My second CVE, LinkSys- WRT ACS- CVE-2019-7579 (or as i call it…acceptance…no one considers security by design)
June 9, 2019
So for the second time ever I’ve submitted a CVE request for yet another security flaw within the Linksys WRT 1300 ACS router. Before I get into the technical details I will admit I’m a bit disappointed in Linksys…or Belkin…or whomever. My assumption was that my very expensive router would have security at the heart of its design, and to find a second flaw, notably one that would allow someone to break into my network and get free WiFi access, is a bit annoying. Anyway, onto the breakdown.
An unauthenticated user can join the guest WiFi network presented by the router and, if the guest password has not been changed, brute force past the captive portal login using one of a handful of default passwords combined with a 2-digit number.
The router seems to generally suffer from a series of issues related to unauthenticated access to its lighttpd web server. Specifically for this issue, a .js file can be reached without authentication, and it appears to contain the scheme by which default passwords are generated for the device’s guest network.
As quoted in my official CVE publication:
“An issue was discovered on Linksys WRT1900ACS 184.108.40.206766 devices. An ability exists for an unauthenticated user to browse a confidential ui/220.127.116.11766/dynamic/js/setup.js.localized file on the router’s webserver, allowing for an attacker to identify possible passwords that the system uses to set the default guest network password. An attacker can use this list of 30 words along with a random 2 digit number to brute force their access onto a router’s guest network.”
In short, the attack takes the above list of words and tries each word combined with a 2-digit number (00-99) until one yields a 200 OK response.
The implications of this flaw are mild. The Linksys router runs an embedded Linux distro combined with a software-based router (zebra) and a few other tricks to isolate the guest network on its own VLAN. This should provide some safety should a rogue hacker gain access to this network. The biggest concern is the unfettered use of your WiFi/Internet by someone you don’t know and didn’t authorize to use your network.
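Because the default scheme is only 30 words times 100 suffixes, a guessing run against the captive portal is short but noisy: many POSTs from one client in a few seconds, ending in a 200. The following is an added detection example, not code from the post or from Linksys; it parses constructed lighttpd access-log lines and flags clients whose portal-login failures cluster inside a short window. The portal path "/guest/login" is a placeholder, since the post does not name the real endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lighttpd access-log lines (Common Log Format). "/guest/login" is a
# placeholder for the captive-portal endpoint, which the post does not name.
SAMPLE_LOG = """\
10.0.0.7 - - [09/Jun/2019:10:00:01 +0000] "POST /guest/login HTTP/1.1" 403 0
10.0.0.7 - - [09/Jun/2019:10:00:02 +0000] "POST /guest/login HTTP/1.1" 403 0
10.0.0.7 - - [09/Jun/2019:10:00:02 +0000] "POST /guest/login HTTP/1.1" 403 0
10.0.0.7 - - [09/Jun/2019:10:00:03 +0000] "POST /guest/login HTTP/1.1" 403 0
10.0.0.7 - - [09/Jun/2019:10:00:04 +0000] "POST /guest/login HTTP/1.1" 403 0
10.0.0.7 - - [09/Jun/2019:10:00:05 +0000] "POST /guest/login HTTP/1.1" 200 512
10.0.0.9 - - [09/Jun/2019:10:00:40 +0000] "POST /guest/login HTTP/1.1" 403 0
10.0.0.9 - - [09/Jun/2019:10:01:10 +0000] "POST /guest/login HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PORTAL_PATH = "/guest/login"  # placeholder, see above
DEFAULT_KEYSPACE = 30 * 100   # 30 default words x 2-digit suffix, per the CVE text

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_portal_bruteforce(log_text, threshold=5, window_s=60):
    """Return {client_ip: (total_failures, got_200)} for clients with at least
    `threshold` failed portal POSTs inside any `window_s`-second window.
    A 200 from the same client means one of the guesses was accepted."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == PORTAL_PATH:
            attempts[rec[0]].append((rec[1], rec[4]))
    flagged = {}
    for ip, events in sorted(attempts.items()):
        fails = sorted(t for t, st in events if st != 200)
        success = any(st == 200 for _, st in events)
        # Sliding window: flag once `threshold` consecutive failures span <= window_s.
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s:
                flagged[ip] = (len(fails), success)
                break
    return flagged
```

Against the sample, only 10.0.0.7 is flagged (five failures in four seconds, then a 200); 10.0.0.9 looks like a user who mistyped once. A threshold well below DEFAULT_KEYSPACE is the point: a full sweep of the default scheme cannot stay under it.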
How Did I Find It?
By having too much time on my hands and scanning for accessible directories and files on the router prior to authentication (Burp, DirBuster, GoBuster).