Date: Sat, 21 May 2016 09:48:07 -0400
From: David Spector <fulldisc@...ingtimesoftware.com>
To: fulldisclosure@...lists.org
Subject: [FD] MediaLink router MWN-WAPR300N - Several Vulnerabilities

*MediaLink router MWN-WAPR300N - Several Vulnerabilities*

The vulnerabilities reported here are for the firmware version currently 
being shipped by Amazon.com. This is hardware version 2.0, firmware 
version V5.07.51_en_MDL01 . I have no knowledge of the behavior of 
previous versions of this router. U.S. CERT/CC states that the 
vulnerabilities I am reporting here have not previously been reported to 
them.

*About*

The MediaLink wireless router is a product sold by Mediabridge Products, 
a Chinese company with a U.S. office at 1951 Old Cuthbert Road, Suite 
301, Cherry Hill, NJ 08034 (see www.mediabridgeproducts.com/contact/). 
This is a low-cost (under $20) wireless router for home network use. The 
router inputs the ethernet WAN output of a cable or other modem or WAN 
source and outputs an Access Point LAN radio transceiver and four 
ethernet LAN device connections. This router appears to work reliably in 
my home in the N band on channel 8, connecting principally two computers 
and two printers.

*Vulnerability Description*

Note: vulnerabilities described elsewhere, such as the usual 
predefinition of "admin" and "admin" for the username and password for 
logging into the router control panel web page, are not included in this 
document. See CERT Coordination Center VU#630872 ("Mediabridge Medialink 
Wireless-N Broadband Router MWN-WAPR300N contains multiple 
vulnerabilities").

1. This vulnerability is that there is no Logout or Logoff button or 
link on any page of the router control panel (accessed locally through 
the browser). In fact, although it is possible to configure the router 
with a management username and password, there is actually no way to log 
out of the control panel once one is logged in. This vulnerability has 
been confirmed by MediaLink technical support as follows:

"MAY 02, 2016  |  08:53AM EDT
*Tim* replied:
...You are correct that at this time, our latest router firmware does 
not have a "Log Out Button". I will forward this to our engineers who 
handle the firmware revisions for future reference.
Thanks,
Tim M
Mediabridge Products, LLC"

2. There is no timeout for the current login session. Once someone is 
logged in, the control panel is freely available through the logged-in 
session and browser at the LAN IP address for the control panel (by 
default, 192.168.8.1).

MediaLink technical support comments, "It is true that there is not a 
logout button in the interface. But closing the browser [or using a 
different computer in the network] accomplishes the logout." However, 
closing and reopening the Firefox browser (version 46.0.1) restores a 
tab showing the control panel, with all controls and interfaces still 
functional. This proves that no logout was done when the browser was closed.

The same effect happens when a tab containing the control panel is 
closed, and then another tab containing the control panel is created. 
The new control panel tab is still in a logged-in state.

However, the control panel is indeed logged-out when opened by a 
different browser, such as Chrome or Internet Explorer, or from a 
different computer on the LAN, as stated by Mediabridge.

3. The username and password to allow control panel administration and 
configuration of the router are stored in cleartext in configuration 
files exported by the control panel's Backup operation.

4. The router control panel uses HTTP access, not HTTPS, so WAN sniffing 
can eavesdrop on control panel operations.

Respectfully submitted,

David Spector,
Springtime Software
Portland, Maine
www.springtimesoftware.com/contact.php


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists