Remote Linksys 0-Day Root Exploit Uncovered

Orome1 writes "DefenseCode researchers have uncovered a remote root access vulnerability in the default installation of Linksys routers. They contacted Cisco and shared a detailed vulnerability description along with the PoC exploit for the vulnerability. Cisco claimed that the vulnerability was already fixed in the latest firmware release, which turned out to be incorrect. The latest Linksys firmware (4.30.14) and all previous versions are still vulnerable."

WRT54GL

[markdavis]

Yes, you would think the summary would at LEAST say *WHICH* router it affects, since Linksys has lots of different models. It is the WRT54GL.

I *love* that router and have probably 30 of them. Low power draw, real antenna, wall mountable, etc. My recommendation- install Toastman Tomato on it. They never crash, freeze, freak out, not work with certain devices, etc. Rock solid stuff.

Strangely, the WRT54GL is STILL BEING SOLD!

Re:WRT54GL

[YodasEvilTwin]

Wait, are we pronouncing the hyphens or not?

Re:WRT54GL

[VValdo]

I agree it's bad form not to put the router models in the summary. But from the press release...

Exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected.

(emphasis mine)

Incidentally, re: the GL model of the Linksys-- the "L" I'm pretty sure stands for Linux, and was the model that was in response to everyone reinstalling dd-wrt and other firmware...

Re:WRT54GL

[clarkn0va]

The WRT54GL is the minority of all routers.

For those who don't know, the L in WRT54GL stands for Linux. This routers was differentiated from the contemporary revision WRT54G only in that it ran the Linux-based firmware. While subsequent revisions of the WRT54G featured less and less capable hardware, the WRT54GL maintained its original configuration of flash and RAM, allowing it to run third party firmwares such as dd-wrt, openwrt, and Tomato.

To the average consumer, the WRT54GL looked exactly like the significantly less expensive WRT54G and its prolific variants, but to the power user and professional, it held much greater potential and warranted the higher price tag. These pros and power users generally have no use for stock firmwares, and are only interested in the open nature of the hardware platform, and are therefore willing to pay the premium (although personally I preferred the more capable and less expensive ASUS WL-520gu. I guess legend status has its privileges).

So yes, it is shocking to those who are familiar with the platform to learn that any significant portion of WRT54GL is running stock firmware in the wild.

I'm fine.

[drunkennewfiemidget]

I'm pretty sure my Linksys router doesn't have that vulnerabil -- HA JUST KIDDING, WHO WANTS MY CREDIT CARD NUMBER?

Zero day?

[arth1]

What's zero-day about this exploit?
It was found during testing, and there are no exploits in the wild.

As such it fails BOTH tests for being a zero day exploit:
- The company must not know the details of the exploit
- It must be in the wild

Stop using the phrase "zero day" about just any exploitable bug. Call them security vulnerabilities, which is what they are.

DHS Needs to Make Announcement

[loxfinger]

The Department of Homeland Security needs to tell everyone to uninstall their Linksys routers until this is fixed, a la Java.

Public Service Announcement

[Raystonn]

Unless you have remote administration enabled, this exploit is only achievable from a system within the local network. This attack is not an internet threat.