Exploit released for vulnerability targeted by Linksys router worm

Technical details about a vulnerability in Linksys routers that’s being exploited by a new worm were released Sunday along with a proof-of-concept exploit and a larger than earlier expected list of potentially vulnerable device models.

Last week, security researchers from the SANS Institute’s Internet Storm Center identified a self-replicating malware program that exploits an authentication bypass vulnerability to infect Linksys routers. The worm has been named TheMoon.

The initial report from SANS ISC said the vulnerability is located in a CGI script that’s part of the administration interface of multiple Linksys’ E-Series router models. However, the SANS researchers didn’t name the vulnerable CGI script at the time.

On Sunday, a Reddit user identified four CGI scripts that he believed were likely to be vulnerable. An exploit writer, who uses the online alias Rew, later confirmed that at least two of those scripts are vulnerable and published a proof-of-concept exploit.

“I was hoping this would stay under wraps until a firmware patch could be released, but it appears the cat is out of the bag,” Rew wrote in the exploit notes.

The exploit also contains a list of Linksys routers that Rew believes might be vulnerable based on strings extracted from the original TheMoon malware. The list includes not only models from the Linksys E-Series, but also from the Wireless-N product line.

The following models are listed: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N. However, Rew notes that the list might not be accurate or complete.

Linksys owner Belkin confirmed that some Wireless-N routers are also affected, but didn’t name the exact models.

“Linksys is aware of the malware called ‘The Moon’ that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers,” said Karen Sohl, director of global communications at Belkin, in an emailed statement Sunday. “The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default.”

Sohl said customers can disable the remote management feature and reboot their routers to remove the malware, which suggests that the worm is not persistent across reboots.

Linksys published a technical article on its website with instructions on how to install the latest firmware version and disable remote management on affected devices. This solution might not be practical for router administrators who need to manage devices deployed in remote locations, but so far it appears to be the only official mitigation strategy offered by the vendor.

“Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks,” Sohl said.

The public release of a proof-of-concept exploit exposes the vulnerable routers to potential opportunistic and targeted attacks in addition to TheMoon malware threat. Cyber criminals have recently started compromising home routers to launch attacks against online banking users, suggesting the risk associated with serious vulnerabilities in routers is not just theoretical.