Linksys LRT224 Dual WAN Gigabit VPN Router Session Cookie Brute-force

An attacker can easily guess the contents of a logged-in user's session cookie

Vulnerability:
An attacker can easily guess the contents of the currently logged-in user's session cookie. The session cookie is the base64 encoding of the string DefaultX::::admin, where X is a single digit from 0-9. The attacker can easily try all 10 possible session cookies to see which is currently valid.
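
The weakness described above can be checked for defensively. The following is an added example, not the PoC script or vendor code referenced on this page: it audits a cookie value for the predictable format and shows a CSPRNG-based replacement. The function names and the 128-bit minimum (MIN_TOKEN_BYTES) are assumptions chosen for illustration.

```python
import base64
import binascii
import math
import re
import secrets
from typing import Optional

# Format described in the advisory: base64("DefaultX::::admin"), X a digit 0-9.
WEAK_FORMAT = re.compile(rb"Default\d::::admin")
MIN_TOKEN_BYTES = 16  # assumed policy: at least 128 bits from a CSPRNG


def decode_cookie(value: str) -> Optional[bytes]:
    """Decode a base64 or base64url cookie value; return None if it is neither."""
    std = value.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)  # restore stripped padding
    try:
        return base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return None


def audit_cookie(value: str) -> dict:
    """Classify a session cookie as predictable, too short, or long enough."""
    raw = decode_cookie(value)
    if raw is None:
        return {"verdict": "not-base64", "bits": None}
    if WEAK_FORMAT.fullmatch(raw):
        # Only the single digit varies, so the whole space is 10 values.
        return {"verdict": "predictable", "bits": round(math.log2(10), 2)}
    # Length is an upper bound on entropy; it does not prove randomness.
    verdict = "too-short" if len(raw) < MIN_TOKEN_BYTES else "ok-length"
    return {"verdict": verdict, "bits": len(raw) * 8}


def new_session_token() -> str:
    """Hardened form: 256 bits from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


# Constructed sample in the advisory's format (not captured traffic).
SAMPLE_WEAK = base64.b64encode(b"Default3::::admin").decode()

if __name__ == "__main__":
    print(SAMPLE_WEAK, audit_cookie(SAMPLE_WEAK))
    fresh = new_session_token()
    print(fresh, audit_cookie(fresh))
```

A token drawn this way should also be bound server-side to the authenticated session and expired on logout, so that its value carries no guessable structure such as a slot number or username.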

POC Exploit Video:

POC Exploit Script download:
poc.js

Implications:

Requirements:

Vulnerable Systems:

Firmware versions tested:

Fix released in FW version 1.0.7.04
An official firmware update remediating this vulnerability was released March 19, 2019 (see Linksys's official changelog).
