DSL router remotely controlled by URL
Michal Sajdak revealed at CONFidence 2009 in Krakow in mid-May that it's relatively easy to make the Linksys WAG54G2 WLAN DSL router execute arbitrary shell commands. He has now published further details.
Sajdak discovered that it's easy to add a shell command to a POST request and have the router execute it. To test this, all you need is a proxy that can modify the POST request before it's sent. Sajdak says he told the manufacturer, Cisco, about the error in March and his message was acknowledged, but he has received no report of a fix as yet.
It's possible that other Linksys devices are also affected, because manufacturers try not to reinvent the wheel for each new model, but rely as far as possible on reusable firmware. Vulnerabilities were found some time ago in the WRT54GL router, which also enabled cross-site request forgery (CSRF) attacks.
A crumb of comfort for the vulnerable: if they have at least changed the default password, then they have to be logged on for the trick to work. The only other hurdle is that such attacks are normally made using HTTP GET and are concealed, for example, in an IMG SRC tag. A POST request normally requires a click from the user, as Sadjak's example shows, but that too can be automated with JavaScript, allowing for an exploit with no user interaction.
(djwm)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
