DefenseCode researchers have uncovered a remote root access vulnerability in the default installation of Linksys routers.


They contacted Cisco and shared a detailed vulnerability description along with the PoC exploit for the vulnerability. Cisco claimed that the vulnerability was already fixed in the latest firmware release, which turned out the be incorrect. The latest Linksys firmware (4.30.14) and all previous versions are still vulnerable.

Leon Juranic, DefenseCode CEO, comments for Help Net Security: "According to numbers available on the Internet, Cisco Linksys is a very popular router with more than 70,000,000 routers sold. This creates an immense playground for anyone in possession of a 0-day exploit."

The vulnerability itself was discovered during a Cisco Linksys product security evaluation for a client and it took the researchers 12 days to develop a fully working exploit. That includes hardware hacking for router debugging, vulnerability analysis, memory analysis and exploit development.

After the researchers posted their findings online, Cisco finally got in touch again. They are expected to release a fix in time for the full advisory, which should see the light of day in about 10 days.

The video below shows the exploit tested on a Cisco Linksys WRT54GL:



Update: Friday, January 18, 2013.
Although Cisco claims that the vulnerability exists only in their Linksys WRT54GL router, DefenseCode started investigating their claim and from what they can tell so far, at least one other (not just the WRT54GL) Linksys model is probably vulnerable.

Moreover, during the analysis they discovered clues that network devices from other manufacturers might also contain the same vulnerability. They are still investigating.