ Device Description: ============

The WAG200G is a Linksys Wireless-G ADSL Home Gateway which has a high-speed ADSL2+ modem that gives you a fast connection to the Internet.

Source: http://homesupport.cisco.com/en-us/support/gateways/WAG200G

============ Vulnerable Firmware Releases ============

Firmware-Version: v1.01.06

============ Shodan Torks ============

Shodan Search: WAG200GB

============ Vulnerability Overview: ============

Multiple Vulnerabilities in Linksys E1500/E2500

Device Name: Linksys E1500 / E2500
Vendor: Linksys

============ Device Description: ============

The Linksys E1500 is a Wireless-N Router with SpeedBoost. It lets you access the Internet via a wireless connection or through one of its four switched ports. You can also use the Linksys E1500 to share resources, such as computers, printers and files.

The installation and use of the Linksys E1500 is easy with Cisco Connect, the software that is installed when you run the Setup CD. Likewise, advanced configuration of the Linksys E1500 is available through its web-based setup page.

Source: http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=...

============ Vulnerable Firmware Releases - e1500: ============

Firmware-Version: v1.0.00 - build 9 Feb. 17, 2011
Firmware-Version: v1.0.04 - build 2 Mär. 8, 2012
Firmware-Version: v1.0.05 - build 1 Aug. 23, 2012