Linksys MR9600 and MX4200 OS Command Injection Vulnerability via TLS-SRP Handshake

A command injection vulnerability has been identified in the Linksys MR9600 and MX4200 routers, specifically in versions 1.0.4.205530 and 1.0.13.210200, respectively. The issue arises from the 'sct_server' service, which runs on TCP port 6060. This service, used for integrating mesh devices into the network, accepts TLS-SRP connections but fails to properly sanitize input. As a result, OS commands can be injected through the username field of the TLS-SRP handshake. These commands are executed with root privileges, without requiring a valid username or password.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution as the root user.

Reproduction

The vulnerability can be reproduced by establishing a TLS-SRP connection to the affected router's 'sct_server' service on port 6060. During the handshake, inject a command into the username field. The injected command will be executed on the router as the root user. For example, using the 'tlslite-ng' library, a command can be injected that changes the LED indicator color, confirming successful execution.