
Linksys WAP54Gv3 Remote Debug Root Shell

Posted Jun 9, 2010
Authored by Cristofaro Mune | Site icysilence.org

The Linksys WAP54Gv3 has a debug interface allowing for the execution of root privileged shell commands. Hardcoded credentials, that cannot be changed by user, can be used for accessing the debug interface.

tags | exploit, shell, root
SHA-256 | fdf38433a8997957918a85f42b989155a632e3f26c1a3e0c4b124196a974e81a

Security Advisory

IS-2010-002 - Linksys WAP54Gv3 Remote Debug Root Shell



Advisory Information
--------------------
Published:
2010-06-08

Updated:
2010-06-08

Manufacturer: Linksys
Model: WAP54G
Hardware version: v3.x
Firmware version: ver.3.05.03 (Europe)
                  ver.3.04.03 (US)



Vulnerability Details
---------------------
Class:
Remote Code Execution


Public References:
Not Assigned


Platform:
Successfully tested on Linksys WAP54Gv3 loaded with firmware version
ver.3.05.03 (Europe).
The vulnerability is also present on firmware ver.3.04.03 (US).
Other models and/or firmware versions may also be affected.


Background Information:
The Linksys WAP54G is a wireless access point that provides wireless
clients with connectivity to wired networks.
It supports the 802.11b and 802.11g protocols, with data rates up to
54 Mbit/s.


Summary:
A debug interface allowing for the execution of root privileged shell
commands is available on dedicated web pages on the device.
Hardcoded credentials, which cannot be changed by the user, can be used
for accessing the debug interface.


Details:
A web page that allows executing shell commands on the device is
available at the following URLs:

http://AP_IP_ADDR/Debug_command_page.asp
http://AP_IP_ADDR/debug.cgi

where AP_IP_ADDR is the IP address of the device.
Authentication is required in order to access the aforementioned URLs,
but the admin credentials configured for the administration interface
are not sufficient for a successful authentication.
The following credentials must be supplied in order to authenticate and
reach the debug web page, which can be used to submit shell commands via
a dedicated web form:

User: Gemtek
Password: gemtekswd

These credentials are hardcoded in the firmware and cannot be changed by
the user by any means available on the administration web interface.
They grant access only to the debug web pages specified above and cannot
be used to authenticate to the administration web interface.

Submitted commands are passed in the data1 form variable, sent via a
POST request to the web server, and executed with the privileges of the
httpd web server, which runs as root on the system, allowing for
complete remote control of the access point.
Two additional variables, data2 and data3, are processed by the web
server code but are not present in the form on the debug web page.
Command injection is also possible through the data2 and data3 payloads
by using typical shell command concatenation.
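The request pattern described above (the two debug URLs, the fixed debug account, the data1/data2/data3 variables and shell command concatenation) can be turned into a log-based detection. The following Python script is an added example, not part of the original advisory and not Linksys code. It assumes an HTTP access log in combined format with the POST body appended as a final quoted field (an assumption about the logging proxy or IDS in front of the device); the sample log lines and the device address 10.0.0.1 are constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Debug endpoints named in the advisory (compared case-insensitively, without query string).
DEBUG_PATHS = {"/debug_command_page.asp", "/debug.cgi"}
# Form variables the advisory says the server-side code executes.
DEBUG_PARAMS = {"data1", "data2", "data3"}
# Variables that are processed but absent from the debug form: their presence means a crafted request.
HIDDEN_PARAMS = {"data2", "data3"}
# Fixed debug account from the advisory; appears in the auth-user field of the access log.
HARDCODED_USER = "Gemtek"
# Shell concatenation metacharacters (command chaining, pipes, backticks, $(...)).
SHELL_META = re.compile(r"[;&|`\n]|\$\(")

# Combined log format plus one trailing quoted field holding the POST body (assumption).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<body>[^"]*)"$'
)

# Constructed sample traffic, not a capture from a real device.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2010:10:01:12 +0200] "GET /index.asp HTTP/1.1" 200 1532 "-" ""
10.0.0.5 - - [09/Jun/2010:10:02:40 +0200] "GET /Debug_command_page.asp HTTP/1.1" 401 0 "-" ""
10.0.0.5 - Gemtek [09/Jun/2010:10:02:41 +0200] "GET /Debug_command_page.asp HTTP/1.1" 200 812 "-" ""
10.0.0.5 - Gemtek [09/Jun/2010:10:02:55 +0200] "POST /debug.cgi HTTP/1.1" 200 410 "-" "data1=ls+%2Ftmp"
203.0.113.9 - Gemtek [09/Jun/2010:10:03:10 +0200] "POST /debug.cgi HTTP/1.1" 200 220 "http://evil.example/" "data2=x%3Bid"
"""


def analyze_line(line: str, ap_host: str) -> Optional[Dict]:
    """Return a finding for one access-log line, or None if it is not debug-interface traffic."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    raw_path = m["target"].split("?", 1)[0]
    if raw_path.lower() not in DEBUG_PATHS:
        return None

    reasons = ["request to debug endpoint " + raw_path]
    severity = "low"  # an unauthenticated probe (e.g. a 401) is still worth logging
    status = int(m["status"])

    if m["user"] == HARDCODED_USER and status == 200:
        reasons.append("authenticated as hardcoded debug account")
        severity = "medium"

    params = parse_qs(m["body"], keep_blank_values=True)
    submitted = DEBUG_PARAMS & set(params.keys())
    if m["method"] == "POST" and submitted:
        reasons.append("shell command submitted via " + ", ".join(sorted(submitted)))
        severity = "high"
        hidden = HIDDEN_PARAMS & submitted
        if hidden:
            reasons.append("non-form variable(s) used: " + ", ".join(sorted(hidden)))
        for name in sorted(submitted):
            if any(SHELL_META.search(value) for value in params[name]):
                reasons.append("shell concatenation metacharacter in " + name)

    # A Referer pointing off the device is consistent with the browser-reflected scenario.
    referer = m["referer"]
    ref_host = urlparse(referer).hostname if referer not in ("", "-") else None
    if ref_host and ref_host != ap_host:
        reasons.append("referer from foreign origin: " + referer)

    return {"src": m["src"], "ts": m["ts"], "severity": severity, "reasons": reasons}


def analyze_log(text: str, ap_host: str) -> List[Dict]:
    """Run analyze_line over every line of an access log and collect the findings."""
    findings = []
    for line in text.splitlines():
        finding = analyze_line(line, ap_host)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG, ap_host="10.0.0.1"):
        print(f"[{f['severity']}] {f['ts']} {f['src']}: " + "; ".join(f["reasons"]))
```

Any hit on the debug paths is a signal on its own, since nothing in normal administration touches them; the severity steps up when the fixed account is seen and again when a command variable is posted. Because data2 and data3 never appear in the device's own form, their presence alone identifies a hand-built request.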

Impacts:
Remote access to and modification of access point settings and configuration.
Remote extraction of sensitive information such as credentials for
logging into the administration interface, Wi-Fi SSIDs and passphrases.
Remote download and execution of malicious applications.
"Remote blind" attacks, where malicious web pages are used by an
attacker over the Internet to execute code on a victim access point with
private addressing, by leveraging a user's browser as a third-party
"reflector", may also be possible.
The effectiveness of the aforementioned attack scenarios is increased
by the hardcoded credentials.


Solutions & Workaround:
Not available



Additional Information
----------------------
Timeline:
09/11/2009: Requested Point of Contact to Linksys
10/11/2009: Received Point of Contact
10/11/2009: Vulnerability details sent
11/12/2009: Received clarification request on firmware version
11/12/2009: Additional details sent
16/01/2010: Requested update on vulnerability status
----------- No update received -----------
26/05/2010: Vulnerability disclosed at CONFidence 2010
08/06/2010: This advisory


Additional information available at http://www.icysilence.org
