Hacking the Linksys E1000

Tamir Gershberg @ Nov 13, 2022

Hi there, welcome to my first post in my new blog 😄

Recently, while cleaning up at home I have found quite a few routers that used to manage my apartment's internet connection. My first thought was that they were obsolete and I should just get rid of them, but then a few friends suggested I give them another purpose in life - by using them for educational purposes. I thought that was a great idea and so here we are.

First steps

Let's dive into it, and of course we'll start by examining our attack surface. Once powered up and connected we can find the default management interface at http://192.168.1.1:

Admin Login

Now, let's assume we don't know the credentials to log in to the router, and the defaults do not work (for the sake of the challenge 😉).

If so, this page isn't very helpful... Let's see what else we have to work with. Using nmap we can scan the router's ports to find other possible entry points. After running

nmap -Pn -p1-65535 192.168.1.1

we get the following result:

Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-13 22:34 IST
Nmap scan report for 192.168.1.1
Host is up (0.028s latency).
Not shown: 65531 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
1780/tcp  open  dpkeyserv
1990/tcp  open  stun-p1
52000/tcp open  unknown

That 52000 port seems kinda odd... Let's check it out:

Setup Page

Oh wow 😯

Exploring the attack surface

The admin panel just pops up, without any authentication! Looks like we don't need any credentials after all... This opens up a whole world of possible entry points, but let's check the classic one first. Routers like this one usually have a ping feature, which is almost always vulnerable to command injection. The ping feature in this router can be found under Administration > Diagnostics:

Setup Page

Here, the easiest guess would be that the backend of this webpage takes the provided IP address and just uses it as an argument in a command similar to

ping -c $count -s $packet_size $target_ip

In that case, if we manage to sneak in a pair of &'s after the IP address we could execute any command we'd like! I would like to believe that the devs of this software have at least implemented client side input validation, but let's make sure:

Setup Page Client Side Validations

As expected, this input did not pass the client side validations. To bypass those validations we can use a proxy tool, such as Burp Suite. Burp will allow us to intercept the request being sent from the client to the backend and modify it, like so:

Burp With Intercepted Request

Of course, we use the URL-encoded form of &, which is %26. Once Forward is clicked, the following window pops up:

Modified Ping Response

We can't see the result of the command, but we also can't see any errors, which is probably a good sign. Let's try a different command, one that will tell us for sure we managed to execute it, reboot for example. After modifying the request the same way as we did above, just with reboot instead of ls as the injected command, the router indeed reboots 🎉
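To make the two lessons of this post concrete, the guessed command construction (user input spliced into a shell command line) and the fact that client-side validation can be bypassed with a proxy, here is an added example in Python. It is not code from the original post and not the Linksys firmware (the router's real backend was never inspected here); it only reconstructs the pattern the post guesses at, beside a hardened handler that validates the same fields server-side and runs ping without a shell. The function names, the count and size limits, and the sample inputs are all constructed for the example.

```python
"""Vulnerable vs. hardened handling of a router "ping diagnostic" request.

Added example, not the firmware's code. It models the guess from the post:
the backend builds `ping -c $count -s $packet_size $target_ip` as a shell
string, so a shell separator in the target field runs a second command.
"""
import ipaddress
import subprocess
from urllib.parse import unquote

# Characters a POSIX shell treats specially; useful for flagging a request
# in logs even when the handler itself no longer goes through a shell.
SHELL_METACHARACTERS = set("&|;`$<>()\n\r")


def build_vulnerable_ping_command(count, packet_size, target):
    """The guessed-at pattern: every field is interpolated into one string
    that is later handed to a shell. Nothing is validated."""
    return f"ping -c {count} -s {packet_size} {target}"


def contains_shell_metacharacters(value):
    """True if the (already URL-decoded) value could alter a shell command."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def hardened_ping_argv(count, packet_size, target):
    """Server-side validation that does not trust the browser's checks.

    Returns an argv list (no shell involved), or raises ValueError when any
    field is not exactly what the feature needs: a single IP address and two
    small integers. Limits are constructed for this example.
    """
    addr = ipaddress.ip_address(target.strip())   # rejects "8.8.8.8 & reboot"
    count = int(count)                            # rejects "5; reboot"
    packet_size = int(packet_size)
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    if not 0 <= packet_size <= 1472:
        raise ValueError("packet size out of range")
    return ["ping", "-c", str(count), "-s", str(packet_size), str(addr)]


def is_accepted(count, packet_size, target):
    """Convenience wrapper: does the hardened handler accept this request?"""
    try:
        hardened_ping_argv(count, packet_size, target)
        return True
    except ValueError:
        return False


def run_hardened_ping(count, packet_size, target, timeout=15):
    """Execute the validated argv directly; shell=False is the default for a
    list, so "&" in an argument is just a literal character."""
    argv = hardened_ping_argv(count, packet_size, target)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed form value as it would arrive after the proxy edit
    # described in the post: the target field URL-decodes to "8.8.8.8 & reboot".
    raw_target = "8.8.8.8%20%26%20reboot"
    decoded = unquote(raw_target)
    print("vulnerable shell string:", build_vulnerable_ping_command(1, 32, decoded))
    print("flag for logging:", contains_shell_metacharacters(decoded))
    print("hardened handler accepts it:", is_accepted("1", "32", decoded))
    print("hardened handler accepts 8.8.8.8:", is_accepted("1", "32", "8.8.8.8"))
```

The decisive change is not the metacharacter check but the argv list: once the target is passed as one argument to ping rather than interpolated into a shell line, there is no command parser left to abuse, and `ipaddress.ip_address` then narrows the field to the only thing the feature needs. The metacharacter check remains useful on the defender side for logging attempts against the diagnostics page.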