Wednesday, January 30, 2013

Broadcom UPnP Remote Preauth Root Code Execution Vulnerability

During a security evaluation of Cisco Linksys routers for a client, we discovered a critical
security vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code
with root privileges.
Upon the initial vulnerability announcement a few weeks ago, a Cisco spokesman stated that only one
router model, the WRT54GL, is vulnerable.
We have continued our research and found that, in fact, the same vulnerable firmware component
is also used in at least two other Cisco Linksys models, the WRT54G3G and probably the WRT310N.
There could be others.

Moreover, the vulnerability turns out to be even more dangerous, since we have discovered that the same
vulnerable firmware component is also used by many other big-brand router manufacturers and many
smaller vendors.

The vulnerability itself is located in the Broadcom UPnP stack, which is used by many router manufacturers
that produce or have produced routers based on Broadcom chipsets.
We have contacted them with the vulnerability details and expect patches soon.
However, we would like to point out that we have sent more than 200 e-mails to various router
manufacturers and various people, without much success.

Some of the manufacturers contacted regarding this vulnerability are:
- Broadcom
- Asus
- Cisco
- TP-Link
- Zyxel
- D-Link
- Netgear
- US Robotics
- and so on.

The full vulnerability description is available here:

Leon Juranic

Thursday, January 17, 2013

DefenseCode Security Advisory (UPCOMING): Cisco Linksys Remote Preauth 0day Root Exploit Follow-Up

Starting a few hours ago, we began a quick analysis as to how many Linksys models might be vulnerable.
From what we can tell so far, at least one other (not just the WRT54GL) Linksys model is probably vulnerable.

Moreover, during the analysis we discovered clues that network devices from other manufacturers might
also contain the same vulnerability. We are still investigating.

Regarding the Cisco case, we are looking forward to the vulnerability fix. In the meantime, we have again approached them about a few other potential vulnerabilities in the Linksys equipment.

Leon Juranic

Friday, January 11, 2013

DefenseCode Security Advisory (UPCOMING): Cisco Linksys Remote Preauth 0day Root Exploit

The story behind the vulnerability...

Months ago, we contacted Cisco about a remote preauth (root access) vulnerability
that we had discovered in the default installation of their Linksys routers. We gave them
a detailed vulnerability description along with a PoC exploit for the vulnerability.

They said that this vulnerability had already been fixed in the latest firmware release...
Well, not this particular vulnerability, since the latest official Linksys firmware,
4.30.14, and all previous versions are still vulnerable.

The exploit shown in this video has been tested on the Cisco Linksys WRT54GL, but other
Linksys versions/models are probably also affected.
Cisco Linksys is a very popular router line, with more than 70,000,000 routers sold.
That's why we think this vulnerability deserves attention.

According to our vulnerability disclosure policy, the vulnerability details will be
disclosed in the following 2 weeks on , BugTraq and
Full Disclosure.
Due to the severity of this vulnerability, we would once again like to urge Cisco
to fix it.

The vulnerability is demonstrated in the following video:

Kind Regards,