Linksys MR9600 and MX4200 Path Traversal Vulnerability Allowing Arbitrary File System Mounting

Vulnerability

A path traversal vulnerability has been identified in the USB sharing feature of the Linksys MR9600 and MX4200 routers. It allows the contents of a USB drive to be mounted at arbitrary locations within the file system. The script responsible for mounting the USB drive does not properly sanitize partition names, so a partition name containing directory traversal sequences moves the mount point outside the intended directory. As a result, it is possible to execute shell scripts with root privileges, potentially leading to unauthorized access or control over the device.
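One way to close the gap described above is to allowlist the partition label before it becomes part of the mount path. The following is an added example, not code from the router firmware or the original advisory; `MOUNT_BASE`, `safe_label` and `mount_point_for` are hypothetical names, and the sample labels are constructed.

```shell
#!/bin/sh
# Added example: hardened mount-point derivation for a USB automount script.
# MOUNT_BASE and both function names are assumptions, not taken from the firmware.
LC_ALL=C; export LC_ALL          # make the A-Z / a-z ranges below byte-exact
MOUNT_BASE="${MOUNT_BASE:-/tmp/mnt}"

# Print the label if it is safe to use as a single directory name, else return 1.
# Allowlist: [A-Za-z0-9._-] only, no leading dot, at most 32 characters.
safe_label() {
    label=$1
    case $label in
        ''|.*) return 1 ;;               # empty, ".", ".." and hidden names
        *[!A-Za-z0-9._-]*) return 1 ;;   # anything else, including "/" and spaces
    esac
    [ "${#label}" -le 32 ] || return 1
    printf '%s\n' "$label"
}

# Print the mount point for a device and its partition label. A rejected label
# falls back to the kernel device name (e.g. sda1) so the drive still mounts.
mount_point_for() {
    dev=$1
    label=$2
    name=$(safe_label "$label") || name=$(safe_label "${dev##*/}") || return 1
    target="$MOUNT_BASE/$name"
    # Defence in depth: the result must be a direct child of MOUNT_BASE.
    case $target in
        "$MOUNT_BASE"/*/*) return 1 ;;
        "$MOUNT_BASE"/?*) printf '%s\n' "$target" ;;
        *) return 1 ;;
    esac
}

# Constructed sample labels showing accepted and rejected input.
for l in 'BACKUP' '../../etc' '..' 'my disk'; do
    printf '%-12s -> %s\n' "$l" "$(mount_point_for /dev/sda1 "$l")"
done
```

A caller would create the returned directory and pass it to `mount`; mounting removable media with `nosuid,nodev` is a complementary hardening step.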

Impact

Exploitation of this vulnerability could allow for the execution of arbitrary shell scripts as the root user, potentially leading to full administrative control over the device.

Reproduction

To reproduce this vulnerability, name the USB drive partition with a path traversal string that includes '../' to navigate the file system. Once the USB drive is plugged into the router, the partition will be mounted at the specified location. For example, if the drive contains a script named 'exploit.sh' and is mounted onto a directory whose scripts are executed every minute, the script will be run with root privileges.

Added: Feb 24, 2026, 6:34 PM
Updated: Feb 24, 2026, 10:06 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 2.6
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.