Unauthenticated RCE in Motorola's MR2600 Router

(mrbruh.com)

44 points | by MrBruh 4 hours ago

4 comments

  • yukIttEft 1 hour ago
    In Germany we have "Störerhaftung" where routerowners are responsible for everything that happens through their router.

    I wonder how this would hold up in court, couldn't you argue that routers are generally buggy, how can they force any responsibility if they can easily be hacked?

    • nerdsniper 1 hour ago
      Nearly every stock consumer router keeps getting these RCE’s. Perhaps that’s the point, they can get any arbitrary household in trouble if it’s expedient to do so.
    • cynicalsecurity 30 minutes ago
      It won't work. You would need to back up your claim with proof that someone hacked your router. You can't drive a car that is easily breakable and expect the court to clear you of any responsibility if it causes harm because it broke while you were driving.
      • faidit 4 minutes ago
        An allegory here would be someone stealing an easily stealable car (e.g. doing the Kia Challenge) and causing damage or injury. The thief would be liable, not the owner
      • msh 12 minutes ago
        But if it’s the isp delivered router they should carry the responsibility
  • 4llan 40 minutes ago
    Really curious the use of the "zoom.com" domain. However, since the endpoint uses insecure HTTP, maybe this should be a simple endpoint/hostname redirection.

    A search of "router/firmware/query.aspx" leads me to D-Link endpoints who also uses the "wrpd" subdomain.

    • bri3d 21 minutes ago
      Zoom were a very longstanding modem company who expanded into cable and routers and licensed the Motorola brand in 2016.
  • VladVladikoff 1 hour ago
    >42 hosts with remote management

    >vender doesn’t want to fix it

    Sometimes I wonder if the white hat hackers who find such a thing should just take it a step further and patch those hosts. Take the firmware, fix those bugs and update those 42 routers.

    • nerdsniper 1 hour ago
      That would be “gray hat”. It would be illegal, though it has happened in the past and to my knowledge no one has yet been prosecuted for illegally fixing vulnerabilities.

      But it’s definitely not white hat.

    • CrzyLngPwd 1 hour ago
      Probably simpler to brick them, forcing the owners to upgrade to a modern and supported device.
    • itintheory 1 hour ago
      Isn't just as illegal as exploiting them for nefarious purposes? That's a pretty big risk to take to help a few dozen strangers on the Internet. What happens if your fix has an unforeseen interaction with some configuration on a remote system and your actions cause outage or worse?
    • binaryturtle 1 hour ago
      Just flash OpenWRT to them? :) (a script could prepare a matching default config)
  • bri3d 1 hour ago
    Vendor wise, these were never really made by a “Motorola” -this is a Zoom router (thus the domain) that used the Motorola name under license.

    The “old” Motorola router division Motorola Home got sold to Arris _without_ the brand name in 2013, and then the brand name went to Zoom in 2016. Zoom merged with another vendor called Minim, went bankrupt in 2023, and the assets were bought by a company called e2Companies in 2024.

    So e2Companies is who the author should email, but good luck. I’m shocked these were even “maintained” until 2024.