MediaLink MWN-WAPR300N Insecure Session

Posted May 24, 2016
Authored by David Spector

MediaLink router MWN-WAPR300N suffers from multiple session-related issues, such as the inability to log out and sessions that do not time out. Insecure transport is another issue.

tags | exploit
SHA-256 | d083f82d3886c34b608717c7e62cbdb88123448dd50ef58ccf95bfc5317898cc

*MediaLink router MWN-WAPR300N - Several Vulnerabilities*

The vulnerabilities reported here are for the firmware version currently
being shipped by Amazon.com. This is hardware version 2.0, firmware
version V5.07.51_en_MDL01. I have no knowledge of the behavior of
previous versions of this router. U.S. CERT/CC states that the
vulnerabilities I am reporting here have not previously been reported to
them.

*About*

The MediaLink wireless router is a product sold by Mediabridge Products,
a Chinese company with a U.S. office at 1951 Old Cuthbert Road, Suite
301, Cherry Hill, NJ 08034 (see www.mediabridgeproducts.com/contact/).
This is a low-cost (under $20) wireless router for home network use. The
router inputs the ethernet WAN output of a cable or other modem or WAN
source and outputs an Access Point LAN radio transceiver and four
ethernet LAN device connections. This router appears to work reliably in
my home in the N band on channel 8, connecting principally two computers
and two printers.

*Vulnerability Description*

Note: vulnerabilities described elsewhere, such as the usual
predefinition of "admin" and "admin" for the username and password for
logging into the router control panel web page, are not included in this
document. See CERT Coordination Center VU#630872 ("Mediabridge Medialink
Wireless-N Broadband Router MWN-WAPR300N contains multiple
vulnerabilities").

1. There is no Logout or Logoff button or
link on any page of the router control panel (accessed locally through
the browser). In fact, although it is possible to configure the router
with a management username and password, there is actually no way to log
out of the control panel once one is logged in. This vulnerability has
been confirmed by MediaLink technical support as follows:

"MAY 02, 2016 | 08:53AM EDT
*Tim* replied:
...You are correct that at this time, our latest router firmware does
not have a "Log Out Button". I will forward this to our engineers who
handle the firmware revisions for future reference.
Thanks,
Tim M
Mediabridge Products, LLC"

2. There is no timeout for the current login session. Once someone is
logged in, the control panel is freely available through the logged-in
session and browser at the LAN IP address for the control panel (by
default, 192.168.8.1).

MediaLink technical support comments, "It is true that there is not a
logout button in the interface. But closing the browser [or using a
different computer in the network] accomplishes the logout." However,
closing and reopening the Firefox browser (version 46.0.1) restores a
tab showing the control panel, with all controls and interfaces still
functional. This proves that no logout was done when the browser was closed.

The same effect happens when a tab containing the control panel is
closed, and then another tab containing the control panel is created.
The new control panel tab is still in a logged-in state.

However, the control panel is indeed logged-out when opened by a
different browser, such as Chrome or Internet Explorer, or from a
different computer on the LAN, as stated by Mediabridge.

3. The username and password to allow control panel administration and
configuration of the router are stored in cleartext in configuration
files exported by the control panel's Backup operation.

4. The router control panel uses HTTP access, not HTTPS, so WAN sniffing
can eavesdrop on control panel operations.

Respectfully submitted,

David Spector,
Springtime Software
Portland, Maine
www.springtimesoftware.com/contact.php
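Items 1 and 2 of the advisory come down to the server never invalidating a session. The sketch below is an added example, not part of the advisory and not the router's firmware: it shows server-side session handling with an idle timeout, an absolute timeout and an explicit logout. The class name, the timeout values and the assumption that the panel tracks logins with a session token are all illustrative.

```python
import secrets
import time

IDLE_TIMEOUT = 10 * 60        # assumed policy: 10 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: 8 hours maximum session age

class SessionStore:
    """Server-side session table: the server, not the browser, decides validity."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # token -> [created_at, last_seen]

    def login(self):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        now = self._clock()
        self._sessions[token] = [now, now]
        return token

    def validate(self, token):
        """Refresh the idle timer and return True, or expire the session and return False."""
        entry = self._sessions.get(token)
        if entry is None:
            return False
        now = self._clock()
        created, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT or now - created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return False
        entry[1] = now
        return True

    def logout(self, token):
        """Explicit logout: drop the session so a restored cookie is rejected."""
        return self._sessions.pop(token, None) is not None

def replay_after_browser_restart():
    """Constructed scenario: the same token is presented again after the browser restarts."""
    t = [0.0]  # constructed clock so the timeouts can be exercised offline
    store = SessionStore(clock=lambda: t[0])
    cookie = store.login()
    t[0] += 60                                # browser closed, reopened, token restored
    still_valid = store.validate(cookie)      # closing the browser changed nothing server-side
    store.logout(cookie)
    after_logout = store.validate(cookie)     # rejected once the server forgets the token
    cookie2 = store.login()
    t[0] += IDLE_TIMEOUT + 1
    after_idle = store.validate(cookie2)      # rejected after the idle window passes
    return still_valid, after_logout, after_idle
```

The first result is the behaviour the advisory observed with the restored Firefox tab; the second and third are what a logout control and a timeout would add.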


