Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)
Current Vendor: Belkin
Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/
Versions affected: Latest FW version - 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin)
Systems Affected: Linksys WRT160NL (maybe others)
Authors: Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com
CVE Identifier: CVE-2020-26561
Risk: 8.8 (High) – AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The Linksys WRT160NL is a switch device originally sold by Cisco and, after the sale of that business unit, by Belkin. In the latest version of the official firmware, the web server binary contains a buffer overflow vulnerability that can be triggered remotely by a request to an authenticated endpoint.
Successful exploitation of this vulnerability can lead to remote code execution on the affected device.
The mini_httpd binary in firmware version 1.0.04 build 2 of the Linksys WRT160NL uses the insecure function sprintf when handling a specific, authenticated POST request.
The vulnerable function is called create_dir and its decompiled code can be checked below.
The following request was used to trigger this functionality:
POST /apply.cgi;session_id=42ef7c31a24121c858d670e84d0350d9 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1197
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/apply.cgi;session_id=d55bad29cf2ca864be41836aa71a3e46
Upgrade-Insecure-Requests: 1

submit_button=Disk_Properties&change_action=gozila_cgi&submit_type=create_dir&next_page=Share_Properties.asp&create_name=AAAA...AAAA&share_name=
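The following C is an added illustration, not the firmware's decompiled create_dir and not NCC Group's code. It shows the defect class the advisory describes (sprintf formatting an attacker-controlled form field into a fixed-size buffer) next to a bounded handler that validates the create_name length before formatting, plus a small form-body field extractor used to pull create_name out of a body shaped like the request above. The buffer sizes, the /tmp/usbshare prefix, the function names and the request body are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed sizes for the illustration; the real firmware's limits are not
 * known from the advisory. */
#define PATH_MAX_LEN 64
#define NAME_MAX_LEN 32   /* assumed maximum length of a directory name */

/* Unsafe pattern (hypothetical, not the decompiled function): sprintf has no
 * bound on the formatted length, so a create_name longer than the remaining
 * space in 'path' overruns the buffer. Only ever called with short input here. */
void build_path_unsafe(char *path, const char *create_name)
{
    sprintf(path, "/tmp/usbshare/%s", create_name);
}

/* Hardened pattern: refuse over-long names and path separators, format with an
 * explicit bound, and treat truncation as an error instead of silently cutting. */
bool build_path_safe(char *path, size_t path_len, const char *create_name)
{
    size_t n = strlen(create_name);
    if (n == 0 || n > NAME_MAX_LEN)
        return false;                      /* too long: reject, do not truncate */
    if (strchr(create_name, '/') || strstr(create_name, ".."))
        return false;                      /* keep the new directory under the share root */
    int written = snprintf(path, path_len, "/tmp/usbshare/%s", create_name);
    if (written < 0 || (size_t)written >= path_len)
        return false;                      /* would not fit even after the length check */
    return true;
}

/* Extract one field from an application/x-www-form-urlencoded body. No
 * percent-decoding; enough to read create_name. Returns the value length. */
size_t form_field(const char *body, const char *key, char *out, size_t out_len)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= out_len) vlen = out_len - 1;   /* bounded copy */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return vlen;
        }
        p = strchr(p, '&');            /* advance to the next field */
        if (p) p++;
    }
    out[0] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed body in the shape of the advisory's request, with a
     * 400-byte create_name standing in for the elided AAAA...AAAA. */
    char body[600] = "submit_button=Disk_Properties&change_action=gozila_cgi"
                     "&submit_type=create_dir&next_page=Share_Properties.asp&create_name=";
    size_t off = strlen(body);
    memset(body + off, 'A', 400);
    strcpy(body + off + 400, "&share_name=");

    char name[512], path[PATH_MAX_LEN];
    size_t n = form_field(body, "create_name", name, sizeof name);
    printf("create_name length: %zu\n", n);
    printf("hardened handler accepted it: %s\n",
           build_path_safe(path, sizeof path, name) ? "yes" : "no");
    return 0;
}
```

The point of the contrast is that the bounded version makes the length limit an explicit, testable policy: an over-long create_name is rejected before any formatting happens, and snprintf's return value is still checked so a future change to the prefix cannot reintroduce silent truncation.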
Because the vendor no longer supports the product, no fix is expected; the best option is to replace its firmware with an open-source alternative such as OpenWRT.
- 23 Sep 2020 – NCC Group contacted Belkin to make them aware of the found vulnerability.
- 27 Sep 2020 – A new case is created to look into the issue.
- 05 Oct 2020 – Answer from Belkin explaining that the device is not actively supported.
- 20 Oct 2020 – Advisory published.
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 20/10/2020
Written by: Diego Gómez Marañón