10.42.42.9: Created page with " Our WiFi access point was located at one end of the space, in the hacklab, and the workshop is all the way on the other side. Sure, we could easily just move the a..."

2011-10-01T23:24:28Z

Created page with " <noautolink> Our WiFi access point was located at one end of the space, in the hacklab, and the workshop is all the way on the other side. Sure, we could easily just move the a..."

New page

<noautolink>
Our WiFi access point was located at one end of the space, in the hacklab, and
the workshop is all the way on the other side. Sure, we could easily just move
the access point over, but if you can borrow an expensive dedicated access
point, why not try that one first? So, the new shiny metal box was mounted to the wall in a few minutes and the fun began.

It turns out the WNDAP350 from NETGEAR was really easy to configure. It has the
usual open-wifi-by-default design flaw, but that's quickly remedied using the
web interface. Apart from having two radios (2.4 GHz and 5 GHz) that can be
active simultaneously, the device is well endowed with software features,
ranging from RADIUS support to SSH. The wifi throughput is good, even at the other end of our space, so in terms of signal and bandwidth it easily outperforms the access point that we already had.

The SSH support works out of the box and is enabled by default. You can log in
as "admin" to get a configuration CLI or as "root" to get a BusyBox shell. The
password is whatever you configured, or "password" by default.

The device turns out to be a Linux box running on an Atheros chip. Its web
interface is powered by lighttpd and PHP. Obviously, I had to read the source
of those PHP files, and sure enough they were as crappy as I had expected.
Several parts of the code would not be out of place on a site like http://thedailywtf.com/. But when I
read downloadFile.php, my jaw just dropped. This is the single most insecure
Linux based device that I have encountered in the past few years.

The NETGEAR WNDAP350 is targeted at businesses and costs � 250. For that price
you get something that is utterly unsafe to use in your corporate environment,
or even your home network. The security hole is so extremely simple
to exploit that really anyone with even the slightest knowledge of PHP and
Linux could find it even without any help. It is for that reason that I don't
think I'm doing any more damage by publishing this information.

This product was clearly released without ANY security review. That's a
terrible shame because I am, in general, a big fan of their products and their
friendliness toward the open source community.

downloadFile.php lets you do exactly that: download a file. You can only choose
from a preset list of files, though. But that doesn't matter, as this list
includes /var/config, which contains the admin password and the WPA secrets in
clear text. And once you have the admin password, which is also the root
password, you can just get everything else from SSH.

downloadFile.php works even if you have no login cookie; it just doesn't check
whether you've logged in.

And in case one giant hole wasn't enough, NETGEAR added a second one just like
it: BackupConfig.php, which is practically the same, but will only let you
download /var/config. You know, the file that contains the passwords you need
to gain access to the rest of the system.

So just browsing to either http://192.168.0.237/downloadFile.php or
http://192.168.0.237/BackupConfig.php is enough to get the following:

(excerpt from /var/config)
<pre>
system:basicSettings:sysMacAddress 00-00-00-00-00-00
system:basicSettings:sysVersion 1.0
system:basicSettings:sysCountryRegion 528
system:basicSettings:adminName admin
system:basicSettings:adminPasswd ourpassword
system:basicSettings:dhcpClientStatus 0
system:basicSettings:ipAddr 192.168.0.237
system:basicSettings:netmaskAddr 255.255.255.0
(...)
system:vapSettings:vapSettingTable:wlan0:vap1:ssid revspace-workshop-2.4GHz-WPA
system:vapSettings:vapSettingTable:wlan0:vap1:hideNetworkName 0
system:vapSettings:vapSettingTable:wlan0:vap1:vlanID 1
system:vapSettings:vapSettingTable:wlan0:vap1:clientSeparation 0
system:vapSettings:vapSettingTable:wlan0:vap1:authenticationType 32
system:vapSettings:vapSettingTable:wlan0:vap1:encryption 4
system:vapSettings:vapSettingTable:wlan0:vap1:presharedKey ourpresharedkey
</pre>

The WNDAP350 came with firmware version 2.0.1. An upgrade to 2.0.9 is
available from the NETGEAR website. But alas, both PHP files are still present
and will still present the passwords to anyone who wants them.

Since the filesystem of the WNDAP350 is read only, you can't just remove the files and be done with it. One way to prevent web users from accessing your passwords is to log in as root and =killall lighttpd= to disable the web interface. It will be back when the thing reboots, though, so it doesn't help if the user can access the power plug, or trigger any circuit breaker (e.g. a fuse or a power switch) for it.

Oh, by the way, NETGEAR, if you're reading this: =accesslog.filename= doesn't work if you disable mod_accesslog. The warning from lighttpd is a dead giveaway:
<pre>
1999-12-31 16:39:18: (server.c.918) WARNING: unknown config-key: accesslog.filename (ignored)
</pre>

Hm, and why is /var/messages executable and setuid? It's a log file, and nonmalicious users typically never need to execute those...
<pre>
[root@netgear /var]# ls -l messages
-r-srw---- 1 root root 65224 Dec 31 17:05 messages*
</pre>
</noautolink>

NewsItem11x05x30x0 - Revision history

10.42.42.9: Created page with " Our WiFi access point was located at one end of the space, in the hacklab, and the workshop is all the way on the other side. Sure, we could easily just move the a..."