Linksys MR9600 Command Injection Vulnerability in JNAP Action Handler

A command injection vulnerability has been identified in the Linksys MR9600 router, specifically in the firmware version 2.0.6.206937. The issue arises within the JNAP Action Handler, in a function called BTRequestGetSmartConnectStatus. The vulnerability is triggered by manipulating the 'pin' argument, which is passed to a Bluetooth management function and then concatenated into a shell command executed by the router's operating system. This flaw allows authenticated attackers to inject arbitrary commands that are executed with root privileges.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device, with root privileges.

Reproduction

To reproduce this vulnerability, first set the device to 'Master' mode. Once in the correct mode, send a request to the JNAP action 'BTRequestGetSmartConnectStatus' with a crafted 'pin' parameter that includes a command injection payload. The injected command will be executed on the device's operating system.