
Cisco Linksys EA Series Vulnerability


9 replies to this topic

#1 computerchris
  • Active Members
  • Hak5 Zombie
  • 168 posts

Posted 03 July 2013 - 12:33 PM

I ran a port scan on my network over a VPN because I was curious to see what ports were open; one of the open ports was 8083. So I entered my IP:8083 into Firefox and the admin interface popped up without asking me for the password and did allow me to make changes to the router. I have remote management turned off. The router is an EA2700; we have also confirmed that the EA3500 is vulnerable too. The E2500 and E1000 don't appear to be vulnerable. This is a huge issue and I would have expected better out of Cisco, they make amazing enterprise stuff and then sell polished turds to consumers. If anyone else has access to one of the newer Cisco Linksys routers, please test this out; I would like to get a list going of vulnerable routers. The EA2700 was on FW 1.0.14.

Edit: I updated the firmware and the vulnerability has been patched in the new and ugly "Smart Wi-Fi" firmware.

Edit 2: You can still get to the login page on the new firmware on port 10080, however you cannot log in; even with the correct password it will tell you there was an error. Also, you can log in correctly if you have the right password on port 52000.

Edit 3: As it turns out, the latest version of the "Classic" or "Cisco Connect" firmware for all of the EA Series routers (EA2700, EA3500, EA4500 and the E4200v2) is vulnerable to this, and Linksys doesn't give a shit because the new and crappy "Smart Wifi" firmware is not affected by this. I upgraded my router to the "Smart Wifi" firmware and now my IRC sessions randomly drop. The DD-WRT port for the EA2700 is not done yet, and the EA3500 as well as the EA4500 and E4200v2 are based on Marvell chipsets. Also, AFAIK you have to manually upgrade to the "Smart Wifi" firmware; I had auto updating enabled and mine was never updated.

The last "Classic" firmware for each router is listed below:

EA4500:  2.0.37
EA3500:  1.0.30
EA2700:  1.0.14
E4200v2: 2.0.37


Edited by computerchris, 04 July 2013 - 10:29 AM.

http://computerchris.pw

IC3 Certified | BTC: 115QHv5kUS9GjqmFVm5PNEsRmLSKNeamYu

Studying for A+ | LTC: Leiyqrr8fRFvKyvRzvzH7ZarunVWk7ex7N
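A self-check for the exposure described in this post, as an added example that is not part of the thread and not Linksys code: it requests the root page on the management ports named above (8083 on the Classic firmware, 10080 and 52000 on Smart Wi-Fi, plus 80/443) and classifies each answer as an HTTP auth challenge, a login form, or a settings page served with no credential check at all. The port list and the login/settings keyword heuristics are constructed assumptions; run it against an address you own, from outside the LAN (for example over a VPN, as the poster did), so it sees what the Internet sees.

```python
"""Self-check for an unauthenticated router admin interface (added example)."""
import http.client
import re
import ssl
import sys

# Ports mentioned in the thread plus the usual web ports. Constructed list;
# extend it with whatever your own external nmap scan reports as open.
CANDIDATE_PORTS = (80, 443, 8083, 10080, 52000)

# Heuristics (assumptions): a password input means a login form is in the
# way; settings vocabulary on a 200 page with no password field means the
# admin UI is being served without any credential check.
LOGIN_HINTS = re.compile(r'type\s*=\s*["\']?password', re.I)
ADMIN_HINTS = re.compile(r'wireless|firmware|port\s*forwarding|dhcp|remote\s*management', re.I)


def classify(status, headers, body):
    """Classify one HTTP response from a management port.

    Returns 'auth-required' (HTTP auth challenge), 'login-page' (HTML form
    asking for a password), 'unauthenticated-admin' (settings page served
    without any credential check) or 'other'.
    """
    header_names = {name.lower() for name in headers}
    if status == 401 or "www-authenticate" in header_names:
        return "auth-required"
    if LOGIN_HINTS.search(body):
        return "login-page"
    if status == 200 and ADMIN_HINTS.search(body):
        return "unauthenticated-admin"
    return "other"


def fetch(host, port, timeout=5.0):
    """GET / on host:port. Returns (status, headers, body), or None if the
    port is closed, filtered or otherwise unreachable."""
    try:
        if port == 443:
            # Consumer routers ship self-signed certificates; we only want
            # the page content here, not a trust decision.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/", headers={"User-Agent": "router-selfcheck"})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        result = (resp.status, dict(resp.getheaders()), body)
        conn.close()
        return result
    except (OSError, http.client.HTTPException):
        return None


def check_router(host, ports=CANDIDATE_PORTS, timeout=5.0):
    """Probe every candidate port; returns {port: classification or 'closed'}."""
    results = {}
    for port in ports:
        resp = fetch(host, port, timeout)
        results[port] = "closed" if resp is None else classify(*resp)
    return results


def exposed_ports(results):
    """Ports on which the admin UI answered without asking for credentials."""
    return sorted(p for p, verdict in results.items() if verdict == "unauthenticated-admin")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: router_selfcheck.py <your-public-ip-or-hostname>")
    findings = check_router(sys.argv[1])
    for port, verdict in sorted(findings.items()):
        print(f"{port:>6}  {verdict}")
    bad = exposed_ports(findings)
    print("ALERT: admin UI open without a password on port(s):", bad if bad else "none")
```

A port reported as `login-page` matches the behaviour computerchris saw on the Smart Wi-Fi firmware (a form is shown, credentials are still enforced); `unauthenticated-admin` is the Classic-firmware behaviour that started the thread. Any port that answers at all while remote management is switched off is worth a firmware update or a firewall rule in front of the router, whatever the verdict.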


#2 newbi3
  • Active Members
  • Hak5 Ninja
  • 784 posts

Posted 03 July 2013 - 01:11 PM

I was literally just about to post this same thing! I did a port scan last night around 3 am and was completely shocked! I thought it was just me having a bad configuration on my router, so I reset it and made sure that remote management was off, and it was still there! To fix it I just forwarded ports 80 and 443 to non-existent hosts on my network. I have an E1200, so add that to your list!


Check out my Pineapple Infusions

Black_Out - Turn on and off the LEDs on your pineapple

NbtScan - A GUI front end web interface for NBT Scanner

Evil_Portal - A GUI front end for Nodogsplash Captive Portal

Data Locker - Encrypt data on your pineapple with AES-128/256

BobTheBuilder - Tools to make and manage web pages on the pineapple

SMSer - Control your pineapple with a text message (Temporarily Gone)

Want to help out an infusion developer??

Help me develop this infusion!

For more of my projects

Personal Website - innoc-sec.net

youtube channel (Don't forget to subscribe:D)

keybase.io/newbi3

tweet @FrozenJava


#3 computerchris
  • Active Members
  • Hak5 Zombie
  • 168 posts

Posted 03 July 2013 - 01:27 PM

Yeah, for some reason if you don't forward port 80 to anything it will also pop up the GUI, but the difference is it asks you to log in.




#4 newbi3
  • Active Members
  • Hak5 Ninja
  • 784 posts

Posted 03 July 2013 - 02:25 PM

Of course, but if that happens no matter how you configure remote management, and no one changes the default passwords, that is still pretty vulnerable.




#5 digip
  • Active Members
  • -we're all just neophytes-
  • 8,024 posts

Posted 03 July 2013 - 03:12 PM

Internal scan results are different from those of an external scan using tools like nmap. Use a VPN or proxy and scan from an external machine to your home IP. You'll be surprised at the difference in what says it's open and what is not; they shouldn't give the same results either.

NAT and the router itself should, by default, reject everything unless remote administration is truly enabled or you port forward a service, in which case it will return the forwarded port. Be sure to use --open and --reason in your nmap scans too.

@xxdigipxx http://www.attack-scanner.com/ | I'm the resident dick around here, or so I am told. Don't take it personally, I just give a shit too much sometimes. Respect to all, it's the Internet, don't take it to heart.
"Staying quiet doesn't mean I have nothing to say, it means I don't think you're ready to hear my thoughts..."

#6 computerchris
  • Active Members
  • Hak5 Zombie
  • 168 posts

Posted 03 July 2013 - 05:14 PM

> Internal scan results are different from those of an external scan using tools like nmap. Use a VPN or proxy and scan from an external machine to your home IP. You'll be surprised at the difference in what says it's open and what is not; they shouldn't give the same results either.
>
> NAT and the router itself should, by default, reject everything unless remote administration is truly enabled or you port forward a service, in which case it will return the forwarded port. Be sure to use --open and --reason in your nmap scans too.

All of the scans were done from the outside via a VPN.




#7 digip
  • Active Members
  • -we're all just neophytes-
  • 8,024 posts

Posted 04 July 2013 - 12:57 PM

> All of the scans were done from the outside via a VPN.

Then THAT is def an issue you need to lock down. Did your original post say it was from outside the network though? Maybe I missed that on first reading. See original post edited.

#8 computerchris
  • Active Members
  • Hak5 Zombie
  • 168 posts

Posted 04 July 2013 - 09:25 PM

> Then THAT is def an issue you need to lock down. Did your original post say it was from outside the network though? Maybe I missed that on first reading. See original post edited.

I think you missed it on your first read, but you can just go on shodanhq.com and type in "Linksys EA" and find probably tens of thousands of vulnerable routers and exploit them if you please. Not that I condone doing that.


Edited by computerchris, 04 July 2013 - 09:28 PM.



#9 Infiltrator
  • Active Members
  • Gray-Hat Specialist
  • 4,392 posts

Posted 08 July 2013 - 01:24 AM

This is an interesting thread; the other day I ran Nmap against my Asus router and found about 4 different ports open.

This was an internal scan, so all good. I am going to do an external scan, to see what interesting results I might get.


Regards,
Infiltrator



Currently studying for my CCE.

#10 barry99705
  • Active Members
  • Hak5 Junkie
  • 2,094 posts

Posted 09 July 2013 - 07:02 AM

Speaking of access points that make you go WTF!! The EnGenius EAP9550 has SSH enabled with the following default user:pass combinations: Administrator:admin, admin:admin, login:admin, and manager:admin. SSH isn't a configurable option, and these are burned-in accounts.


Encryption is the chicken soup of security,
feel free to apply it if it makes you feel better because it's not going to make things any worse,
but it may not make things any better either.
---Peter Gutmann