IS-2010-002 - Linksys WAP54Gv3 Remote Debug Root Shell


Security Advisory IS-2010-002 - Linksys WAP54Gv3 Remote Debug Root Shell Advisory Information -------------------- Published: 2010-06-08 Updated: 2010-06-08 Manufacturer: Linksys Model: WAP54G Hardware version: v3.x Firmware version: ver.3.05.03 (Europe) ver.3.04.03 Vulnerability Details --------------------- Class: Remote Code Execution Public References: Not Assigned Platform: Succesfully tested on Linksys WAP54Gv3 loaded with firmware version Ver.3.05.03 (Europe) Vulnerability present also on firmware ver.3.04.03 (US) Other models and/or firmware versions may be also affected. Background Information: Linksys WAP54G is a wireless access points that allow wireless clients connectivity to wired networks. Supported 802.11b and 802.11g protocols, with data rates up to 54Mbit/s. Summary: A debug interface allowing for the execution of root privileged shell commands is available on dedicated web pages on the device. Hardcoded credentials, that cannot be changed by user, can be used for accessing the debug interface. Details: A web page that allows executing shell commands on device is available at the following URLs: http://AP_IP_ADDR/Debug_command_page.asp http://AP_IP_ADDR/debug.cgi where AP_IP_ADDR is the IP address of the device. Authentication is required in order to access the aforementioned URLS, but the configured admin credentials used for accessing the administration interface, will not be sufficient for a successful authentication. The following credentials must be supplied in order to be authenticated: User: Gemtek Password: gemtekswd and access a debug web page that can be used for submitting shell commands via a dedicated web form. Such credentials are hardcoded in the firmware and cannot be changed by user by any means available on the administration web interface. They can be used for accessing only the debug web pages specified above, and cannot be used for authenticating to the administration web interface. Submitted commands are included within data1 form variable, sent via a POST request to the web server, and executed with the httpd web server privileges, that is running with root privileges on the system, allowing for complete remote control of the access point. Two additional variables, data2 and data3 are processed by web server code, but are not present in the form on the debug web page. Command injection is also possible in data2 and data3 payload by using typical shell commands concatenation. Impacts: Remote access and modifications to access point settings and configuration. Remote extraction of sensitive information such as credentials for logging into the administration interface, Wi-FI SSIDs and passphrases. Remote download and execution of malicious applications. "Remote blind" attacks, where malicious web pages are used by an attacker over the Internet to execute code on a victim access point with private addressing, by leveraging an user browser as a 3rd party "reflector", may be also possible. Effectiveness of the aforementioned attack scenarios is increased because of the hardcoded credentials. Solutions & Workaround: Not available Additional Information ---------------------- Timeline: 09/11/2009: Requested Point of Contact to Linksys 10/11/2009: Received Point of Contact 10/11/2009: Vulnerability details sent 11/12/2009: Received clarification request on firmware version 11/12/2009: Additional details sent 16/01/2010: Requested update on vulnerability status. ----------- No update received ----------- 26/05/2010: Vulnerability disclosed at CONFidence 2010 08/06/2010: This advisory Additional information available at http://www.icysilence.org