Linksys MR9600 and MX4200 SQL Injection Vulnerability via TLS-SRP Handshake

Vulnerability

A SQL injection vulnerability has been identified in the Linksys MR9600 and MX4200 routers, specifically in versions 1.0.4.205530 and 1.0.13.210200, respectively. The issue arises from improper handling of special characters, allowing SQL statements to be injected through the handshake of a TLS-SRP connection. This injection can be exploited to insert known credentials into the router's database, which can then be used to access protected services.

Impact

Exploitation of this vulnerability allows for SQL injection, where arbitrary SQL commands can be executed against the router's database. This could lead to unauthorized access to protected services by injecting and manipulating credential data.

Reproduction

The vulnerability can be reproduced by establishing a TLS-SRP connection to the router's service running on TCP port 6060. During the handshake, inject a crafted username that includes SQL commands to manipulate the database. After injecting the credentials, the SQL injection can be confirmed by accessing the service using the injected credentials.
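The improper handling of special characters described above, as an added example that is not code from the advisory or from the router firmware: in TLS-SRP the server looks up the salt and verifier for the username sent in the handshake before any authentication has happened, so that lookup must treat the username strictly as data. The table `srp_users`, its columns, the function names, the username pattern and the sample input are all hypothetical and constructed for illustration.

```python
import re
import sqlite3

# Hypothetical schema; the advisory does not describe the router's tables.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE srp_users (username TEXT PRIMARY KEY, salt BLOB, verifier BLOB)"
    )
    db.execute(
        "INSERT INTO srp_users VALUES (?, ?, ?)",
        ("admin", b"\x01" * 16, b"\x02" * 32),  # constructed sample record
    )
    return db

def lookup_concatenated(db, username):
    """Flawed pattern: the handshake username becomes part of the SQL text."""
    sql = "SELECT salt, verifier FROM srp_users WHERE username = '%s'" % username
    return db.execute(sql).fetchone()

# Conservative allow-list for SRP identities (an assumption; adjust per product).
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def lookup_parameterized(db, username, validate=True):
    """Hardened pattern: optional allow-list check, then a bound parameter."""
    if validate and not USERNAME_RE.fullmatch(username):
        return None  # reject before touching the database
    row = db.execute(
        "SELECT salt, verifier FROM srp_users WHERE username = ?", (username,)
    )
    return row.fetchone()

# Constructed input containing a quote character, as a handshake username would.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # The quote ends the string literal, so the WHERE clause is rewritten.
    print("concatenated :", lookup_concatenated(db, CRAFTED))
    # Bound as data: no user has this literal name, so nothing is returned.
    print("bound only   :", lookup_parameterized(db, CRAFTED, validate=False))
    print("validated    :", lookup_parameterized(db, CRAFTED))
    print("legit user   :", lookup_parameterized(db, "admin"))
```

Binding alone closes the injection; the allow-list is defense in depth and gives a clean point at which to log rejected handshake usernames.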

Added: Feb 25, 2026, 8:05 PM
Updated: Feb 25, 2026, 8:05 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 1.3
exploitability: 6.2
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.