26 May, 2014

Amped Wireless AP600EX / SR600EX Backdoor

Today I purchased an Indoor / Outdoor WiFi Range Extender.  It's a re-branded Amped Wireless SR600EX which I picked up brand new for AUD $39.99 (bargain!!)

These devices run Linux, have 4MB SPI flash and 16MB of RAM.  Mine came branded as "Bauhn", which is one of the Aldi brands.  I re-flashed it with the original Amped Wireless firmware, and even though it was released back in 2012, the Amped Wireless firmware seems to work better than the Bauhn-branded firmware.  The features are the same and the layout is almost identical.  It's just a rebranded product.

I opened up the SR600EX and connected a serial console to it.  While looking through the contents of the filesystem, I came across some suspicious looking text in the contents of the flash.  Sure enough, it was a backdoor username and password which allows you to login to the web interface as an admin.

Username: super
Password: super
Firmware version of affected device: 1.2f.05

If you've set your own custom username and password like I have, the credentials above will still let you login as an admin.

I also tried changing the username/password using "super" as the username and a different password. This was rejected by the firmware with the message: "ERROR: Cannot use same user name as supervisor.", so it appears that not only is there a backdoor, but you can't easily change its password either.

Manufacturers should have learnt long ago that backdoors in network hardware are not acceptable, and that they are often discovered and made public anyway.  Oops, it's just happened again ;)

I should make it clear that this backdoor was in the original firmware that came with the range extender, but continued working once the unit was flashed with the official Amped Wireless SR600EX firmware (v1.2f.05).

To be thorough, I cross-flashed my SR600EX with the AP600EX firmware, turning my range extender into an Access Point.  The same backdoor also works with the AP600EX firmware (version 1.2f.04).

All tested firmwares were the latest versions available from the Amped Wireless website.

Remote Command Execution (as root):

I've just discovered how you can run Linux commands on these devices via the web interface.  It works fairly well, but just note that these devices don't have the 'ls' command available, so if you want to see a directory listing, you need to run "echo *" or "echo /*" or "echo /bin/*" for instance.

To access the remote command execution feature, you can use the following URL:

http://x.x.x.x/syscmd.asp

Replace the x.x.x.x with the IP address of your device.

Example Usage:

This was tested on the SR600EX.  It will probably work on the AP600EX as well.

Alternative Web Interface:

http://x.x.x.x/oemhome.asp
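A defender-side check for the two pages above and the "super" account, added here as an example that is not part of the original post. It parses web access-log lines in Apache/nginx combined format (assumed to come from a proxy or a NIDS HTTP log in front of the device, since the extender itself is not known to keep such logs) and flags requests to syscmd.asp or oemhome.asp, in any letter case and with or without a query string, plus any request authenticated as "super". The sample log lines and the `arg=placeholder` query string are constructed.

```python
import re
from urllib.parse import urlsplit

# Pages named in the post: the command-execution page and the alternative UI.
BACKDOOR_PATHS = {"/syscmd.asp", "/oemhome.asp"}
BACKDOOR_USER = "super"   # the undocumented admin account from the post

# Combined-format access log line (assumed to come from a proxy or NIDS in front
# of the device): ip ident authuser [time] "METHOD target proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def indicators(rec):
    """List the backdoor indicators present in one parsed record ([] if clean)."""
    hits = []
    # Strip the query string and lower-case the path so "/SYSCMD.ASP?x" still matches.
    path = urlsplit(rec["target"]).path.lower()
    if path in BACKDOOR_PATHS:
        hits.append("backdoor-page:" + path)
    # Any use of the "super" account is suspicious, whatever page it touched.
    if rec["user"].lower() == BACKDOOR_USER:
        hits.append("backdoor-user")
    return hits

def scan(log_text):
    """Return (ip, time, target, indicators) for every flagged line in log_text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and (hits := indicators(rec)):
            findings.append((rec["ip"], rec["time"], rec["target"], hits))
    return findings

# Constructed sample log; "arg=placeholder" is invented, the real parameter
# names of syscmd.asp are not documented in the post.
SAMPLE_LOG = """\
192.168.1.20 - - [26/May/2014:10:01:02 +1000] "GET /index.asp HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.1.55 - super [26/May/2014:10:02:17 +1000] "GET /syscmd.asp HTTP/1.1" 200 812 "-" "curl/7.30"
192.168.1.55 - - [26/May/2014:10:02:40 +1000] "GET /SYSCMD.ASP?arg=placeholder HTTP/1.1" 200 2210 "-" "curl/7.30"
192.168.1.77 - admin [26/May/2014:10:05:00 +1000] "GET /oemhome.asp HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.168.1.20 - admin [26/May/2014:10:06:00 +1000] "GET /status.asp HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
"""
```

Running `scan(SAMPLE_LOG)` flags the second, third and fourth lines; a hit on either page or on the "super" account from an address you do not recognise is worth treating as a compromised extender.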

Screenshot:

2 comments:

  1. I have the SR600EX and want to cross-flash it with the AP600EX firmware. Is this a straightforward upgrade or does it require a special approach/technique? Tx!

    1. Hi Patrick,

      From memory it was a simple cross-flash through the web interface. This may or may not still be the case with later firmware releases.

      Regards,
      Rob.

