Date: Mon, 22 Jul 2013 08:50:00 -0400
From: kyle Lovett <krlovett@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: Full Disclosure - WD My Net N600, N750, N900, N900C - Plain Text Disclosure of Admin Credentials

Vulnerable Products -
WD My Net N600 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N750 HD Dual Band Router Wireless N WiFi Router Accelerate HD
Linux 2.6.3 Kernel
Firmware Ver. 1.03.xx 1.04.xx
Firmware unaffected Ver 1.01.xx

WD My Net N900 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N900 Central HD Dual Band Router 2TB Storage WiFi Wireless Router
Firmware Ver. 1.05.xx 1.06.xx
Version 1.07.16 released on 05/2013 does not have this bug
Firmware unaffected Ver. 1.01.xx 1.02.xx 1.03.xx

--------------------------------------------------------------------------------------------------------------

Vulnerabilities -
On the WD My Net N600, N750, N900 and N900C routers, administrative
credentials are stored in plain text and are easily accessible from a
remote location via port 8080 on the WAN side of the router.

On routers affected by the bug, the following command will display the
password value that sits openly in their PHP source code:

curl -s http://<IP>:8080/main_internet.php? -L | egrep -i 'var pass'

During initial setup, the page "main_internet.php" stores the admin
password in plain text as the value of "var pass". Port 8080 is shared
by the UPnP modules and by the WAN-side HTTP web service that remote
administrative access uses by default. The inherent difficulty of
writing code that fits the unique requirements of authentication-based
(administrative) tasks on the same port as privileged services (UPnP)
is quite apparent in the complexity with which each service is called
on these units. Indeed, several of the developers' comments inside the
code, as well as warnings to the end user in the admin GUIs, concern
this conflict and the risks involved.
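For administrators who want to confirm, on a device they own, that a firmware upgrade or the workarounds below actually removed the exposure, the following added example (not part of the original advisory) parses a response from main_internet.php for credential-bearing inline-JavaScript assignments and reports only whether a non-empty value is present, never the value itself. The variable names other than "pass", and the two sample responses, are constructed assumptions.

```python
import re
import urllib.request
from typing import List, Tuple

# Inline-JS variable names that would carry a credential. "pass" is the one the
# advisory quotes; the others are assumed extras for the same kind of leak.
CRED_VARS = ("password", "admin_pass", "pass", "pw")
ASSIGN_RE = re.compile(
    r'\bvar\s+(%s)\s*=\s*(["\'])(.*?)\2' % "|".join(CRED_VARS), re.IGNORECASE
)


def find_embedded_credentials(body: str) -> List[Tuple[str, int]]:
    """Return (variable name, value length) for each credential-looking
    assignment in the page source. The value is deliberately not returned,
    so results can be logged without copying the secret into the log."""
    return [(m.group(1), len(m.group(3))) for m in ASSIGN_RE.finditer(body)]


def is_exposed(status: int, body: str) -> bool:
    """Exposure means the page was served (HTTP 200, no login redirect) and
    at least one credential variable carries a non-empty value."""
    if status != 200:
        return False
    return any(length > 0 for _, length in find_embedded_credentials(body))


def check_own_router(host: str, port: int = 8080, timeout: float = 5.0) -> bool:
    """Live self-check against a device you administer: fetch the page the
    advisory names and report exposure as a boolean only."""
    url = f"http://{host}:{port}/main_internet.php"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return is_exposed(resp.status, resp.read().decode("utf-8", "replace"))
    except OSError:
        # Port closed or filtered: remote administration is not reachable,
        # which is the state the workarounds aim for.
        return False


# Constructed sample responses (not captured from a real device).
SAMPLE_AFFECTED = '<html><script>\nvar pass = "hunter2";\nvar hostname = "n750";\n</script></html>'
SAMPLE_FIXED = '<html><script>\nvar pass = "";\n</script><p>Please log in.</p></html>'

if __name__ == "__main__":
    print("affected sample exposed:", is_exposed(200, SAMPLE_AFFECTED))
    print("fixed sample exposed:", is_exposed(200, SAMPLE_FIXED))
```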

For example, one commented-out line concerning an API function states:
/* 80, 443 ports can not
use*//api/1.0/rest/device?owner=admin&pw=&name=" + hostname +
"&rest_method=PUT";

Again, in the code that starts certain features which call UPnP
services, the end user is warned:
"Conflict with Remote Management service HTTP port"+":
"+XG(XMLrm+"/web")+". "+"This may cause unpredictable problem. Are you
sure you want to override?"

In fact, when a call is made to change the password for the admin
user, or to authenticate a remote administrative user, a PHP or CGI
action calls one of several module services built into UPnP, in this
case DEVICE.ACCOUNT.

Ex: Changing the password for admin issues the following series of
commands:

/tools_admin.php --> /getcfg.php
(SERVICES=DEVICE.ACCOUNT%2CHTTP.WAN-1%2CALERTMSG) --> hedwig.cgi (which
posts the privileged <postxml> module for
<service>DEVICE.ACCOUNT</service>) --> /pigwidgeon.cgi
(ACTIONS=SETCFG%2CSAVE%2CACTIVATE) --> /getcfg.php (sets the new cookie
value and finalizes the action)

Conditions -
UPnP and remote administrative access must be enabled for the bug to
be activated.

-------------------------------------------------------------------------------------------------------------------

Vendor Timeline-
Western Digital has not returned any inquiries that have been made
regarding the bug.

Patches or Fixes -
On WD My Net N900 and N900C
It is advised that users upgrade to Firmware Version 1.07.16.

On WD My Net N600 and N750
If a restoration to Ver. 1.01.xx firmware is available, and remote
access via the internet is a required feature, it is advised to
contact vendor support for how best to proceed.

Mitigation and Workarounds for those who are not able to upgrade or
downgrade firmware -
Turn off all remote administrative access to the router
Disable UPnP services
Change the default username and password

--------------------------------------------------------------------------------------------------------------------

Note:
Critical vulnerabilities discovered in UPnP-enabled routers and other
devices that have visibility and access to the WAN have continued to
rise at a very rapid pace over the past year. At Defcon 19, Daniel
Garcia gave a talk about UPnP port mapping, the risks involved with
the unpredictable nature of UPnP stacks, and the danger that NAT
traversal could be a possible outcome.
http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf

Back in January of this year, HD Moore, a security researcher at
Rapid7, wrote a white paper on UPnP vulnerabilities, warning that
"around 40-50 million network-enabled devices are at risk", which he
explains includes "devices such as routers, printers, network-attached
storage (NAS), media players and smart TVs."
https://community.rapid7.com/docs/DOC-2150 In each of the device types
he mentions, we have seen exploitable vulnerabilities begin to surface,
and even in some not mentioned yet, such as DVRs and IP web cameras.

A few vendors have been able to sufficiently mitigate the risks of
UPnP/DLNA services co-existing with remote access capabilities in their
products; however, many have not. The list of home router or modem
models that are still vulnerable to a known bug, or that have needed
emergency patches to fix a vulnerability after release, has risen to
alarmingly high numbers. End users should be urged to check first with
their vendor and then with one of the various vulnerability databases,
such as OSVDB, which seems to have a very thorough listing, to see if
their model is one of those currently known to be affected.

Discovered - 07-02-2013
Research Contact - K Lovett
Affiliation - SUSnet
