################################################################################
METADATA DETAILS

Title:
    ACSA-2015-001

CVE-2016-1555 - Command injection independently discovered by Chen et al.
    Original CVE-2016-1555 enumerates only a part of the whole set of affected products.

Timeline:
    03 Nov 2014 - [Researcher] discovery
    02 Dec 2015 - [Researcher] sends vendor notification at security@netgear.com, public disclosure set for 28 Dec 2015
    10 Dec 2015 - [Researcher] sends vendor notification at security@netgear.com with all the details and PoC, public disclosure set for 28 Dec 2015
    16 Dec 2015 - [Vendor] replies requesting "a standard 90-days grace period before public disclosure" and to fill "NETGEAR Product Vulnerability Reporting Submission Form.xlsx"
    17 Dec 2015 - [Researcher] replies with filled "ACSA-2015-001 - NETGEAR Product Vulnerability Reporting Submission Form.xlsx", agrees to 90-days grace period, asks vendor to create CVE numbers and notify/acknowledge the researcher
    12 Jan 2016 - [Researcher] follows up with the vendor on the status and CVE numbers
    04 Mar 2016 - [Researcher] reminds about 90-days grace period and public disclosure 31 Mar 2016
    17 Mar 2016 - Expires 90-days grace period
    31 Mar 2016 - [Researcher] proceeds to public disclosure

Author:
    Andrei Costin, "FIRMWARE.RE" project
    andrei@firmware.re
    Vulnerability discovered using "FIRMWARE.RE" platform/service

0. Vulnerability:
    a)  pre-auth Remote Command Execution/Injection (RCE/RCI), effectively gaining root (webserver user) on the device
    a*) "web non-admin" authenticated user Remote Command Execution/Injection (RCE/RCI), effectively gaining root (webserver user) on the device
    b)  pre-auth Cross-Site Scripting (XSS)
    b*) "web non-admin" authenticated user Cross-Site Scripting (XSS)

1. NetGear products
    WG102
    WG103
    *WN604
    *WNDAP350
    *WNDAP360
    *WNAP320
    *WNAP210
    *WNDAP660
    *WNDAP620
    **WNDAP380R
    **WNDAP380R(v2)
    **WN370
    **WND930

All these products, for the bulk of their firmware versions, are prone to "pre-auth command injection via vulnerable web interface module".

Product WG103 is affected by "pre-auth command injection via vulnerable web interface module" in *ALL* its current firmware versions, and has no known fix.

Products with (*) have fixes in the last 1-2 version(s), but the fix does not remove the core issue.
The last 1-2 version(s) are prone to "web non-admin authenticated user Remote Command Execution/Injection" and the issue can be triggered with any "web non-admin" authenticated user.
The "web admin" and "web non-admin" authenticated users can be exploited with XSS (in the same module(s) as the one affected by the RCE) to gain access to their cookie/session and then trigger the "command injection".
Firmware versions prior to the last 1-2 version(s) are prone to the original "pre-auth command injection via vulnerable web interface module", where no web user account is required to trigger the RCE and the XSS in the affected module(s).

Products with (**) are most likely affected too, but I could not verify them yet.

1.1 Is it for Home / Business / Service Provider, is it a Router, Wifi, Camera, Storage, etc
    Mainly Business/Pro devices of Router class.

2. What are the requirements to attack the affected products?
    Being able to ping the affected device and open its web interface (192.168.1.1 or 192.168.1.254)
    Being connected to the Ethernet or WiFi medium of the product, i.e.:
    - if WiFi requires WLAN authentication, must first WLAN-authenticate;
    - if WiFi is open or Ethernet LAN is accessible, then there are no other requirements than to be able to access the device web interface (192.168.0.1 or 192.168.1.254)

2.1 Since WWW/WAN is also exposed, does it mean that any device of this sort you can find using Shodan on the Internet can be attacked?
    Yes.
    https://www.shodan.io/search?query=title%3A%22Netgear%22+PHP

2.2 Does it need to be configured in some way?
    No.

2.3 Is the default (factory reset) version of the product affected?
    Yes, as far as I have analyzed.

2.4 Is there a configuration change that can make the product unaffected? (turning off UPnP for example?)
    No.
    Products with (*) have fixes in the last 1-2 version(s), but the fix does not remove the core issue.
    The last 1-2 version(s) are prone to "web non-admin authenticated user Remote Command Execution/Injection" and the issue can be triggered with any "web non-admin" authenticated user.
    The web admin and "web non-admin" users can be exploited with XSS to gain access to their cookie/session.

3. Regarding the "Pre Auth OS Command Injection" what are the requirements?
    - Being able to ping the affected device and open its web interface (192.168.1.1 or 192.168.1.254)

3.1 What commands can be injected?
    Any.

3.2 Can parameters to this command be provided?
    Yes.

3.3 Are there any restrictions on the command line "characters", for example you can only provide alpha numeric characters?
    No restrictions as far as I have tested and analyzed.

################################################################################
TECHNICAL DETAILS

The mentioned products ship with a set of vulnerable PHP scripts, namely:
    boardDataWW.php
    boardDataNA.php
    boardDataJP.php
    boardData102.php
    boardData103.php

The "boardData102.php" and "boardData103.php" are mainly shipped in WG103.
The other files ship with the other products in the list; the file "boardDataJP.php" is present only in the latest versions, though.

These scripts take a vulnerable input in the "macAddress" GET field and use it without sanitization.

***
a) In one case, these scripts use the "macAddress" input to prepopulate an input field, which results in XSS.

b) At the same time, these scripts use the "macAddress" to write some manufacturer data to the board, via an insecure call to PHP's "exec()" without properly sanitizing the input:

    exec("wr_mfg_data -m ".$_REQUEST['macAddress']." -c ".$_REQUEST['reginfo'],$dummy,$res);

which results in RCE.
***

Normally, the access to the vulnerable PHP scripts listed above is UNAUTHENTICATED.

The latest versions of firmware for products marked with (*) introduced the "session_check()" call to check for authenticated users.
However, they did not fix the root cause of these vulnerabilities, namely sanitization of the "macAddress" and "reginfo" parameters.
PHP's "echo" and "exec" are still called with UNSANITIZED inputs.
This can be abused by users without administrative privileges on the web interface (non-admin users) to execute code on the affected devices.
Also, the XSS vulnerability can be used on authenticated users of the device to steal their session token and then execute code via the RCE vulnerability.

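The root cause described above (request parameters concatenated into "exec()" and echoed into HTML) is addressed by validating both values against a strict format before use and encoding on output. The following is an added example, not NETGEAR's code and not part of the original advisory; the function names are hypothetical, and the accepted formats for "macAddress" (12 hex digits, optionally separated) and "reginfo" (a short decimal number) are assumptions based on the PoC values shown on this page.

```php
<?php
// Added example: not NETGEAR's code. Function names are hypothetical, and the
// accepted value formats are assumptions based on the PoC values on this page.
// array()/isset() style is used so it also runs on old PHP 5 builds.

// Vulnerable call quoted in the advisory, for comparison:
//   exec("wr_mfg_data -m ".$_REQUEST['macAddress']." -c ".$_REQUEST['reginfo'],$dummy,$res);

/** Return the MAC as 12 uppercase hex digits, or null if $raw is not a MAC. */
function normalize_mac($raw)
{
    if (!is_string($raw)) {
        return null; // e.g. macAddress[]=x arrives as an array
    }
    // \A and \z anchor the whole string; "$" would still accept a trailing "\n".
    $re = '/\A(?:[0-9A-Fa-f]{12}|[0-9A-Fa-f]{2}([:-])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4})\z/';
    if (!preg_match($re, $raw)) {
        return null;
    }
    return strtoupper(str_replace(array(':', '-'), '', $raw));
}

/** Return reginfo as an int, or null. Assumed format: 1 to 3 decimal digits. */
function normalize_reginfo($raw)
{
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,3}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Build the wr_mfg_data command line, or return null if any input is invalid. */
function build_wr_mfg_command(array $request)
{
    $mac = normalize_mac(isset($request['macAddress']) ? $request['macAddress'] : null);
    $reg = normalize_reginfo(isset($request['reginfo']) ? $request['reginfo'] : null);
    if ($mac === null || $reg === null) {
        return null;
    }
    // Validation already limits both values to [0-9A-F]; escapeshellarg() is a
    // second layer in case the allowlist is ever loosened.
    return 'wr_mfg_data -m ' . escapeshellarg($mac) . ' -c ' . escapeshellarg((string) $reg);
}

/** Prepopulate the form field with the raw value, HTML-encoded (XSS fix). */
function mac_input_field($raw)
{
    $value = is_string($raw) ? $raw : '';
    return '<input type="text" name="macAddress" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample requests (not captured traffic). A real handler would
// call exec($cmd, $dummy, $res) only when $cmd is not null.
$samples = array(
    array('macAddress' => '00:11:22:33:44:55',   'reginfo' => '0'),
    array('macAddress' => "001122334455\n",       'reginfo' => '0'),
    array('macAddress' => '001122334455 -c 0',    'reginfo' => '0'),
    array('macAddress' => array('001122334455'),  'reginfo' => '0'),
);
foreach ($samples as $request) {
    $cmd = build_wr_mfg_command($request);
    echo ($cmd === null ? 'rejected' : $cmd), "\n";
}
echo mac_input_field('"><b>not a mac</b>'), "\n";
```

Only the first sample produces a command; the other three are rejected before any shell is involved. The "session_check()" call added by the vendor controls who can reach the script, but it does not replace this validation.
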
################################################################################
POC DETAILS

http://NETGEAR-DEVICE-IP/boardDataNA.php?writeData=true&reginfo=0&macAddress=%20001122334455%20-c%200%20;cp%20/etc/passwd%20/tmp/cmdinjfirm-file-touch;%20echo%20#

http://NETGEAR-DEVICE-IP/boardDataNA.php?macAddress=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

################################################################################
WG103
Latest FW version: 2.0.37
pre-auth RCE

Kernel-space:
    Linux "2.6.23-WG103_V2.0.37 mod_unload R4X00 32BIT"

User-space:
    BusyBox 1.11.0 2011-07-05 10:46:01 IST

/bin
    addgroup busybox chgrp cp delgroup echo fgrep gunzip ip login mknod mount nice pipe_progress pwd sed stat tar umount vi adduser cat chmod date df egrep getopt gzip kill ls mktemp mountpoint pidof printenv rm sh su touch uname watch ash catv chown dd dmesg false grep hostname ln mkdir more mv ping ps rmdir sleep sync true usleep zcat

/usr/bin
    [ bddatard clear diff du flash_erase fuser ipcs less mkfifo passwd renice setsid sys_reset tftp unix2dos which xargs [[ bunzip2 cmp dirname dumpleases fold head killall logger nmeter pgrep reset sha1sum tail time uptime who yes ar bzcat crontab dos2unix env free hexdump killall5 logname nohup printf resize sort tee top watchdog whoami awk bzip2 cut dropbearconvert expr ftpget id last md5sum od printmd scp ssh telnet tty wc wifidog basename cksum dbclient dropbearkey find ftpput ipcrm length mesg panel_led readlink seq strings test uniq wget wr_mfg_data

/sbin
    arp halt ifrename insmod iwlist lighttpd lsmod poweroff route sulogin syslogd freeramdisk ifconfig ifup iwconfig iwpriv logread modprobe reboot runlevel switch_root udhcpc getty ifdown init iwevent klogd losetup pivot_root rmmod start-stop-daemon sysctl vconfig

/usr/local/bin
    80211debug destroy_secondary_ip firmware-upgrade-file ntpclient-wrapper set_timezone.sh timezone wpa_supplicant assign_static_ip dhcp firmware-upgrade-ftp hostapd_tr password snmp TZ.sh athdebug dns firmware-upgrade-stage2 http_redirect_tr php ssh udhcpc_wrapper awddebug dumpregs firmware-upgrade-tftp nmbd_tr restart-nmbd support-debug.sh urlValidate.php bridge_and_vlan_translator ethtool_tr firmware-upgrade-wget ntp restart-wifidog syslog verify-config.sh date.sh firmware-error-check hostapd ntpclient restore-configuration telnet wlanconfig

################################################################################
WN604
Latest FW version: 3.3.2
"web non-admin" user RCE

Kernel-space:
    Linux "2.6.15--LSDK-7.3.0.387-WN604_V3.3.2 MIPS32_R2 32BIT gcc-3.4"

User-space:
    BusyBox v1.11.0 (2015-06-26 14:38:15 IST)

/bin
    ash cat chown date dmesg egrep fgrep grep hostname kill login md mknod more mv pidof ps rm sed sleep sync touch umount vi busybox chmod cp dd echo false getopt gunzip ip ln ls mkdir mm mount nice ping pwd rmdir sh su tar true uname zcat

/usr/bin
    [ awk bunzip2 crontab dos2unix find fold ftpput id logger mkfifo passwd printmd seq tail test top uptime wget wr_mfg_data [[ basename bzcat cut env flashcp free fuser killall logname nohup pgrep readlink sort tee tftp tty watchdog which xargs arping bddatard cksum dirname expr flash_erase ftpget head length md5sum panel_led printf reset_detect strings telnet time unix2dos wc who yes

/sbin
    arp halt ifrename insmod iwevent iwpriv lighttpd lsmod poweroff rmmod start-stop-daemon syslogd vconfig getty ifconfig init iwconfig iwlist klogd logread pivot_root reboot route switch_root udhcpc

/usr/local/bin
    80211debug date.sh exr.sh hostapd_cli password sc_radio update_hostapd wpa_and_wpa2_psk art.sh db_enc firmware-error-check php set_radio_cron update_rfStatus wpa_supplicant assign_static_ip destroy_secondary_ip firmware-upgrade-file hostapd_tr set_timezone.sh update_wps_configured athdebug dhcp firmware-upgrade-stage2 nmbd_tr reset_hostapd.sh syslog urlValidate.php awddebug dns firmware-upgrade-tftp ntp restart-nmbd timezone validate-config-version.sh bridge_and_vlan_translator dumpregs firmware-upgrade-wget ntpclient restart-wifidog TZ.sh verify-config.sh client_bridge_tr dxr.sh hostapd ntpclient-wrapper restore-configuration udhcpc_wrapper wlanconfig

################################################################################
WNDAP350
Latest FW version: 3.0.0.7
"web non-admin" user RCE

Kernel-space:
    Linux "2.6.23-WNDAP350_V3.0.0.7 mod_unload MIPS32_R2 32BIT"

User-space:
    BusyBox v1.11.0 (2015-06-18 21:22:24 IST)

/bin
    addgroup busybox chgrp cp delgroup echo fgrep gunzip ip login mkdir mm mountpoint pidof printenv rm sh su touch uname watch adduser cat chmod date df egrep getopt gzip kill ls mknod more mv ping ps rmdir sleep sync true usleep zcat ash catv chown dd dmesg false grep hostname ln md mktemp mount nice pipe_progress pwd sed stat tar umount vi

/usr/bin
    [ blink_gpio cmp dos2unix find fold hexdump length nandwrite pgrep reset_detect sha1sum telnet unix2dos whoami [[ bringdown_vaps crontab dropbearconvert firmware_upgrade_led_blink free id less nmeter printf resize sort test uptime wifidog ar bunzip2 curl dropbearkey flashcp ftpget ipcrm logger nohup printmd scp ssh tftp watchdog wr_mfg_data arping bzcat cut du flash_erase ftpput ipcs logname od readlink seq strings time wc xargs awk bzip2 dbclient dumpleases flash_eraseall fuser killall md5sum openssl renice set_ipv6_addr tac top wget yes basename cksum diff env flash_lock fw_printenv killall5 mesg panel_led reset set_manuinfo tail tty which bddatard clear dirname expr flash_unlock head last mkfifo passwd reset_button setsid tee uniq who

/sbin
    arp getty ifconfig ifrename init iwconfig iwlist klogd logread lsmod pivot_root reboot route start-stop-daemon switch_root syslogd vconfig freeramdisk halt ifdown ifup insmod iwevent iwpriv lighttpd losetup modprobe poweroff rmmod runlevel sulogin sysctl udhcpc

/usr/local/bin
    80211debug date.sh dxr.sh hostapd_tr ntpdate qos_setdb_x snmp upmigration.sh art.sh db_enc exr.sh http_redirect_tr ntpdate-wrapper radartool ssh urlValidate.php assign_static_ip destroy_secondary_ip firmware-error-check led_amber pal.netgear reset_hostapd.sh support-debug.sh validate-config-version.sh assign_static_ipv6 dhcp firmware-upgrade-file led_green pal_translator restart-nmbd syslog verify-config.sh athdebug dibbler-client.sh firmware-upgrade-stage2 led_off password restart-wifidog sysmonitor.sh versions.sh awddebug dibbler-server.sh firmware-upgrade-tftp migration.sh php restore-configuration telnet wlanconfig bridge_and_vlan_translator dns firmware-upgrade-wget nmbd_tr pktCapture sc_radio timezone wpa_supplicant capture_app dump_config_logs_tr hostapd ntp prnt_wlan_buffs.sh set_radio_cron TZ.sh config_palcfg dumpregs ntpclient-wrapper qos_delete_qdiscs set_timezone.sh udhcpc_wrapper

################################################################################
WNDAP360
Latest FW version: 3.0.0.7
"web non-admin" user RCE

Kernel-space:
    Linux "2.6.23-WNDAP360_V3.0.0.7 mod_unload MIPS32_R2 32BIT"

User-space:
    BusyBox v1.11.0 (2015-06-18 21:19:26 IST)

/bin
    addgroup busybox chgrp cp delgroup echo fgrep gunzip ip login mkdir mm mountpoint pidof printenv rm sh su touch uname watch adduser cat chmod date df egrep getopt gzip kill ls mknod more mv ping ps rmdir sleep sync true usleep zcat ash catv chown dd dmesg false grep hostname ln md mktemp mount nice pipe_progress pwd sed stat tar umount vi

/usr/bin
    [ bunzip2 cut dumpleases flash_lock head length nmeter printmd seq tac tty who [[ bzcat dbclient env flash_unlock hexdump less nohup readlink set_ipv6_addr tail uniq whoami ar bzip2 diff expr fold id logger od renice set_manuinfo tee unix2dos wifidog awk cksum dirname find free ipcrm logname openssl reset setsid telnet uptime wr_mfg_data basename clear dos2unix firmware_upgrade_led_blink ftpget ipcs md5sum panel_led reset_button sha1sum test watchdog xargs bddatard cmp dropbearconvert flashcp ftpput killall mesg passwd reset_detect sort tftp wc yes blink_gpio crontab dropbearkey flash_erase fuser killall5 mkfifo pgrep resize ssh time wget bringdown_vaps curl du flash_eraseall fw_printenv last nandwrite printf scp strings top which

/sbin
    arp getty ifconfig ifrename init iwconfig iwlist klogd logread lsmod pivot_root reboot route start-stop-daemon switch_root syslogd vconfig freeramdisk halt ifdown ifup insmod iwevent iwpriv lighttpd losetup modprobe poweroff rmmod runlevel sulogin sysctl udhcpc

/usr/local/bin
    80211debug date.sh dxr.sh ntpclient-wrapper qos_delete_qdiscs set_timezone.sh udhcpc_wrapper art.sh db_enc exr.sh hostapd_tr ntpdate qos_setdb_x snmp upmigration.sh assign_static_ip destroy_secondary_ip firmware-error-check http_redirect_tr ntpdate-wrapper radartool ssh urlValidate.php assign_static_ipv6 dhcp firmware-upgrade-file led_amber pal.netgear reset_hostapd.sh support-debug.sh validate-config-version.sh athdebug dibbler-client.sh firmware-upgrade-ftp led_green pal_translator restart-nmbd syslog verify-config.sh awddebug dibbler-server.sh firmware-upgrade-stage2 led_off password restart-wifidog sysmonitor.sh versions.sh bridge_and_vlan_translator dns firmware-upgrade-tftp migration.sh php restore-configuration telnet wlanconfig capture_app dump_config_logs_tr firmware-upgrade-wget nmbd_tr pktCapture sc_radio timezone wpa_supplicant config_palcfg dumpregs hostapd ntp prnt_wlan_buffs.sh set_radio_cron TZ.sh

################################################################################
WNAP320
Latest FW version: 3.0.0.7
"web non-admin" user RCE

Kernel-space:
    Linux "2.6.23-WNAP320_V3.0.0.7 mod_unload MIPS32_R2 32BIT"

User-space:
    BusyBox v1.11.0 (2015-06-18 21:25:40 IST)

/bin
    addgroup busybox catv chown dd dmesg false grep hostname ln mkdir more mv ping ps rmdir sleep sync true usleep zcat adduser chgrp cp delgroup echo fgrep gunzip ip login mknod mount nice pipe_progress pwd sed stat tar umount vi ash cat chmod date df egrep getopt gzip kill ls mktemp mountpoint pidof printenv rm sh su touch uname watch

/usr/bin
    [ blink_gpio cmp dos2unix find fold hexdump length nandwrite pgrep reset_detect sha1sum telnet unix2dos whoami [[ bringdown_vaps crontab dropbearconvert firmware_upgrade_led_blink free id less nmeter printf resize sort test uptime wifidog ar bunzip2 curl dropbearkey flashcp ftpget ipcrm logger nohup printmd scp ssh tftp watchdog wr_mfg_data arping bzcat cut du flash_erase ftpput ipcs logname od readlink seq strings time wc xargs awk bzip2 dbclient dumpleases flash_eraseall fuser killall md5sum openssl renice set_ipv6_addr tac top wget yes basename cksum diff env flash_lock fw_printenv killall5 mesg panel_led reset set_manuinfo tail tty which bddatard clear dirname expr flash_unlock head last mkfifo passwd reset_button setsid tee uniq who

/sbin
    arp getty ifconfig ifrename init iwconfig iwlist klogd logread lsmod pivot_root reboot route start-stop-daemon switch_root syslogd vconfig freeramdisk halt ifdown ifup insmod iwevent iwpriv lighttpd losetup modprobe poweroff rmmod runlevel sulogin sysctl udhcpc

/usr/local/bin
    80211debug date.sh exr.sh http_redirect_tr pal.netgear restart-nmbd sysmonitor.sh wlanconfig art.sh db_enc firmware-error-check led_amber pal_translator restart-wifidog telnet wpa_supplicant assign_static_ip destroy_secondary_ip firmware-upgrade-file led_green password restore-configuration timezone assign_static_ipv6 dhcp firmware-upgrade-ftp led_off php sc_radio TZ.sh athdebug dibbler-client.sh firmware-upgrade-stage2 migration.sh pktCapture set_radio_cron udhcpc_wrapper awddebug dibbler-server.sh firmware-upgrade-tftp nmbd_tr prnt_wlan_buffs.sh set_timezone.sh upmigration.sh bridge_and_vlan_translator dns firmware-upgrade-wget ntp qos_delete_qdiscs snmp urlValidate.php capture_app dump_config_logs_tr hostapd ntpclient-wrapper qos_setdb_x ssh validate-config-version.sh client_bridge_tr dumpregs ntpdate radartool support-debug.sh verify-config.sh config_palcfg dxr.sh hostapd_tr ntpdate-wrapper reset_hostapd.sh syslog versions.sh

################################################################################
WNAP210
Latest FW version: 3.0.0.7
"web non-admin" user RCE

Kernel-space:
    Linux "2.6.23-WNAP210_V3.0.0.7 mod_unload MIPS32_R2 32BIT"

User-space:
    BusyBox v1.11.0 (2015-06-18 21:34:15 IST)

/bin
    addgroup busybox chgrp cp delgroup echo fgrep gunzip ip login mkdir mm mountpoint pidof printenv rm sh su touch uname watch adduser cat chmod date df egrep getopt gzip kill ls mknod more mv ping ps rmdir sleep sync true usleep zcat ash catv chown dd dmesg false grep hostname ln md mktemp mount nice pipe_progress pwd sed stat tar umount vi

/usr/bin
    [ blink_gpio cmp dos2unix find fold hexdump led-op mkfifo pgrep reset_detect sha1sum telnet unix2dos whoami [[ bringdown_vaps crontab dropbearconvert firmware_upgrade_led_blink free id length nandwrite printf resize sort test uptime wifidog ar bunzip2 curl dropbearkey flashcp ftpget ipcrm less nmeter printmd scp ssh tftp watchdog wr_mfg_data arping bzcat cut du flash_erase ftpput ipcs logger nohup readlink seq strings time wc xargs awk bzip2 dbclient dumpleases flash_eraseall fuser killall logname od renice set_ipv6_addr tac top wget yes basename cksum diff env flash_lock fw_printenv killall5 md5sum openssl reset set_manuinfo tail tty which bddatard clear dirname expr flash_unlock head last mesg passwd reset_button setsid tee uniq who

/sbin
    arp getty ifconfig ifrename init iwconfig iwlist klogd logread lsmod pivot_root reboot route start-stop-daemon switch_root syslogd vconfig freeramdisk halt ifdown ifup insmod iwevent iwpriv lighttpd losetup modprobe poweroff rmmod runlevel sulogin sysctl udhcpc

/usr/local/bin
    80211debug date.sh dxr.sh hostapd_tr ntpdate reset_hostapd.sh support-debug.sh validate-config-version.sh art.sh db_enc exr.sh http_redirect_tr ntpdate-wrapper restart-nmbd syslog verify-config.sh assign_static_ip destroy_secondary_ip firmware-error-check led_amber pal.netgear restart-wifidog sysmonitor.sh versions.sh assign_static_ipv6 dhcp firmware-upgrade-file led_green pal_translator restore-configuration telnet wlanconfig athdebug dibbler-client.sh firmware-upgrade-stage2 led_off password sc_radio timezone wpa_supplicant awddebug dibbler-server.sh firmware-upgrade-tftp migration.sh php set_radio_cron TZ.sh bridge_and_vlan_translator dns firmware-upgrade-wget nmbd_tr prnt_wlan_buffs.sh set_timezone.sh udhcpc_wrapper client_bridge_tr dump_config_logs_tr hostapd ntp qos_delete_qdiscs snmp upmigration.sh config_palcfg dumpregs ntpclient-wrapper qos_setdb_x ssh urlValidate.php

################################################################################
WNDAP620
Latest FW version: 2.0.8
"web non-admin" user RCE

Kernel-space:
    Linux "2.6.36.2-wndap660_620-WNDAP620_V2.0.8 mod_unload PowerPC/cisco4500 32BIT MSB"

User-space:

/bin
    addgroup busybox chgrp cp delgroup echo fgrep gunzip ip login mknod mount nice ping6 ps rmdir sleep sync true usleep zcat adduser cat chmod date df egrep getopt gzip kill ls mktemp mountpoint pidof pipe_progress pwd sed stat tar umount vi ash catv chown dd dmesg false grep hostname ln mkdir more mv ping printenv rm sh su touch uname watch

/usr/bin
    [ bunzip2 dbclient expr free ipcs mesg readlink setsid test wget [[ bzcat diff find ftpget killall mkfifo renice sha1sum tftp which ar bzip2 dirname firmware_upgrade_led_blink ftpput killall5 nandwrite reset sort time who arping cksum dos2unix flashcp fuser last nmeter reset_button ssh top whoami awk clear dropbearconvert flash_erase fw_printenv length nohup resize strings tty wifidog basename cmp dropbearkey flash_eraseall head less od passwd scp tac uniq wr_mfg_data bddatard c_rehash du flash_lock hexdump logger openssl pgrep seq tail unix2dos xargs blink_gpio crontab dumpleases flash_unlock id logname printf set_ipv6_addr tee uptime yes bringdown_vaps cut env fold ipcrm md5sum printmd set_manuinfo telnet wc

/sbin
    arp halt ifrename init iwevent klogd lldpd lsmod poweroff route sulogin syslogd freeramdisk ifconfig ifrename-compress-1 insmod iwlist lighttpd logread modprobe reboot runlevel switch_root udhcpc getty ifdown ifup iwconfig iwpriv lldpctl losetup pivot_root rmmod start-stop-daemon sysctl vconfig

/usr/local/bin
    assign_static_ip dibbler-client.sh exr.sh set_radio_cron assign_static_ipv6 dibbler-relay firmware-error-check libelf.def set_timezone.sh bridge_and_vlan_translator firmware-upgrade-file libelf.h pktCapture snmp capture_app dibbler_relay-DHCPRelay.o firmware-upgrade-ftp libelf.so poe_test ssh date.sh dibbler_relay-dibbler-relay.o firmware-upgrade-stage2 libelf.so.0 migration.sh prnt_wlan_buffs.sh syslog db_enc dibbler-requestor firmware-upgrade-tftp libelf.so.0.8.13 nmbd_tr qos_delete_qdiscs tc destroy_secondary_ip dibbler_requestor-Requestor.o firmware-upgrade-wget ntp qos_setdb_x telnet dhcp dibbler-server hostapd_tr ntpclient qos_translator timezone dibbler-client http_redirect_tr ntpclient-wrapper radvd TZ.sh dibbler_server-DHCPServer.o ipsd ntpdate reset_hostapd.sh udhcpc_wrapper dibbler_server-dibbler-server.o led_amber ntpdate-wrapper restart-nmbd urlValidate.php dibbler-server.sh led_green password restart-wifidog validate-config-version.sh dibbler_client-DHCPClient.o dns led_off mailsend php restore-configuration verify-config.sh dibbler_client-dibbler-client.o dxr.sh libelf.a sc_radio

################################################################################
WNDAP660
Latest FW version: 2.0.5
"web non-admin" user RCE

Kernel-space:
    Linux "2.6.36.2-wndap660_620-WNDAP660_V2.0.5 mod_unload PowerPC/cisco4500 32BIT MSB"

User-space:
    BusyBox v1.11.0 (2015-05-11 20:42:48 IST)

/bin
    addgroup busybox catv chown dd dmesg false grep hostname ln md mktemp mount nice ping6 ps rmdir sleep sync true usleep zcat adduser chgrp cp delgroup echo fgrep gunzip ip login mkdir mm mountpoint pidof pipe_progress pwd sed stat tar umount vi ash cat chmod date df egrep getopt gzip kill ls mknod more mv ping printenv rm sh su touch uname watch

/usr/bin
    [ bunzip2 dbclient expr free ipcs mesg readlink setsid test wget [[ bzcat diff find ftpget killall mkfifo renice sha1sum tftp which ar bzip2 dirname firmware_upgrade_led_blink ftpput killall5 nandwrite reset sort time who arping cksum dos2unix flashcp fuser last nmeter reset_button ssh top whoami awk clear dropbearconvert flash_erase fw_printenv length nohup resize strings tty wifidog basename cmp dropbearkey flash_eraseall head less od passwd scp tac uniq wr_mfg_data bddatard c_rehash du flash_lock hexdump logger openssl pgrep seq tail unix2dos xargs blink_gpio crontab dumpleases flash_unlock id logname printf set_ipv6_addr tee uptime yes bringdown_vaps cut env fold ipcrm md5sum printmd set_manuinfo telnet wc

/sbin
    arp halt ifrename init iwevent klogd lldpd lsmod poweroff route sulogin syslogd freeramdisk ifconfig insmod iwlist lighttpd logread modprobe reboot runlevel switch_root udhcpc getty ifdown ifup iwconfig iwpriv lldpctl losetup pivot_root rmmod start-stop-daemon sysctl vconfig

/usr/local/bin
    assign_static_ip dibbler_client-dibbler-client.o dxr.sh libelf.a sc_radio assign_static_ipv6 dibbler-client.sh exr.sh set_radio_cron bridge_and_vlan_translator dibbler-relay firmware-error-check libelf.def set_timezone.sh capture_app firmware-upgrade-file libelf.h pktCapture snmp config-chainmask.sh dibbler_relay-DHCPRelay.o firmware-upgrade-ftp libelf.so poe_test ssh date.sh dibbler_relay-dibbler-relay.o firmware-upgrade-stage2 libelf.so.0 migration.sh prnt_wlan_buffs.sh syslog db_enc dibbler-requestor firmware-upgrade-tftp libelf.so.0.8.13 nmbd_tr qos_delete_qdiscs tc destroy_secondary_ip dibbler_requestor-Requestor.o firmware-upgrade-wget ntp qos_setdb_x telnet dhcp dibbler-server hostapd_tr ntpclient qos_translator timezone dibbler-client http_redirect_tr ntpclient-wrapper radvd TZ.sh dibbler_server-DHCPServer.o ipsd ntpdate reset_hostapd.sh udhcpc_wrapper dibbler_server-dibbler-server.o led_amber ntpdate-wrapper restart-nmbd urlValidate.php dibbler-server.sh led_green password restart-wifidog validate-config-version.sh dibbler_client-DHCPClient.o dns led_off mailsend php restore-configuration verify-config.sh