Linksys WAP54Gv3 Remote Debug Root Shell

Published: 09 Jun 2010
Reported by: Cristofaro Mune
Type: packetstorm
Source: packetstormsecurity.com

Linksys WAP54Gv3 firmware v3.05.03 Remote Debug Root Shell vulnerability

Code

```text
Security Advisory

IS-2010-002 - Linksys WAP54Gv3 Remote Debug Root Shell



Advisory Information
--------------------
Published:
2010-06-08

Updated:
2010-06-08

Manufacturer: Linksys
Model: WAP54G
Hardware version: v3.x
Firmware version: ver.3.05.03 (Europe)
ver.3.04.03



Vulnerability Details
---------------------
Class:
Remote Code Execution


Public References:
Not Assigned


Platform:
Successfully tested on Linksys WAP54Gv3 loaded with firmware version
Ver.3.05.03 (Europe)
Vulnerability also present on firmware ver.3.04.03 (US)
Other models and/or firmware versions may also be affected.


Background Information:
Linksys WAP54G is a wireless access point that allows wireless clients
connectivity to wired networks.
It supports the 802.11b and 802.11g protocols, with data rates up to 54Mbit/s.


Summary:
A debug interface allowing for the execution of root privileged shell
commands is available on dedicated web pages on the device.
Hardcoded credentials, which cannot be changed by the user, can be used
to access the debug interface.


Details:
A web page that allows executing shell commands on the device is available
at the following URLs:

http://AP_IP_ADDR/Debug_command_page.asp
http://AP_IP_ADDR/debug.cgi

where AP_IP_ADDR is the IP address of the device.
Authentication is required in order to access the aforementioned URLs,
but the admin credentials configured for accessing the administration
interface are not sufficient for a successful authentication.
The following credentials must be supplied in order to authenticate:

User: Gemtek
Password: gemtekswd

and access a debug web page that can be used for submitting shell
commands via a dedicated web form.
Such credentials are hardcoded in the firmware and cannot be changed by
the user by any means available on the administration web interface.
They can be used for accessing only the debug web pages specified above,
and cannot be used for authenticating to the administration web interface.

Submitted commands are included in the data1 form variable, sent via a
POST request to the web server, and executed with the privileges of the
httpd web server, which runs as root on the system, allowing for
complete remote control of the access point.
Two additional variables, data2 and data3, are processed by the web server
code but are not present in the form on the debug web page.
Command injection is also possible in the data2 and data3 payloads by using
typical shell command concatenation.

Impacts:
Remote access to and modification of access point settings and configuration.
Remote extraction of sensitive information such as credentials for
logging into the administration interface, Wi-Fi SSIDs and passphrases.
Remote download and execution of malicious applications.
"Remote blind" attacks, where malicious web pages are used by an
attacker over the Internet to execute code on a victim access point with
private addressing, by leveraging a user's browser as a third-party
"reflector", may also be possible.
The effectiveness of the aforementioned attack scenarios is increased
by the hardcoded credentials.


Solutions & Workaround:
Not available



Additional Information
----------------------
Timeline:
09/11/2009: Requested Point of Contact to Linksys
10/11/2009: Received Point of Contact
10/11/2009: Vulnerability details sent
11/12/2009: Received clarification request on firmware version
11/12/2009: Additional details sent
16/01/2010: Requested update on vulnerability status.
----------- No update received -----------
26/05/2010: Vulnerability disclosed at CONFidence 2010
08/06/2010: This advisory


Additional information available at http://www.icysilence.org
```
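As an added example (not part of the advisory or the Packetstorm page), the following Python inspects one captured HTTP request for the pattern the Details and Impacts sections describe: access to the two debug URLs, the hardcoded Gemtek account, a Referer from a foreign origin (the "reflector" scenario) and shell concatenation characters in data2/data3. The sample request, the AP address 192.168.1.245 and the host external.example are constructed, and the use of HTTP Basic authentication for the debug pages is an assumption, as the advisory does not name the scheme.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit
# Debug endpoints, debug account and form variables named in IS-2010-002
DEBUG_PATHS = {"/Debug_command_page.asp", "/debug.cgi"}
DEBUG_USER = "Gemtek"
CMD_PARAMS = ("data1", "data2", "data3")
SHELL_META = re.compile(r"[;&|`$]")  # shell command concatenation characters

# Constructed sample capture (not from the advisory): a POST to the debug page
SAMPLE = ("POST /debug.cgi HTTP/1.1\r\nHost: 192.168.1.245\r\nAuthorization: Basic "
          + base64.b64encode(b"Gemtek:placeholder").decode()
          + "\r\nReferer: http://external.example/lure.html\r\n\r\ndata1=uptime&data2=0%3Buptime")

def parse_request(raw):
    # Split a raw HTTP/1.x request into (method, path, headers, body)
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in lines[1:])}
    return method, urlsplit(target).path, headers, body

def basic_auth_user(headers):
    # Username from an HTTP Basic Authorization header (assumed scheme), or None
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        return base64.b64decode(auth[6:]).decode("latin-1").split(":", 1)[0]
    except ValueError:  # malformed base64 in the header
        return None

def assess_request(raw):
    """Return findings for one captured request; an empty list means no match."""
    method, path, headers, body = parse_request(raw)
    if path not in DEBUG_PATHS:
        return []
    findings = [f"{method} to debug endpoint {path}"]
    if basic_auth_user(headers) == DEBUG_USER:
        findings.append("hardcoded debug account used")
    referer_host = urlsplit(headers.get("referer", "")).hostname
    if referer_host and referer_host != headers.get("host", "").split(":")[0]:
        findings.append(f"cross-site origin {referer_host} (reflector scenario)")
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name in CMD_PARAMS:
            findings.append(f"command variable {name} submitted")
            if name != "data1" and any(SHELL_META.search(v) for v in values):
                findings.append(f"command concatenation in {name}")
    return findings
```

Any non-empty result for a request that did not originate from an administrator's session is worth an alert, since the debug account cannot be disabled and no fix was available at publication.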
