A serious flaw in a Belkin router can be exploited by an unauthenticated attacker connected to the device's guest network to gain full control over affected devices. Belkin has already issued a firmware update that fixes the vulnerability, but only a small share of users ever install router firmware updates.
The flaw, tracked as CVE-2014-1635, affects the guest network web interface of the Belkin N750 DB Wi-Fi Dual-Band N+ Gigabit Router running firmware version F9K1103_WW_1.10.16m.
According to Marco Vaz of Integrity Labs, the flaw is a simple buffer overflow. This router model ships with the guest network enabled by default, and the guest network web interface does not require authentication, so anyone who joins the guest Wi-Fi can reach the vulnerable code.
To solve the problem, Belkin urges users to upgrade their firmware to the newer version F9K1103_WW_1.10.17m.
Marco Vaz explained in a blog post that the vulnerability was found by fuzzing the guest interface: the POST parameter "jump" is affected by a buffer overflow, and a sufficiently long value crashes the web server process.
“Fuzzing plays an important role in vulnerability discovery and this time was not different. After some fuzzed requests I noticed that the POST parameter “jump” suffered from a classic buffer overflow with a payload containing 5000 bytes. After the referred buffer overflow the process died.”
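The classic overflow that the fuzzing run turned up, as an added C illustration that is neither Belkin's code (the N750 httpd source is not public) nor Vaz's: a minimal URL-encoded body parser, a handler that copies the "jump" value into a fixed stack buffer the way an overflowed handler typically does, and a bounds-checked replacement. The parameter name "jump" and the 5000-byte payload length come from the article; the 256-byte buffer, the function names, the request body layout and the page-name character allowlist are assumptions made for this example.

```c
/* Added example: a vulnerable POST-parameter handler beside a hardened one.
 * Not Belkin's code. Buffer size, function names and the allowlist are
 * assumptions; "jump" and the 5000-byte payload come from the article. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define JUMP_BUF 256   /* assumed size of the handler's on-stack buffer */

/* Locate form field `name` in a URL-encoded body ("a=1&jump=x&b=2").
 * Stores the value's start and length (no copy, no percent-decoding)
 * and returns 1; returns 0 if the field is absent. */
static int form_find(const char *body, const char *name,
                     const char **val, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        size_t klen = eq ? (size_t)(eq - p) : plen;
        if (klen == nlen && memcmp(p, name, nlen) == 0) {
            *val = eq ? eq + 1 : p + plen;
            *vlen = eq ? plen - klen - 1 : 0;
            return 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* The vulnerable pattern: the attacker-controlled value is copied into a
 * fixed stack buffer with no length check. Any value longer than JUMP_BUF
 * smashes the stack; a 5000-byte value kills the process, as the fuzzer
 * observed. Returns the copied length, or -1 if "jump" is absent. Never
 * call this with an oversized value: that is undefined behaviour. */
static int handle_jump_unsafe(const char *body)
{
    char target[JUMP_BUF];
    const char *val;
    size_t vlen;
    if (!form_find(body, "jump", &val, &vlen)) return -1;
    memcpy(target, val, vlen);          /* vlen is unbounded: overflow */
    target[vlen] = '\0';
    return (int)strlen(target);
}

/* Hardened form: reject anything that does not fit, and (assumption: "jump"
 * names a page to redirect to) anything outside a page-name allowlist.
 * Returns 0 on success, -1 if absent, -2 if too long, -3 if bad characters. */
static int handle_jump_safe(const char *body, char *out, size_t outsz)
{
    const char *val;
    size_t vlen;
    if (!form_find(body, "jump", &val, &vlen)) return -1;
    if (vlen >= outsz) return -2;       /* leave room for the terminator */
    for (size_t i = 0; i < vlen; i++) {
        unsigned char c = (unsigned char)val[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return -3;
    }
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Build the kind of body the fuzzer sent: "jump=" followed by n filler
 * bytes (constructed input). Caller frees. */
static char *make_fuzz_body(size_t n)
{
    const char prefix[] = "jump=";
    char *b = malloc(sizeof prefix + n);   /* sizeof prefix counts the NUL */
    if (!b) return NULL;
    memcpy(b, prefix, sizeof prefix - 1);
    memset(b + sizeof prefix - 1, 'A', n);
    b[sizeof prefix - 1 + n] = '\0';
    return b;
}

/* Status of the hardened handler for an n-byte "jump" value. */
static int safe_status_for_len(size_t n)
{
    char page[JUMP_BUF];
    char *b = make_fuzz_body(n);
    int rc = b ? handle_jump_safe(b, page, sizeof page) : -4;
    free(b);
    return rc;
}

int main(void)
{
    char page[JUMP_BUF];
    printf("benign : %d\n", handle_jump_safe("action=login&jump=index.html", page, sizeof page));
    printf("5000 B : %d\n", safe_status_for_len(5000));
    /* handle_jump_unsafe(make_fuzz_body(5000)) would write ~4.7 KB past
     * `target` and crash, which is the behaviour the fuzzer observed. */
    return 0;
}
```

The unsafe handler is included only to show the pattern; the hardened one refuses the fuzzer's 5000-byte value and, at the boundary, accepts 255 bytes and rejects 256. Rejecting is the right choice here rather than silently truncating, because truncation hides the attack from the logs and still lets the attacker probe the copy length.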
Having found the flaw, Vaz set about writing an exploit. To do so he emulated the router's web server under QEMU, so that he could debug the MIPS32 process on an x86 machine, and used additional binaries to work around configuration and access limitations of the emulated router.
The researcher found that an unauthenticated attacker on the guest network could execute commands as root on the router simply by sending a specially crafted POST request to the router's httpd, the embedded web server that also handles guest network logins.
Marco Vaz has also developed a Metasploit module that exploits the flaw, as explained in the post:
“I have developed a Metasploit module to exploit this vulnerability that also executes iptables commands so that it is possible to access telnet server directly from the guest network to the root shell. You can get it here: belkin_rce_cve-2014-1635.rb.”
Integrity Labs reported the vulnerability to Belkin on Jan. 24; the company released the updated firmware that fixes the flaw on March 31.
Security Affairs – (Belkin, router)