D-Link DWL-900AP+ Security Hole

["Jason Tedesco" <jtedesco () request com au>]

Overview
---------
The DWL-900AP+ is a wireless access point manufactured by D-Link which is capable of speeds up to 22Mbps.

With the realese of a new the new v2.5 firmware for this device comes the latest realese of the D-Link AirPlus Access 
Point Manager.  With this tool you can upgrade the firmware of an access point without being prompted for a password.

Affected Services
------------------
Dlink V2.2 V2.3 or earlier

Impact
-------
After upgrading the firmware on the DWL-900AP+, the access point returns to factory default settings.  The outcomes of 
this are obvious.

Details
--------
You must have installed the D-Link AirPlus Access Point Manager program which is included in the v2.5 firmware update.  
Once the program is launched click on the firmware upgrade setting.  There are two panes on this window.  The bottom 
pane being "Aveliable AP".  I found these to be AP's running the v2.5 firmware.  The top pane "Upgrage AP" displays a 
list of access points which you can upgrade.  You simply highlight the one you wish to upgrade, you must then browse 
and find the firmware you want to upgrade and click the upgrade button.  It will not prompt you for any passwords and 
will simply tftp the new firmware onto the access point.  Once the firmware has been uploaded the access point resets 
and returns back to factory default settings.


Jason Tedesco
ICQ: 40573753