SourceSecurity expert Michael Messner has posted details of vulnerabilities in a number of different routers on his blog. Routers from Linksys, Netgear and repeat offender D-Link are affected. Some of the vulnerabilities can be exploited to inject commands remotely.
Messner has discovered
multiple security problems in the firmware used in Linksys E1500 and E2500 routers. Arbitrary Linux commands can be executed on these routers using the URL parameter ping_size. Although this requires authentication for the web interface, this can be obtained via a browser session in another tab or if the user has failed to modify the default password.
The web interface does not need to be externally accessible. An attacker could lure his victim to a crafted web site pointing to the router interface on the local network (cross site request forgery, CSRF). Messner has verified the vulnerabilities in the current version, 1.0.05, of the E1500 firmware and has demonstrated injection of commands in version 1.0.03 of the E2500 firmware. He reports that he informed Linksys of the vulnerabilities in October, but that the vulnerabilities have still not been fixed.
Messner was able to use a similar technique involving the ping_ipaddr parameter to inject commands on D-Link's DIR-615 router. Messner discovered this and
other vulnerabilities in version 8.04 of the firmware, dated 15 January 2013. Here too, he informed the manufacturer, but, as with the vulnerabilities in the DIR-300 and DIR-600, it was not interested in fixing them, as it deemed them to be vulnerabilities in the browser.
Messner was also
able to inject commands via the web interface on the Linksys WRT54GL. In this case, the manufacturer did, three months after being informed of the vulnerability, release a firmware update (version 4.30.16, build 2) which fixed some of the vulnerabilities.
Messner also cast a critical eye over Netgear routers and, among other exploits,
was able to execute commands via the UPnP configuration page on the DGN1000B. Affected firmware versions include the current version, for Germany, 1.1.00.45; it is likely that the worldwide and other versions of the firmware are also vulnerable, but they are as yet, untested. Messner informed Netgear of his discovery back in October. He also discovered
vulnerabilities in the SPH200D, which can be exploited to read critical system files via the web interface. Messner contacted Netgear on 7 August 2012. It took the manufacturer just a day to declare the case closed – without having fixed the vulnerability.