[NEWS] Gateway 7001 Unregulated Functionality Access

Subject: [NEWS] Gateway 7001 Unregulated Functionality Access
Date: 8 Nov 2005 10:47:03 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Gateway 7001 Unregulated Functionality Access
------------------------------------------------------------------------


SUMMARY

The IEEE 802.11 family of standards defines the channels a device is 
allowed to operate on in specific geographic regions, in order to comply 
with each country's radio frequency usage regulations.

An input validation flaw in the Gateway 7001 allows anyone authenticated to 
the product to configure the device to use channels not regulated for 
802.11a/b/g use in their geographic region.

DETAILS

The web management interface for the Gateway 7001 A/B/G AP contains an 
input validation vulnerability that allows anyone authenticated with the 
device's built-in web server to configure the device to use channels not 
regulated for 802.11a/b/g use in their geographic region.

The potential impact is that a user could configure the device to operate 
outside the allocated bandwidth for 802.11 within their country, thus 
causing interference to other radio systems. In addition, the device will 
not be visible to other 802.11 devices operating in the area.

The IEEE 802.11 standards provide guidance on the channels that a device 
may operate on in order to comply with a country's radio frequency usage 
regulations. As is common on many access points, the Gateway 7001 A/B/G 
AP provides a web-based interface for configuring the device. This can be 
used to set the channel that the AP operates on.

The POST form in the web-management interface used to set the channel 
includes a form element called "RegulatoryDomain." Through experimentation 
it appears that this parameter affects input validation operations on the 
channel supplied in the request. For example, if the regulatory domain 
parameter is set to FCC, then the device's firmware will only change 
channels if the channel value in the request is from 1 to 11.  Anything 
outside this range, such as channel 13 (a European channel), will be 
rejected.

However, if the regulatory domain parameter is changed, then the firmware 
will allow the device's channel to be changed to any channel allowed in 
the specified domain. In other words, the validation rule set is chosen by 
the client rather than fixed by the device. This can cause the device to 
create interference with non-802.11 devices in the vicinity, and it allows 
devices to be configured to elude an 802.11 security walk-through by 
operating on frequencies that the detection equipment is incapable of 
monitoring.

In addition to POST requests, the web interface will accept the same 
parameters in the form of a GET request. The web-based management software 
for the Gateway 7001 A/B/G AP uses a request string of the following form 
to set configuration parameters:

http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=FCC&r1Channel=1&r2Mode=IEEE+802.11a&r2RegulatoryDomain=FCC&r2Channel=36&r1b1s1Ssid=NetChemLabs&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update

To change the frequencies of operation available, all that needs to be done 
is to change the RegulatoryDomain parameter. For instance, to operate on 
Japanese channels, the string "FCC" would be changed to "MKK". This allows 
the channel parameters corresponding to the 802.11b/g and 802.11a radios to 
be changed to channels such as 14 and 34 respectively, which the management 
software will apply to the underlying hardware:

http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=MKK&r1Channel=14&r2Mode=IEEE+802.11a&r2RegulatoryDomain=MKK&r2Channel=34&r1b1s1Ssid=NetChemLabs+&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update

It was also verified that European channels were settable when changing 
the RegulatoryDomain parameter to "ETSI". To verify that the device was 
indeed operating on non-FCC channels, dedicated 802.11 sensor hardware was 
used to monitor the device on the specified channels.
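The following is an added example (not the advisory's or the vendor's code) that models the validation logic described above in Python: the vulnerable check lets the request's RegulatoryDomain select the channel table, the hardened check validates only against the domain fixed at provisioning, and a small detector flags log URLs whose RegulatoryDomain differs from the provisioned one. The channel tables are a simplified illustration, and "FCC" as the provisioned domain is an assumption.

```python
"""Added example, not the advisory's or the vendor's code. It models the flaw: the
firmware validates the requested channel against the RegulatoryDomain value sent in
the same request, so the client chooses the rule set. Channel tables are illustrative."""
from urllib.parse import parse_qs, urlsplit
CHANNELS = {
    "FCC":  {"b/g": set(range(1, 12)), "a": {36, 40, 44, 48, 149, 153, 157, 161, 165}},
    "ETSI": {"b/g": set(range(1, 14)), "a": {36, 40, 44, 48, 52, 56, 60, 64}},
    "MKK":  {"b/g": set(range(1, 15)), "a": {34, 38, 42, 46}},
}
BANDS = (("r1", "b/g"), ("r2", "a"))  # radio 1 is 802.11b/g, radio 2 is 802.11a

# The advisory's FCC request string, and the MKK variant derived from it.
FCC_URL = ("http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=FCC"
           "&r1Channel=1&r2Mode=IEEE+802.11a&r2RegulatoryDomain=FCC&r2Channel=36"
           "&r1b1s1Ssid=NetChemLabs&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update")
MKK_URL = FCC_URL.replace("=FCC", "=MKK").replace("r1Channel=1&", "r1Channel=14&").replace("r2Channel=36", "r2Channel=34")

def parse_request(url):
    """Return {radio: (domain, channel)} from an index.cgi GET; non-numeric channels become None."""
    q = parse_qs(urlsplit(url).query)
    def field(name): return q.get(name, [None])[0]
    out = {}
    for radio, _ in BANDS:
        chan = field(radio + "Channel")
        out[radio] = (field(radio + "RegulatoryDomain"), int(chan) if chan and chan.isdigit() else None)
    return out

def vulnerable_apply(url):
    """Mirrors the flaw: the domain named in the request selects the validation table."""
    req, applied = parse_request(url), {}
    for radio, band in BANDS:
        domain, channel = req[radio]
        if domain in CHANNELS and channel in CHANNELS[domain][band]:
            applied[radio] = channel
    return applied

def hardened_apply(url, provisioned_domain="FCC"):  # assumed: domain fixed at provisioning
    """Fix: validate against the provisioned domain; the request's RegulatoryDomain is ignored."""
    req, applied = parse_request(url), {}
    for radio, band in BANDS:
        _, channel = req[radio]
        if channel in CHANNELS[provisioned_domain][band]:
            applied[radio] = channel
    return applied

def domain_mismatches(request_urls, provisioned_domain="FCC"):
    """Detection over web-server log URLs: requests naming a different RegulatoryDomain."""
    return [u for u in request_urls
            if {d for d, _ in parse_request(u).values() if d} - {provisioned_domain}]
```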

The Gateway 7001 A/B/G AP makes use of DeviceScape's Instant802 Wireless 
Infrastructure Platform for configuration and management. It is unknown 
at this time whether this issue affects other devices utilizing this 
software, because we have only tested the Gateway 7001 A/B/G AP at this 
point. Gateway also produces an 802.11b/g version of the Gateway 7001 AP; 
it is also unknown whether this model is affected.

It should be noted that Gateway does not provide a firmware upgrade for 
the affected AP.

Disclosure Timeline:
19.09.05 - Made contact with DeviceScape
20.09.05 - Received follow-up response from DeviceScape
21.09.05 - Made contact with Gateway Support: told someone would follow-up
26.09.05 - Contacted Gateway: No response received
28.09.05 - Contacted DeviceScape to confirm they had observed the issue: No response received
04.10.05 - Contacted Gateway: No response received
21.10.05 - Contacted DeviceScape: No response received
21.10.05 - Contacted Gateway: No response received


References:
Gateway 7001 A/B/G AP product support page:
http://support.gateway.com/s/Servers/COMPO/NETWORK/7005082/7005082nv.shtml
Instant802 WIP product page:
http://www.devicescape.com/products/wip_landing.php


ADDITIONAL INFORMATION

The information has been provided by Andrew Lockhart <alockhart@networkchemistry.com>.


