Linksys E4200
cpe:2.3:o:belkin:linksys_e4200_firmware:*:*:*:*:*:*:*, +3 more
This vulnerability is being actively exploited in the wild.
A command injection vulnerability has been identified in several models of Linksys E-Series routers, including the E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900, as well as various WAG, WAP, WES, WET, and WRT-series models, and Wireless-N access points and routers. The vulnerability arises in the '/tmUnblock.cgi' and '/hndUnblock.cgi' endpoints over HTTP on port 8080. The affected CGI scripts fail to properly sanitize user input for the 'ttcp_ip' parameter, allowing unauthenticated attackers to inject shell commands. This vulnerability is actively exploited by the 'TheMoon' worm, which delivers a MIPS ELF payload that executes arbitrary code on the router.
Exploitation of this vulnerability allows for unauthorized OS command execution on the affected router.
The vulnerability can be reproduced by sending a crafted HTTP POST request to the '/tmUnblock.cgi' or '/hndUnblock.cgi' endpoint on port 8080. The 'ttcp_ip' parameter must be included in the request, with the payload URL-encoded to bypass input validation. The injected command is executed on the router's operating system, leading to unauthorized access or control.
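For defenders, the request shape described above can be turned into a log triage check. This is an added example, not part of the original advisory: it assumes request records (method, destination port, URL, body) are available from a proxy or IDS, and the record layout, verdict names, and the rule that a legitimate `ttcp_ip` value is a bare IP address are assumptions. The sample records are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints, port and parameter as named in the description above.
TARGET_PATHS = {"/tmunblock.cgi", "/hndunblock.cgi"}
TARGET_PORT = 8080
PARAM = "ttcp_ip"
# Assumption: a legitimate value is a bare IPv4/IPv6 address.
IP_LIKE = re.compile(r"[0-9A-Fa-f:.]{1,45}")

def classify(method, port, url, body=""):
    """Return None, 'endpoint-access' or 'injection-attempt' for one request."""
    parts = urlsplit(url)
    if port != TARGET_PORT or parts.path.lower() not in TARGET_PATHS:
        return None
    # parse_qs URL-decodes once, so %3B, %60 or '+' show up as ';', '`', ' '.
    values = parse_qs(parts.query).get(PARAM, [])
    if method.upper() == "POST":
        values += parse_qs(body).get(PARAM, [])
    if any(not IP_LIKE.fullmatch(v) for v in values):
        return "injection-attempt"
    return "endpoint-access"

# Constructed sample records: (source, method, dst port, URL, body).
SAMPLE = [
    ("198.51.100.23", "POST", 8080, "/tmUnblock.cgi",
     "a=1&ttcp_ip=192.0.2.7%3BPLACEHOLDER"),
    ("198.51.100.23", "POST", 8080, "/hndUnblock.cgi", "ttcp_ip=192.0.2.7"),
    ("203.0.113.5", "GET", 8080, "/index.html", ""),
    ("203.0.113.9", "POST", 80, "/tmUnblock.cgi", "ttcp_ip=192.0.2.7"),
]

def triage(records):
    """Return (source, url, verdict) for every record that touches the endpoints."""
    hits = []
    for src, method, port, url, body in records:
        verdict = classify(method, port, url, body)
        if verdict:
            hits.append((src, url, verdict))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(*hit)
```

Because the endpoints are reachable without authentication, an `endpoint-access` hit from an untrusted source is also worth reviewing, not only `injection-attempt`.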