Sitecom N300 / N600 Access Bypass
Posted Aug 19, 2013
Authored by Roberto Paleari, Alessandro Di Pinto

Sitecom N300 and N600 devices suffer from multiple issues that allow for access bypass. These include an undocumented telnet service, weak WPA2 password generation, and hard-coded credentials.

tags | exploit, bypass
SHA-256 | 99804c0b7e1c70777811daae7e8627c0958d447242528aba044f1060b71f0b4d


Multiple vulnerabilities on Sitecom N300/N600 devices
=====================================================

[ADVISORY INFORMATION]
Title: Multiple vulnerabilities on Sitecom N300/N600 devices
Discovery date: 01/06/2013
Release date: 19/08/2013
Credits: Roberto Paleari (roberto.paleari@emaze.net, @rpaleari)
Alessandro Di Pinto (alessandro.dipinto@emaze.net, @adipinto)
Advisory URL: http://blog.emaze.net/2013/08/multiple-vulnerabilities-on-sitecom.html

[AFFECTED PRODUCTS]
We confirm the presence of the security vulnerabilities on the following
products/firmware versions:
* Sitecom WLM-3500 v2 001, firmware 1.07
* Sitecom WLM-5500 v1 001, firmware 1.15
Other device models and firmware versions are probably also vulnerable, but
they were not checked.

[VULNERABILITY DETAILS]
The firmware running on the affected devices is prone to multiple security
issues that allow attackers to bypass existing authentication mechanisms and
gain administrative access to the device, with root privileges.

In detail, affected firmware versions generate the default WPA2 key and access
credentials starting from publicly accessible information, such as the MAC
address of the Wi-Fi interface. In addition, there is an undocumented URL that
enables the Telnet service on the WAN side; attackers can then log in using a
hard-coded (and unchangeable) username/password combination.

Details about these vulnerabilities are given next.

a) WPA2/admin password generation algorithm

The WPA2 passphrase and the password for the administrative web user are
generated starting from the MAC address of the wireless interface
card. Attackers located near the device (i.e., within the Wi-Fi network
range) can calculate the default wireless password and access the device (if
the passphrase has not been changed by the user). A Python implementation
of the key generation algorithm is provided on the Emaze blog (see the initial
"Advisory information" section for the URL).

b) Undocumented Telnet service

Unauthenticated remote users can enable the Telnet server by accessing the
following (undocumented) URL:

http://<target-ip>/cgi-bin/telnetControl.cgi

This URL can also be accessed on the WAN side, allowing Internet-based
attackers to enable the Telnet server. After activation, the service remains
open until the next reboot. Additionally, due to the hard-coded credentials
shown in the next paragraph, attackers can easily log in to the Telnet daemon.

c) Hard-coded credentials

A user can log in to the Telnet service (with root privileges) using the
hard-coded credentials "admin:1234". This administrative account is hard-coded
and cannot be changed by a normal user.

[REMEDIATION]
Sitecom has promptly released updated firmware versions to address the Telnet
issue. Patched software images are now distributed to end-users through the
automatic firmware upgrade feature. The security patches have been included
inside the following firmware versions:
- WLM-3500v2001, v1.08
- WLM-5501v1001, v2.01

In addition, Sitecom confirmed that the algorithm for the generation of
WPA2/admin passphrases discussed in the present report is valid only for
WLM-3500 and WLM-5501 devices. New device models should not be affected by the
same issue.

[COPYRIGHT]
Copyright(c) Emaze Networks S.p.A 2013, All rights reserved worldwide.
Permission is hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers remain intact.

[DISCLAIMER]
Emaze Networks S.p.A is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service to the
professional security community. There are NO WARRANTIES with regard to this
information. Any application or distribution of this information constitutes
acceptance AS IS, at the user's own risk. This information is subject to change
without notice.