Some versions of a popular Wi-Fi router sold under the Linksys brand expose users to a variety of exploits that allow remote attackers to take full control of the devices, a security expert said.
The most severe of the vulnerabilities in the "classic firmware" for the Linksys EA2700 Network Manager is a cross-site request forgery weakness in the browser-based administration panel, according to Phil Purviance, an information security specialist at AppSec Consulting. He said routers running the software also don't require the current password to be entered when the passcode is changed. By exploiting the two weaknesses together, attackers can take full control of the router by luring anyone connected to it to a booby-trapped website. Malicious JavaScript in the end-user's browser resets the password and turns on remote management capabilities. The attacker can then gain administrative privileges over the device.
"If you have this router on your network and you browse [a] malicious website, five seconds later your router now has a new password and is available from the Internet," Purviance told Ars. "So [an attacker] can just log into it as if [he] was on your network." From there, an attacker could do anything a normal administrator could do, including installing a version of the device firmware that contains a backdoor and changing settings to use malicious domain name lookup servers. The security consultant documented more of his findings in a recently published blog post.