Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29273
HistoryApr 22, 2013 - 12:00 a.m.

Sitecom WLM-3500 backdoor accounts

2013-04-2200:00:00
vulners.com
98
JSON

Sitecom WLM-3500 backdoor accounts

[ADVISORY INFORMATION]
Title: Sitecom WLM-3500 backdoor accounts
Discovery date: 24/03/2013
Release date: 16/04/2013
Credits: Roberto Paleari ([email protected], @rpaleari)
Advisory URL: http://blog.emaze.net/2013/04/sitecom-wlm-3500-backdoor-accounts.html

[VULNERABILITY INFORMATION]
Class: Authentication bypass

[AFFECTED PRODUCTS]
We confirm the presence of the security vulnerability on the following
products/firmware versions:

  • Sitecom WLM-3500, firmware versions < 1.07

Other device models and firmware versions are probably also vulnerable, but
they were not checked.

[VULNERABILITY DETAILS]
Sitecom WLM-3500 routers contain an undocumented access backdoor that can be
abused to bypass existing authentication mechanisms.

More in detail, attackers can access the web interface of the affected devices
using two distinct hard-coded users:

Account 1

username: qwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyui
password: 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678

Account 2

username: user3
password: 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678

These hard-coded accounts are persistently stored inside the device firmware
image. Despite these users cannot access all the pages of the web interface,
they can still access page "/romfile.cfg", the (clear-text) configuration file
of the device that contains, among the other things, also the password for the
"admin" user; thus, escalating to administrative privileges is trivial.

To conclude, please consider that in order to reproduce this issue it is
required to leverage a web browser that supports 128-character long usernames
and passwords (e.g., some versions of IE truncate such a long user/password).

[REMEDIATION]
The device manufacturer has released an updated firmware version (v1.07) that
disables the hard-coded accounts.

[COPYRIGHT]
Copyright(c) Emaze Networks S.p.A 2013, All rights reserved worldwide.
Permission is hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers remain intact.

[DISCLAIMER]
Emaze Networks S.p.A is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service to the
professional security community. There are NO WARRANTIES with regard to this
information. Any application or distribution of this information constitutes
acceptance AS IS, at the user's own risk. This information is subject to change
without notice.

JSON