Linksys MR9600 OS Command Injection Vulnerability in SmartConnect Configuration

A command injection vulnerability has been identified in the Linksys MR9600 router running firmware version 2.0.6.206937. The issue arises in the SmartConnect.lua file, specifically within the smartConnectConfigure function. This vulnerability allows remote execution of operating system commands by manipulating the configApSsid, configApPassphrase, srpLogin, and srpPassword parameters. The injected commands are executed with root privileges, leading to a full compromise of the device.

Impact

Exploitation of this vulnerability allows for authenticated remote code execution on the affected device, with the executed commands running in the root context.

Reproduction

To reproduce this vulnerability, first restore the device's configuration to an unconfigured state by uploading a crafted JNAP action that resets the smart_mode parameter. Once the device is in an unconfigured state, the vulnerability can be exploited by sending a JNAP request to the SmartConnectConfigure action with injected command payloads in the specified parameters. After the command is executed, the output can be retrieved by querying the device's ping status, which will contain the results of the executed command.