Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability is a path traversal issue affecting Linksys MR9600 and MX4200 Wi-Fi mesh routers. It occurs because the script responsible for mounting USB drive partitions shared via SMB does not properly sanitize the partition names. An attacker can name a USB partition with special path elements like "../" to cause the system to mount the partition in an arbitrary location in the file system.'}, {'type': 'paragraph', 'content': 'For example, by naming a USB partition "../../tmp/cron/cron.everyminute" and placing a malicious shell script on it, the router mounts the partition in a cron directory where scripts are executed regularly. This leads to execution of the attacker\'s shell script with root privileges, effectively allowing remote code execution as root.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker to execute arbitrary shell scripts with root privileges on the affected router. This means the attacker can take full control of the device remotely by inserting a specially crafted USB drive.

• Remote code execution as root user
• Potential full compromise of the router
• Ability to execute malicious commands or scripts on the device
• Possible network compromise or further attacks on connected devices

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the device mounts USB partitions with path traversal strings that allow mounting in arbitrary filesystem locations. Specifically, look for mounts under /tmp/anon_smb/ that include special path elements like "../".'}, {'type': 'paragraph', 'content': 'You can inspect the mount points on the device to see if any USB partitions are mounted outside the expected directory. For example, use the command:'}, {'type': 'list_item', 'content': 'mount | grep /tmp/anon_smb/'}, {'type': 'paragraph', 'content': 'Additionally, check for suspicious directory names or mounts that include path traversal sequences such as "../../" which could indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'You may also want to check the contents of the /etc/init.d/service_tsmb.sh script for improper sanitization of mount paths.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

As of the public disclosure date, no fix or mitigation has been provided by the manufacturer.

Immediate steps include avoiding the use of USB drives on affected devices (Linksys MR9600 version 1.0.4.205530 and MX4200 version 1.0.13.210200) to prevent an attacker from exploiting the path traversal vulnerability.

Monitor the device for any suspicious mounts or unexpected execution of scripts, and restrict physical access to the device to prevent unauthorized USB insertion.

Consider isolating the affected devices from untrusted networks until a patch or official mitigation is released.

Useful 0 Not Useful 0