SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Device (Router/Bridge/Hub)  >   X-Micro Router Vendors:   X-Micro
(An Additional Backdoor Account is Reported) X-Micro WLAN 11b Broadband Router Has Built-in Backdoor Administrator Account
SecurityTracker Alert ID:  1009843
SecurityTracker URL:  http://securitytracker.com/id/1009843
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 17 2004
Impact:   User access via network
Exploit Included:  Yes  
Version(s): 1.2.2, 1.2.2.3, 1.2.2.4, 1.6.0.0, 1.6.0.1
Description:   A vulnerability was reported in the X-Micro WLAN 11b Broadband Router. A remote user can gain access to the administration interface.

Gergely Risko reported that the device contains a built-in username and password. A remote user can connect to the web interface and use these authentication credentials to gain administrative access. The report indicates that the account cannot be disabled.

In versions 1.2.2, 1.2.2.3, 1.2.2.4, and 1.6.0.0, the username and password is reported to be 'super'. In version 1.6.0.1, the username and password is reported to be '1502'.

By default, the web interface is reportedly enabled on all network interfaces.

The vendor has reportedly been notified.

Impact:   A remote user can gain administrative access on the target device.
Solution:   No solution was available at the time of this entry. The author of the report has provided an unofficial fix, available at:

http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.2/

Vendor URL:  www.x-micro.com/wlan-router.htm (Links to External Site)
Cause:   Configuration error

Message History:   This archive entry is a follow-up to the message listed below.
Apr 10 2004 X-Micro WLAN 11b Broadband Router Has Built-in Backdoor Administrator Account



 Source Message Contents

Subject:  [Full-Disclosure] NEW backdoor in X-Micro WLAN 11b Broadband Router


Backdoor in the X-Micro WLAN 11b Broadband Router
ALL VERSIONS ARE AFFECTED (1.6.0.1 too)
Previous bugreport's bugtraq id: 10095

FCC ID: RAFXWL-11BRRG
Firmware Version: 1.2.2, 1.2.2.3, 1.2.2.4, 1.6.0.0, 1.6.0.1
Remote: yes, easily expoitable
Type: administration password, which always works

The following username and password works in every case, even if you
set an other password on the web interface:
1.2.2, 1.2.2.3, 1.2.2.4, 1.6.0.0:
       Username: super
       Password: super

In 1.6.0.1:
       Username: 1502
       Password: 1502

Note: 1.2.2.4 is strictly identical to 1.2.2.3 (md5sum)

The webserver asks the username/password via HTTP auth headers.

By default the builtin webserver is listening on all network
interfaces (if connected to the internet, then it is accessible from
the internet too). Using the webinterface one can install new
firmware, download the old, view your password, etc., so he can:
 - make your board totally unusable, beyond repair
 - install viruses, trojans, sniffers, etc. in your router
 - get your password for your provider and maybe for your emails.

Possible fixes:
1. Set up portforwarding, and forward port 80, this way from the WAN
   interface an attack is impossible. But be aware, that anyone in your
   local LAN (possible over a wireless connection) can login to your
   router.

2. Upload a fixed firmware. I've made an unofficial (but fixed)
   one. You can download it from
   http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.2/
   This firmware is unofficial. NO WARRANTY.
   This firmware also fix other bugs, for a list see:
     http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.2/Changes
     (or below)
   The tool, which used to create the image also released under the
     GPL: http://xmicro.risko.hu/US8181-20040416.tar.gz
     DOCS: http://xmicro.risko.hu/

Optional cutie: 
  If you upload the webpages.bin from my xm-11brrg-0.2 directory, you
get a better topbar, with three nice penguins and a gnu! Screenshot at
http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.2/screenshot.png!

Intresting things:
  Since my last bugtraq mail, Mr. Griswolds from X-Micro contacted me,
and told that what I did, is hurting the intellectual property of
X-Micro. I think, they didn't realized yet, that the base OS and tools
of the router is stolen from GPL projects. More about this things will
be written in an open letter to X-Micro, since this is not the subject
of this list.

Gergely Risko

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC