Vulnwatch mailing list archives

Previous By Date Next
Previous By Thread Next

Advisory - D-Link Access Point

From: news <news () securityopensource org br>
Date: Tue, 6 Jun 2006 22:09:46 -0300 (BRT)

 INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORYhttp://www.intruders.com.br/http://www.intruders.org.br/ADVISORY/0206 
- D-Link Wireless Access-Point (DWL-2100ap)PRIORITY: HIGHI - INTRUDERS:----------------Intruders Tiger Team Security is 
a project entailed with Security Open Source (http://www.securityopensource.org.br).The Intruders Tiger Team Security 
(ITTS) is a group of researchers with more than 10 years of experience, specialized in the development of intrusion 
projects (Pen-Test) and in special security projects.All the projects of intrusion (Pen-Test) realized until the moment 
by the Intruders Tiger Team Security had 100% of success.II - INTRODUCTION:------------------D-Link AirPlus XtremeG 
2.4GHz Wireless Access Point, 54Mbps/108Mbps (802.11g):D-Link, the industry pioneer in wireless networking, introduces 
a performance breakthrough in wireless connectivity – D-Link AirPlus Xtreme GTM series of high-speed devices now 
capable of delivering transfer rates up to 15x faster than the standard 802.11b with the new D-Link 108G. With the new 
AirPlus Xtreme G DWL-2100AP Wireless Access Point, D-Link sets a new standard for wireless access points.D-Link 
DWL-2100ap is one of the most popular Access Point in the world.III - DESCRIPTION:------------------Intruders Tiger 
Team Security identified during an intrusion project (Pen-Test) an unknown vulnerability in the Access Point D-Link 
DWL-2100ap, that allows an attacker to read device's configuration, without authentication with web server.Extremely 
sensible informations are avaible in the configuration of the Access Point D-Link DWL-2100ap, for example:- User and 
password used to manage the device.- Password used in WEP and WPA.- SSID, IP, subnet mask, MAC Address filters, etc.IV 
- ANALISYS:---------------Making a HTTP request to the /cgi-bin/ directory, the Web server will return error 404 (Page 
not found).Making a HTTP request to the /cgi-bin/AnyFile.htm, the Web server will return error 404 (Page not 
found).However, making a HTTP request to any file in /cgi-bin/ directory, with .cfg extension, will return all the 
device configuration.For example, making the following request:http://dlink-DWL-2100ap/cgi-bin/Intruders.cfgWe would 
have a result equivalent to the following:# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved# DO 
NOT EDIT -- This configuration file is automatically generatedmagic Ar52xxAPfwc: 34login adminDHCPServer Eth_Acl 
nameaddrdomainsuffix IP_Addr 10.0.0.30IP_Mask 255.0.0.0Gateway_Addr 10.0.0.1RADIUSaddr RADIUSport 1812RADIUSsecret 
password IntrudersTestpassphrase wlan1 passphrase AnewBadPassPhrase# Several lines removed.D-Link DWL-2100ap Access 
Point does not allow disable the Web server, not even has options to filter ports. We remember that the D-Link 
DWL-2100ap Access Point comes configured with default user /password (user:admin and no password).V. 
DETECTION:-------------Intruders Tiger Team Security confirmed the existence of this vulnerability in all firmwares 
tested, also the last version 2.10na. Possibly other(s) D-Link Access Point model(s) can be vulnerable also.VI. 
SUGESTION:--------------D-Link company:1 - Use strong cookies to guarantee that only authorized users will get access 
to configuration.2 - Store sensible configurations like password(s) using hash(s).3 - Allow create firewall politics 
and rules to filters port(s) and IP(s).4 - Request to the user change the default user/password on the first logon, and 
not allow     change the password to the last one used.5 - Use HTTP with SSL (HTTPS).6 - Contracts specialized 
companies in Pen-Test and security audit, aiming homologate the     security of D-Link products.D-Link customers:1 - 
Upgrade the firmware of D-Link DWL-2100ap Access Point.     Direct link to download is 
http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfpVII - 
CHRONOLOGY:-----------------11/02/2006 - Vulnerability discovered during a Pen-Test.15/02/2006 - D-Link World Wide Team 
Contacted.17/02/2006 - No response.18/02/2006 - D-Link World Wide Team re-contacted.24/02/2006 - No response.25/02/2006 
- D-Link World Wide Team last try of contact.29/02/2006 - No response.29/02/2006 - D-Link Brazil Team 
Contacted.02/03/2006 - No response.03/03/2006 - D-Link Brazil Team re-contacted.06/03/2006 - D-Link Brazil Team 
responsed.09/03/2006 - Patch created.14/03/2006 - Patch added to D-Link Brazil download site.06/06/2006 - published 
advisory.VIII - CREDITS:---------------Wendel Guglielmetti Henrique and Intruders Tiger Team Security had discovered 
this vulnerability.Gratefulness to Glaudson Ocampos (Intruders Tiger Team Security), Waldemar Nehgme, JoãoArquimedes 
(Security Open Source) and Ricardo N. Ferreira (Security Open Source).Visit our 
website:http://www.intruders.com.br/http://www.intruders.org.br/
Previous By Date Next
Previous By Thread Next

Current thread: