The Linksys WAP54Gv3 has a debug interface allowing for the execution of root privileged shell commands. Hardcoded credentials, that cannot be changed by user, can be used for accessing the debug interface.
fdf38433a8997957918a85f42b989155a632e3f26c1a3e0c4b124196a974e81a
Security Advisory
IS-2010-002 - Linksys WAP54Gv3 Remote Debug Root Shell
Advisory Information
--------------------
Published:
2010-06-08
Updated:
2010-06-08
Manufacturer: Linksys
Model: WAP54G
Hardware version: v3.x
Firmware version: ver.3.05.03 (Europe)
ver.3.04.03
Vulnerability Details
---------------------
Class:
Remote Code Execution
Public References:
Not Assigned
Platform:
Succesfully tested on Linksys WAP54Gv3 loaded with firmware version
Ver.3.05.03 (Europe)
Vulnerability present also on firmware ver.3.04.03 (US)
Other models and/or firmware versions may be also affected.
Background Information:
Linksys WAP54G is a wireless access points that allow wireless clients
connectivity to wired networks.
Supported 802.11b and 802.11g protocols, with data rates up to 54Mbit/s.
Summary:
A debug interface allowing for the execution of root privileged shell
commands is available on dedicated web pages on the device.
Hardcoded credentials, that cannot be changed by user, can be used for
accessing the debug interface.
Details:
A web page that allows executing shell commands on device is available
at the following URLs:
http://AP_IP_ADDR/Debug_command_page.asp
http://AP_IP_ADDR/debug.cgi
where AP_IP_ADDR is the IP address of the device.
Authentication is required in order to access the aforementioned URLS,
but the configured admin credentials used for accessing the
administration interface, will not be sufficient for a successful
authentication.
The following credentials must be supplied in order to be authenticated:
User: Gemtek
Password: gemtekswd
and access a debug web page that can be used for submitting shell
commands via a dedicated web form.
Such credentials are hardcoded in the firmware and cannot be changed by
user by any means available on the administration web interface.
They can be used for accessing only the debug web pages specified above,
and cannot be used for authenticating to the administration web interface.
Submitted commands are included within data1 form variable, sent via a
POST request to the web server, and executed with the httpd web server
privileges, that is running with root privileges on the system, allowing
for complete remote control of the access point.
Two additional variables, data2 and data3 are processed by web server
code, but are not present in the form on the debug web page.
Command injection is also possible in data2 and data3 payload by using
typical shell commands concatenation.
Impacts:
Remote access and modifications to access point settings and configuration.
Remote extraction of sensitive information such as credentials for
logging into the administration interface, Wi-FI SSIDs and passphrases.
Remote download and execution of malicious applications.
"Remote blind" attacks, where malicious web pages are used by an
attacker over the Internet to execute code on a victim access point with
private addressing, by leveraging an user browser as a 3rd party
"reflector", may be also possible.
Effectiveness of the aforementioned attack scenarios is increased
because of the hardcoded credentials.
Solutions & Workaround:
Not available
Additional Information
----------------------
Timeline:
09/11/2009: Requested Point of Contact to Linksys
10/11/2009: Received Point of Contact
10/11/2009: Vulnerability details sent
11/12/2009: Received clarification request on firmware version
11/12/2009: Additional details sent
16/01/2010: Requested update on vulnerability status.
----------- No update received -----------
26/05/2010: Vulnerability disclosed at CONFidence 2010
08/06/2010: This advisory
Additional information available at http://www.icysilence.org