Linksys E1200 V2 Unauthenticated Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the Linksys E1200 V2 router, specifically in the HTTP daemon (httpd) within the Start_EPI function. This vulnerability allows remote attackers to execute arbitrary commands on the device without authentication. The issue arises because user-supplied CGI parameters are concatenated into system command strings without proper sanitization, and then executed via a command execution function. The vulnerable firmware version is E1200_v2.0.11.001_us.tar.gz.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/cgi-bin/Start_EPI' endpoint. The request must include the 'wl_ant', 'wl_ssid', 'wl_rate', 'ttcp_num', 'ttcp_ip', and 'ttcp_size' parameters. The 'wl_ant' parameter can be used to inject commands, such as creating a file in the '/tmp' directory.
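One way to close this class of bug is to check every CGI parameter against a strict allowlist before any of it reaches a command string. The C code below is an added example, not the vendor's code or a fix taken from this advisory; the struct and function names, and the accepted ranges and character sets, are assumptions, since the page does not document the parameters' legitimate values.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical container for the six Start_EPI parameters named in the advisory. */
struct epi_params { const char *wl_ant, *wl_ssid, *wl_rate, *ttcp_num, *ttcp_ip, *ttcp_size; };

/* Accept only 1..max_digits ASCII digits whose value is <= max_value. */
static int is_uint_in_range(const char *s, size_t max_digits, unsigned long max_value)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > max_digits)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return strtoul(s, NULL, 10) <= max_value;
}

/* Strict dotted-quad IPv4: inet_pton() rejects any trailing or embedded junk. */
static int is_ipv4(const char *s)
{
    struct in_addr a;
    return s && strlen(s) <= 15 && inet_pton(AF_INET, s, &a) == 1;
}

/* SSID policy (assumed, stricter than 802.11): 1..32 bytes of [A-Za-z0-9_.-]. */
static int is_safe_ssid(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr("_.-", s[i]))
            return 0;
    return 1;
}

/* Returns 1 only if every field passes; the handler should reject the request otherwise. */
int epi_params_valid(const struct epi_params *p)
{
    return p && is_uint_in_range(p->wl_ant, 1, 3)      /* assumed range 0..3 */
        && is_safe_ssid(p->wl_ssid)
        && is_uint_in_range(p->wl_rate, 3, 999)        /* assumed range */
        && is_uint_in_range(p->ttcp_num, 6, 999999)    /* assumed range */
        && is_ipv4(p->ttcp_ip)
        && is_uint_in_range(p->ttcp_size, 5, 65535);   /* assumed range */
}
```

After validation, passing the values as separate argv entries to execv() instead of building a shell string removes the shell from the path entirely.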

Added: Nov 13, 2025, 4:26 PM
Updated: Nov 13, 2025, 6:29 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.