Title: Sitecom WLM-3500 backdoor accounts
Discovery date: 24/03/2013
Release date: 16/04/2013
Credits: Roberto Paleari, Emaze Networks S.p.A (@rpaleari)
Vulnerability Information
Class: Authentication bypass
Affected Products
We confirm the presence of the security vulnerability on the following products/firmware versions:
- Sitecom WLM-3500, firmware versions < 1.07
Vulnerability Details
Sitecom WLM-3500 routers contain an undocumented access backdoor that can be abused to bypass existing authentication mechanisms.
More in detail, attackers can access the web interface of the affected devices
using two distinct hard-coded users:
Account 1
username: qwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyui
password: 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678
Account 2
username: user3
password: 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678
These hard-coded accounts are persistently stored inside the device firmware image. Despite these users cannot access all the pages of the web interface, they can still access page "/romfile.cfg", the (clear-text) configuration file of the device that contains, among the other things, also the password for the "admin" user; thus, escalating to administrative privileges is trivial.
To conclude, please consider that in order to reproduce this issue it is required to leverage a web browser that supports 128-character long usernames and passwords (e.g., some versions of IE truncate such a long user/password).
More in detail, attackers can access the web interface of the affected devices
using two distinct hard-coded users:
Account 1
username: qwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyui
password: 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678
Account 2
username: user3
password: 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678
These hard-coded accounts are persistently stored inside the device firmware image. Despite these users cannot access all the pages of the web interface, they can still access page "/romfile.cfg", the (clear-text) configuration file of the device that contains, among the other things, also the password for the "admin" user; thus, escalating to administrative privileges is trivial.
To conclude, please consider that in order to reproduce this issue it is required to leverage a web browser that supports 128-character long usernames and passwords (e.g., some versions of IE truncate such a long user/password).
Remediation
The device manufacturer has released an updated firmware version (v1.07) that disables the hard-coded accounts.
Copyright
Copyright(c)
Emaze Networks S.p.A. 2013, All rights reserved worldwide. Permission
is hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers remain
intact.
Emaze
Networks S.p.A. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service to
the professional security community. There are NO WARRANTIES with regard
to this information. Any application or distribution of this
information constitutes acceptance AS IS, at the user's own risk. This
information is subject to change without notice.