The Linksys WAG54G2 router is a somewhat popular SOHO-class device in Poland. It provides ADSL / WiFi / Ethernet interfaces.
The router is based on a Linux distribution which runs on the ARM architecture.
If you are interested in a more specific hardware description, here is a hint, obtained using an OS shell escape from the web management interface:
# cat /proc/cpuinfo
Processor : ARM1026EJ-Sid(wb)B rev 2 (v5l)
BogoMIPS : 351.43
Features : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0xa26
CPU revision : 2
Cache type : write-back
Cache clean : cp15 c7 ops
Cache lockdown : format C
Cache format : Harvard
I size : 16384
I assoc : 4
I line length : 32
I sets : 128
D size : 8192
D assoc : 4
D line length : 32
D sets : 64
Hardware : Solos CX4615
Revision : 0000
Serial : 000000c002123588
The router can be managed via a management console which is enabled by default (for LAN users only).
Tested on firmware: V1.00.10 (newest available at the time).
Once you are logged in to the web administration, a simple injection leads to OS root access.
Many characters lead to injection, including at least:
As you might have noticed, the above request is used with the default administration credentials (admin/admin). It can be exploited using CSRF and these credentials (assuming the user did not change the default username/password). But it is not as straightforward as in our other research: ASMAX router compromise.
Anyone with access to the web administration can still backdoor the router. Another outcome of the bug is the ability to examine quite easily which services are running on the router, what its internal configuration is, etc. This may be a hint for finding some more interesting vulnerabilities.
Also, if an authentication bypass vulnerability were found in the HTTP server / management software, it could lead to an easy, full remote compromise of the router, as described in the ASMAX case.
UPDATE [31.05.2009]
UPDATE [29.05.2009]: due to some misunderstanding of the issue we clarify that: