[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[VulnWatch] Advisory - D-Link Access Point

To: vulnwatch@xxxxxxxxxxxxx
Subject: [VulnWatch] Advisory - D-Link Access Point
From: news <news@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 6 Jun 2006 22:09:46 -0300 (BRT)

 INTRUDERS TIGER TEAM SECURITY - SECURITY 
ADVISORYhttp://www.intruders.com.br/http://www.intruders.org.br/ADVISORY/0206 - 
D-Link Wireless Access-Point (DWL-2100ap)PRIORITY: HIGHI - 
INTRUDERS:----------------Intruders Tiger Team Security is a project entailed 
with Security Open Source (http://www.securityopensource.org.br).The Intruders 
Tiger Team Security (ITTS) is a group of researchers with more than 10 years of 
experience, specialized in the development of intrusion projects (Pen-Test) and 
in special security projects.All the projects of intrusion (Pen-Test) realized 
until the moment by the Intruders Tiger Team Security had 100% of success.II - 
INTRODUCTION:------------------D-Link AirPlus XtremeG 2.4GHz Wireless Access 
Point, 54Mbps/108Mbps (802.11g):D-Link, the industry pioneer in wireless 
networking, introduces a performance breakthrough in wireless connectivity ? 
D-Link AirPlus Xtreme GTM series of high-speed devices now capable of 
delivering transfer rates up to 15x faster than the standard 802.11b with the 
new D-Link 108G. With the new AirPlus Xtreme G DWL-2100AP Wireless Access 
Point, D-Link sets a new standard for wireless access points.D-Link DWL-2100ap 
is one of the most popular Access Point in the world.III - 
DESCRIPTION:------------------Intruders Tiger Team Security identified during 
an intrusion project (Pen-Test) an unknown vulnerability in the Access Point 
D-Link DWL-2100ap, that allows an attacker to read device's configuration, 
without authentication with web server.Extremely sensible informations are 
avaible in the configuration of the Access Point D-Link DWL-2100ap, for 
example:- User and password used to manage the device.- Password used in WEP 
and WPA.- SSID, IP, subnet mask, MAC Address filters, etc.IV - 
ANALISYS:---------------Making a HTTP request to the /cgi-bin/ directory, the 
Web server will return error 404 (Page not found).Making a HTTP request to the 
/cgi-bin/AnyFile.htm, the Web server will return error 404 (Page not 
found).However, making a HTTP request to any file in /cgi-bin/ directory, with 
.cfg extension, will return all the device configuration.For example, making 
the following request:http://dlink-DWL-2100ap/cgi-bin/Intruders.cfgWe would 
have a result equivalent to the following:# Copyright (c) 2002 Atheros 
Communications, Inc., All Rights Reserved# DO NOT EDIT -- This configuration 
file is automatically generatedmagic Ar52xxAPfwc: 34login adminDHCPServer 
Eth_Acl nameaddrdomainsuffix IP_Addr 10.0.0.30IP_Mask 255.0.0.0Gateway_Addr 
10.0.0.1RADIUSaddr RADIUSport 1812RADIUSsecret password IntrudersTestpassphrase 
wlan1 passphrase AnewBadPassPhrase# Several lines removed.D-Link DWL-2100ap 
Access Point does not allow disable the Web server, not even has options to 
filter ports. We remember that the D-Link DWL-2100ap Access Point comes 
configured with default user /password (user:admin and no password).V. 
DETECTION:-------------Intruders Tiger Team Security confirmed the existence of 
this vulnerability in all firmwares tested, also the last version 2.10na. 
Possibly other(s) D-Link Access Point model(s) can be vulnerable also.VI. 
SUGESTION:--------------D-Link company:1 - Use strong cookies to guarantee that 
only authorized users will get access to configuration.2 - Store sensible 
configurations like password(s) using hash(s).3 - Allow create firewall 
politics and rules to filters port(s) and IP(s).4 - Request to the user change 
the default user/password on the first logon, and not allow     change the 
password to the last one used.5 - Use HTTP with SSL (HTTPS).6 - Contracts 
specialized companies in Pen-Test and security audit, aiming homologate the     
security of D-Link products.D-Link customers:1 - Upgrade the firmware of D-Link 
DWL-2100ap Access Point.     Direct link to download is 
http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfpVII
 - CHRONOLOGY:-----------------11/02/2006 - Vulnerability discovered during a 
Pen-Test.15/02/2006 - D-Link World Wide Team Contacted.17/02/2006 - No 
response.18/02/2006 - D-Link World Wide Team re-contacted.24/02/2006 - No 
response.25/02/2006 - D-Link World Wide Team last try of contact.29/02/2006 - 
No response.29/02/2006 - D-Link Brazil Team Contacted.02/03/2006 - No 
response.03/03/2006 - D-Link Brazil Team re-contacted.06/03/2006 - D-Link 
Brazil Team responsed.09/03/2006 - Patch created.14/03/2006 - Patch added to 
D-Link Brazil download site.06/06/2006 - published advisory.VIII - 
CREDITS:---------------Wendel Guglielmetti Henrique and Intruders Tiger Team 
Security had discovered this vulnerability.Gratefulness to Glaudson Ocampos 
(Intruders Tiger Team Security), Waldemar Nehgme, JoãoArquimedes (Security Open 
Source) and Ricardo N. Ferreira (Security Open Source).Visit our 
website:http://www.intruders.com.br/http://www.intruders.org.br/

Prev by Date: [VulnWatch] Corsaire Security Advisory - VMware ESX Server Cross Site Scripting issue
Next by Date: [VulnWatch] You tube html/javascript code injection
Previous by thread: [VulnWatch] Corsaire Security Advisory - VMware ESX Server Cross Site Scripting issue
Next by thread: [VulnWatch] You tube html/javascript code injection
Index(es):
- Date
- Thread