There is an authentication bypass vulnerability in the Linksys E2000 router with firmware version Ver.1.0.06 build 1. An attacker can leak the current admin session and use it to bypass authentication on the Linksys E2000.
In the position.js file, the value of session_key is obtained by nvram_get, passed into the variable session_key, and printed out into the script body.
Because the session_key is written into position.js, an attacker who can access position.js, or any file that calls position.js, is able to obtain the session.
Environment setup:
Set up the router environment through FirmAE; refer to pr0v3rbs/FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis (github.com) for instructions. Once the emulation has finished, the steps below can be reproduced against the emulated web interface.
First, in order to leak the admin's current session ID, the attacker needs the admin to log in to the web management interface so that the router generates a valid session ID string.
Second, once the admin is logged into the web interface, the attacker can send a GET request to the URI /position.js, or to any file that calls position.js (such as hset.htm, BlockSite.asp, BlockTime.asp or getconnst.asp), in order to retrieve the admin's current session ID.
After obtaining the session, the attacker uses it to log in as the admin.
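The following is an added detection example, not part of the original advisory. It scans web access log lines for GET requests to position.js and the pages that include it, made by clients other than the known admin address, which is the traffic pattern the steps above would produce. It assumes the router's HTTP log (or an upstream proxy in front of the management interface) writes Common Log Format lines and that the admin's client address is known; the sample log lines, including the /index.asp path, are constructed for the example.

```python
import re

# Paths that expose session_key according to the advisory: position.js itself
# and the pages that call it.
LEAKING_PATHS = {
    "/position.js",
    "/hset.htm",
    "/BlockSite.asp",
    "/BlockTime.asp",
    "/getconnst.asp",
}

# Common Log Format (assumption: this is what the management interface or a
# proxy in front of it logs). Captures client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: the admin (192.168.1.10) logs in and uses the UI,
# then a second client (192.168.1.77) fetches the session-leaking files.
SAMPLE_LOG = [
    '192.168.1.10 - - [01/Jan/2024:10:00:00 +0000] "POST /index.asp HTTP/1.1" 200 512',
    '192.168.1.10 - - [01/Jan/2024:10:00:05 +0000] "GET /hset.htm HTTP/1.1" 200 2048',
    '192.168.1.77 - - [01/Jan/2024:10:00:30 +0000] "GET /position.js HTTP/1.1" 200 1300',
    '192.168.1.77 - - [01/Jan/2024:10:00:31 +0000] "GET /getconnst.asp?x=1 HTTP/1.1" 200 900',
    '192.168.1.77 - - [01/Jan/2024:10:00:32 +0000] "GET /index.asp HTTP/1.1" 401 0',
    "not a log line at all",
]


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match.

    The query string is stripped from the path so that /getconnst.asp?x=1
    still matches the leaking path list.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_session_leak_candidates(lines, admin_ips):
    """Return (ip, path, timestamp) for successful GETs of session-leaking
    files issued by clients that are not the known admin address(es).

    A 200 response to one of these paths from an unexpected client is the
    observable footprint of the session ID leak described in the advisory.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (
            rec["method"] == "GET"
            and rec["path"] in LEAKING_PATHS
            and rec["status"] == "200"
            and rec["ip"] not in admin_ips
        ):
            hits.append((rec["ip"], rec["path"], rec["ts"]))
    return hits


if __name__ == "__main__":
    for ip, path, ts in find_session_leak_candidates(SAMPLE_LOG, {"192.168.1.10"}):
        print(f"possible session leak: {ip} fetched {path} at {ts}")
```

The check keys on a successful (200) response rather than on the request alone, since a router that has been patched to require authentication for these files would answer differently; in practice the admin address set would come from the same log's successful login events rather than being hard-coded.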