
Cisco Linksys EA Series Vulnerability


10 replies to this topic

#1 computerchris

Posted 03 July 2013 - 12:33 PM

I ran a port scan on my network over a VPN because I was curious to see what ports were open; one of the open ports was 8083. So I entered my IP:8083 into Firefox and the admin interface popped up without asking me for the password and did allow me to make changes to the router. I have remote management turned off. The router is an EA2700; we have also confirmed that the EA3500 is vulnerable too. The E2500 and E1000 don't appear to be vulnerable. This is a huge issue and I would have expected better out of Cisco; they make amazing enterprise stuff and then sell polished turds to consumers. If anyone else has access to one of the newer Cisco Linksys routers, please test this out; I would like to get a list going of vulnerable routers. The EA2700 was on FW 1.0.14.

Edit: I updated the firmware and the vulnerability has been patched in the new and ugly "Smart Wi-Fi" firmware.

Edit 2: You can still get to the login page on the new firmware on port 10080; however, you cannot log in. Even with the correct password it will tell you there was an error. Also, you can log in correctly if you have the right password on port 52000.

Edit 3: As it turns out, the latest version of the "Classic" or "Cisco Connect" firmware for all of the EA Series routers (EA2700, EA3500, EA4500 and the E4200v2) is vulnerable to this, and Linksys doesn't give a shit because the new and crappy "Smart Wifi" firmware is not affected by this. I upgraded my router to the "Smart Wifi" firmware and now my IRC sessions randomly drop. The DD-WRT port for the EA2700 is not done yet, and the EA3500 as well as the EA4500 and E4200v2 are based on Marvell chipsets. Also, AFAIK you have to manually upgrade to the "Smart Wifi" firmware; I had auto-updating enabled and mine was never updated.

The last "Classic" firmware for each router is listed below:

EA4500:   2.0.37
EA3500:   1.0.30
EA2700:   1.0.14
E4200v2:  2.0.37


Edited by computerchris, 04 July 2013 - 10:29 AM.

http://computerchris.pw

IC3 Certified                  BTC: 115QHv5kUS9GjqmFVm5PNEsRmLSKNeamYu

Studying for A+             LTC: Leiyqrr8fRFvKyvRzvzH7ZarunVWk7ex7N


#2 newbi3


Posted 03 July 2013 - 01:11 PM

I was literally just about to post this same thing! I did a port scan last night around 3 am and was completely shocked! I thought it was just me having a bad configuration on my router, so I reset it and made sure that remote management was off, and it was still there! To fix it I just forwarded ports 80 and 443 to non-existent hosts on my network. I have an E1200, so add that to your list!


Check out my Pineapple Infusions

SMSer - Control your pineapple with a text message

Black_Out - Turn on and off the LEDs on your pineapple

Evil_Portal - A UI front end for Nodogsplash Captive Portal

Data Locker - Encrypt data on your pineapple with AES-128/256

 

For more of my projects

Personal Website - innoc-sec.net

youtube channel (Don't forget to subscribe:D)


#3 computerchris


Posted 03 July 2013 - 01:27 PM

Yeah, for some reason if you don't forward port 80 to anything it will also pop up the GUI, but the difference is it asks you to log in.




#4 newbi3


Posted 03 July 2013 - 02:25 PM

Of course, but if that happens no matter how you configure remote management, and no one changes the default passwords, that is still pretty vulnerable.




#5 digip


Posted 03 July 2013 - 03:12 PM

Internal scans give different results from an external scan using tools like nmap. Use a VPN or proxy and scan from an external machine to your home IP. You'd be surprised at the difference in what says it's open and what is not, and they shouldn't give the same results either.

NAT and the router itself should, by default, reject everything unless remote administration is truly enabled or you port forward a service; in that case it will return the forwarded port. Be sure to use --open and --reason in your nmap scans too.
@xxdigipxx http://www.attack-scanner.com/ | I'm the resident dick around here, or so I am told. Don't take it personally, I just give a shit too much sometimes. respect to all, its the Internet, don't take it to heart.
"Staying quiet doesn't mean I have nothing to say, it means I don't think you're ready to hear my thoughts..."
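The internal-versus-external comparison digip describes, as an added example that is not code posted by anyone in this thread: it parses the port table of nmap's normal output (the shape produced with --open --reason) for a scan from inside the LAN and a scan of the WAN address from a VPN exit, then reports what answers from outside without being on your list of deliberately forwarded ports. Both scan outputs are constructed samples, and the port numbers and service names follow the thread.

```python
"""Compare an internal and an external nmap scan of the same router.

Added example for this thread, not code posted by anyone in it. The two
scan outputs below are constructed samples, not captured results.
"""
import re

# Constructed sample: scan from a LAN host against the router's LAN address.
INTERNAL_SCAN = """\
PORT     STATE SERVICE REASON
53/tcp   open  domain  syn-ack ttl 64
80/tcp   open  http    syn-ack ttl 64
443/tcp  open  https   syn-ack ttl 64
8083/tcp open  us-srv  syn-ack ttl 64
"""

# Constructed sample: scan of the router's WAN address from a VPN exit node.
EXTERNAL_SCAN = """\
PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack ttl 52
8083/tcp open  us-srv  syn-ack ttl 52
"""

# One port line of nmap normal output: "8083/tcp open us-srv syn-ack ttl 52"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_ports(nmap_output):
    """Return {port: (state, service, reason)} for each port line found."""
    ports = {}
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4), m.group(5))
    return ports


def unexpected_exposure(external_output, internal_output, allowed_ports=()):
    """Ports open from outside that are not on the forwarded allow-list.

    With remote management off the allow-list is empty, so every hit is a
    LAN-only service (here the admin GUI on 8083) answering on the WAN side.
    The last tuple element records whether the LAN scan saw the port too.
    """
    external = parse_ports(external_output)
    internal = parse_ports(internal_output)
    return {port: external[port] + (port in internal,)
            for port in sorted(external)
            if external[port][0] == "open" and port not in allowed_ports}
```

Passing the ports you knowingly forwarded as allowed_ports leaves only the exposure you did not ask for, which is the case the thread is about.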

#6 computerchris


Posted 03 July 2013 - 05:14 PM

> Internal scans are different from results by an external scan using tools like nmap. Use a VPN or Proxy and scan from an external machine to your home IP. Be surprised the difference in what says its open and what is not, and they shouldn't give the same results either.
>
> NAT and the router itself should, by default, reject everything unless remote administration is truly enabled or you port forward a service, it will return the port forwarded. Be sure to use --open and --reason in your nmap scans too.

All of the scans were done from the outside via a VPN.




#7 digip


Posted 04 July 2013 - 12:57 PM

> All of the Scans were done from the outside via a vpn.

Then THAT is def an issue you need to lock down. Did your original post say it was from outside the network though? Maybe I missed that first reading. See original post edited.

#8 computerchris


Posted 04 July 2013 - 09:25 PM

> Then THAT is def an issue you need to lock down. Did your original post say it was from outside the network though? Maybe I missed that first reading. See original post edited.

I think you missed it on your first read, but you can just go on shodanhq.com and type in "Linksys EA" and find probably tens of thousands of vulnerable routers, and exploit them if you please. Not that I condone doing that.


Edited by computerchris, 04 July 2013 - 09:28 PM.



#9 Infiltrator


Posted 08 July 2013 - 01:24 AM

This is an interesting thread. The other day I ran Nmap against my Asus router and found about 4 different ports open.

This was an internal scan, so all good. I am going to do an external scan, to see what interesting results I might get.


Regards,
Infiltrator



Currently studying for my CCE.

#10 barry99705


Posted 09 July 2013 - 07:02 AM

Speaking of access points that make you go WTF!! The EnGenius EAP9550 has SSH enabled with the following default user:pass combinations: Administrator:admin, admin:admin, login:admin, and manager:admin. SSH isn't a configurable option, and these are burned-in accounts.


The Pineapple Wiki

http://wiki.wifipineapple.com



#11 computerchris


Posted 09 July 2013 - 02:00 PM

Yeah, it looks like I am just going to spend the money on a standalone Aironet. You can buy one $100 shit box every 2 years or buy a $350 Aironet that will work for 10 years.

