[NEWS] Gateway 7001 Unregulated Functionality Access
From: SecuriTeam (support_at_securiteam.com)
Date: 11/08/05
To: list@securiteam.com Date: 8 Nov 2005 10:47:03 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Gateway 7001 Unregulated Functionality Access
------------------------------------------------------------------------
SUMMARY
The IEEE 802.11 family of standards defines the channels that a device is
allowed to operate on in specific geographic regions in order to comply
with each country's radio frequency usage regulations.
Input validation flaws in the Gateway 7001 allow anyone authenticated to
the product to configure the device to use channels not permitted for
802.11a/b/g use in their geographic region.
DETAILS
The web management interface for the Gateway 7001 A/B/G AP contains an
input validation vulnerability that allows anyone authenticated with the
device's built-in web server to configure the device to use channels not
regulated for 802.11a/b/g use in their geographic region.
The potential impact is that a user could configure the device to operate
outside the allocated bandwidth for 802.11 within their country, thus
causing interference to other radio systems. In addition, the device will
not be visible to other 802.11 devices operating in the area.
The IEEE 802.11 standards provide guidance on the channels that a device
may operate on in order to comply with a country's radio frequency usage
regulations. As is common on many access points, the Gateway 7001 A/B/G
AP provides a web based interface for configuring the device. This can be
used to set the channel that the AP operates on.
The POST form in the web-management interface used to set the channel
includes a form element called "RegulatoryDomain". Through experimentation
it appears that this parameter controls the input validation applied to the
channel supplied in the request. For example, if the regulatory domain
parameter is set to FCC, then the device's firmware will only change
channels if the channel value in the request is from 1 to 11. Anything
outside this range, such as channel 13 (a European channel), will be
rejected.
However, if the regulatory domain parameter is changed, then the firmware
will allow the device's channel to be changed to any channel allowed in
the specified domain. This can cause the device to create interference
with non-802.11 devices in the vicinity as well as allow devices to be
configured to elude 802.11 security walk-through by operating on
frequencies that the detection equipment is incapable of monitoring.
In addition to POST requests, the web interface will accept the same
parameters in the form of a GET request. The web-based management software
for the Gateway 7001 A/B/G AP uses a request string of the following form
to set configuration parameters:
http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=FCC&
r1Channel=1&r2Mode=IEEE+802.11a&r2RegulatoryDomain=FCC&r2Channel=36
&r1b1s1Ssid=NetChemLabs&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html
&Update=Update
(without linebreaks)
To change the set of frequencies available for operation, all that needs
to be done is to change the RegulatoryDomain parameter. For instance, to
operate on Japanese channels, the string "FCC" would be changed to "MKK".
This allows the channel parameters corresponding to the 802.11b/g and
802.11a radios to be changed to channels such as 14 and 34 respectively,
which the management software will apply to the underlying hardware:
http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=MKK
&r1Channel=14&r2Mode=IEEE+802.11a&r2RegulatoryDomain=MKK&r2Channel=34
&r1b1s1Ssid=NetChemLabs+&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html
&Update=Update
(without linebreaks)
It was also verified that European channels were settable when changing
the RegulatoryDomain parameter to "ETSI." To verify that the device is
indeed operating on non-FCC channels, special 802.11 sensor hardware was
used to monitor the device on the specified channels.
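The flaw described above is that the firmware validates the requested channel against a regulatory domain taken from the same request, so the client effectively chooses its own validation rules. The following added example (not code from the advisory, Gateway or DeviceScape) parses the request strings shown above and contrasts that check with a hardened one that validates against the domain fixed at provisioning time; the per-domain channel tables are an illustrative assumption, accurate only for the channels the advisory mentions.

```python
from urllib.parse import parse_qs, urlsplit

# Illustrative per-domain channel tables (assumption). Only the channels the
# advisory cites are guaranteed here: FCC b/g 1-11 with 13 rejected, MKK b/g 14
# and 802.11a 34, FCC 802.11a 36, ETSI b/g 13.
ALLOWED_CHANNELS = {
    "FCC":  {"IEEE 802.11g": set(range(1, 12)), "IEEE 802.11a": {36, 40, 44, 48}},
    "ETSI": {"IEEE 802.11g": set(range(1, 14)), "IEEE 802.11a": {36, 40, 44, 48}},
    "MKK":  {"IEEE 802.11g": set(range(1, 15)), "IEEE 802.11a": {34, 38, 42, 46}},
}

# Request strings taken from the advisory (the '+' decodes to a space).
FCC_REQUEST = ("http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=FCC&"
               "r1Channel=1&r2Mode=IEEE+802.11a&r2RegulatoryDomain=FCC&r2Channel=36"
               "&r1b1s1Ssid=NetChemLabs&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html"
               "&Update=Update")
MKK_REQUEST = ("http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=MKK"
               "&r1Channel=14&r2Mode=IEEE+802.11a&r2RegulatoryDomain=MKK&r2Channel=34"
               "&r1b1s1Ssid=NetChemLabs+&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html"
               "&Update=Update")


def radio_params(url, radio):
    """Return (mode, domain, channel) for radio 'r1' or 'r2' from a request URL."""
    qs = parse_qs(urlsplit(url).query)
    return (qs[f"{radio}Mode"][0],
            qs[f"{radio}RegulatoryDomain"][0],
            int(qs[f"{radio}Channel"][0]))


def vulnerable_check(url, radio):
    """Behaviour the advisory describes: the domain used for validation
    comes from the request itself, so any channel legal somewhere passes."""
    mode, domain, channel = radio_params(url, radio)
    return channel in ALLOWED_CHANNELS.get(domain, {}).get(mode, set())


def hardened_check(url, radio, provisioned_domain):
    """Ignore the client-supplied domain entirely: reject any attempt to
    change it and validate the channel against the provisioned domain only."""
    mode, domain, channel = radio_params(url, radio)
    if domain != provisioned_domain:
        return False
    return channel in ALLOWED_CHANNELS[provisioned_domain].get(mode, set())


if __name__ == "__main__":
    for radio in ("r1", "r2"):
        print(radio, "vulnerable:", vulnerable_check(MKK_REQUEST, radio),
              "hardened:", hardened_check(MKK_REQUEST, radio, "FCC"))
```

The same comparison (request domain versus provisioned domain) is a cheap web-log check for spotting configuration changes that stepped outside the device's intended regulatory domain.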
The Gateway 7001 A/B/G AP makes use of DeviceScape's Instant802 Wireless
Infrastructure Platform for configuration and management. It is unknown
at this time whether this issue affects other devices utilizing this
software, due to the fact that we have only tested the Gateway 7001 A/B/G
AP at this point. Gateway also produces an 802.11 b/g version of the
Gateway 7001 AP. It is also unknown whether this model is affected.
It should be noted that Gateway does not provide a firmware upgrade for
the affected AP.
Disclosure Timeline:
19.09.05 - Made contact with DeviceScape
20.09.05 - Received follow-up response from DeviceScape
21.09.05 - Made contact with Gateway Support: told someone would follow-up
26.09.05 - Contacted Gateway: No response received
28.09.05 - Contacted DeviceScape to confirm they had observed the issue: No response received
04.10.05 - Contacted Gateway: No response received
21.10.05 - Contacted DeviceScape: No response received
21.10.05 - Contacted Gateway: No response received
References:
Gateway 7001 A/B/G AP product support page:
http://support.gateway.com/s/Servers/COMPO/NETWORK/7005082/7005082nv.shtml
Instant802 WIP product page:
http://www.devicescape.com/products/wip_landing.php
ADDITIONAL INFORMATION
The information has been provided by Andrew Lockhart (alockhart@networkchemistry.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.