## Key Information Summary

### Vulnerability Overview

- **Vendor**: Linksys
- **Affected Products**: RE6500, RE6300, RE3500, RE7000, RE9000, etc.
- **Versions**: RE6500 (1.0.1.3001), RE6300 (2.0.4.001), RE3500 (2.07.001), RE3500 (2.04.001), RE7000 (1.1.36.003), RE9000 (2.04.002)
- **Vulnerability Type**: Remote Code Execution (RCE)
- **Author**: Jianan Peng
- **Organization**: Institute of Information Engineering, Chinese Academy of Sciences

### Vulnerability Description

- A command injection vulnerability was discovered in the firmware of Linksys range extenders, allowing attackers to remotely execute arbitrary OS commands via carefully crafted requests.
- The vulnerability resides in the `um_form.awk` and `um_wan.sh` scripts: the request parameter value is passed through to a shell without validation, so shell metacharacters in the value are interpreted as commands.

### Key Code Snippets

#### `um_form.awk`

```awk
# The request value ($2) is embedded into the command string without any validation.
if ($1 == "wan_staticip") {
    cmd = sub_cmd("staticip", $2);
    call_um_red_file(cmd);
}
```

#### `um_red`

```bash
um_red -d 0 -i 3 1
```

#### `um_wan.sh`

```bash
# $wan_staticip comes straight from the request; it is neither validated nor quoted,
# so command substitutions in the value are expanded when this line runs.
if [ "$wan_staticip" ]; then
    echo "Set Static IP..."
    ifconfig eth0 $wan_staticip netmask $wan_netmask up
fi
```

### PoC

- Exploitation Method: Send a request to `http://192.168.2.2/basewx/wanctrl?cmd=wan_staticip&value=$(whoami)`, causing the router to execute the `whoami` command.

### Result

- Successfully obtained a shell, demonstrating the feasibility of remote code execution.
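The root cause above is that a request parameter reaches `ifconfig` with no validation. The following is an added example (not Linksys firmware code; the function names `validate_ipv4` and `set_static_ip` and the sample inputs are constructed for illustration) showing how the `um_wan.sh` handler could be hardened: the value is checked against a strict dotted-quad grammar before it is ever placed on a command line, and the command itself is printed rather than executed so the script runs safely anywhere.

```shell
#!/bin/sh
# Added example: validate a request-supplied address before it reaches a shell command.
# Hypothetical helper names; not part of the vendor firmware.

# validate_ipv4 ADDR
# Returns 0 if ADDR is a dotted-quad IPv4 address (four octets, each 0-255, no
# leading zeros), 1 otherwise. The character-class check alone rejects every
# shell metacharacter ($, `, ;, |, &, spaces), which is what blocks injection.
validate_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;   # empty, or anything other than digits and dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                     # split into octets on "."
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1      # exactly four fields ("1.2.3" and "1.2.3." fail)
    for octet in "$@"; do
        [ -n "$octet" ] || return 1            # empty field, e.g. "1..2.3"
        [ ${#octet} -le 3 ] || return 1        # keep the numeric compare in range
        case "$octet" in 0[0-9]*) return 1 ;; esac   # reject "08"-style octets
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# set_static_ip ADDR NETMASK
# Hardened counterpart of the vulnerable ifconfig line: both values must pass
# validation, and they are quoted when placed on the command line. The command
# is echoed instead of run so the example has no side effects.
set_static_ip() {
    ip=$1
    mask=$2
    if ! validate_ipv4 "$ip" || ! validate_ipv4 "$mask"; then
        echo "rejected: invalid address or netmask" >&2
        return 1
    fi
    echo ifconfig eth0 "$ip" netmask "$mask" up
}

# Constructed sample inputs: one benign value and several that a WAN-settings
# endpoint should never accept.
for sample in '192.168.2.10' '$(whoami)' '192.168.2.10;id' '1.2.3' '999.1.1.1'; do
    if validate_ipv4 "$sample"; then
        echo "accept: $sample"
    else
        echo "reject: $sample"
    fi
done
```

Only the first sample is accepted; the others are refused before any process is spawned, which is the property the original handler lacks.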