Linksys E2500 / E1200 Command Injection

2016.08.16

Credit: samuelhuntley

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-78

Linksys E2500 and E1200 suffer from missing command injection issue in parental control parameters. This allows an attacker to change the control the device remotely.
Combining the attack of no authorization control, it allows an attacker to actually execute unauthenticated command injection attack and thus control the entire device.
More info at:
http://www.samuelhuntley.com/?p=141
http://www.samuelhuntley.com/?p=135
Initial disclosure date: 04/12/16
Fixed date as per Linksys contact: 7/4/16
Linksys contact: Benjamin Samuels, Calvin Clark (security@linksys.com)

References:

http://www.samuelhuntley.com/?p=141

http://www.samuelhuntley.com/?p=135

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Linksys E2500 / E1200 Command Injection

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.