Date: Thu Jun 8 17:22:39 2006
From: maxxess at gmail.com (Niklas)
Subject: Advisory - D-Link Access Point

This "flaw" also affects DWL-7100 (tested) and most likely DWL-7000 and
possibly other ap:s. D-Link has no fw updates since 1.5 yrs back for the
7100/7000-series. Time to get one out now...

/N

On 6/7/06, news <news@...urityopensource.org.br> wrote:
>
> INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
>
> http://www.intruders.com.br/
> http://www.intruders.org.br/
>
> ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap)
>
> PRIORITY: HIGH
>
>
> I - INTRUDERS:
> ----------------
>
> Intruders Tiger Team Security is a project entailed with
> Security Open Source (http://www.securityopensource.org.br).
>
> The Intruders Tiger Team Security (ITTS) is a group of researchers
> with more than 10 years of experience, specialized in the development
> of intrusion projects (Pen-Test) and in special security projects.
>
> All the projects of intrusion (Pen-Test) realized until the moment by
> the Intruders Tiger Team Security had 100% of success.
>
>
> II - INTRODUCTION:
> ------------------
>
> D-Link AirPlus XtremeG 2.4GHz Wireless Access Point, 54Mbps/108Mbps
> (802.11g):
>
> D-Link, the industry pioneer in wireless networking, introduces a
> performance breakthrough in wireless connectivity - D-Link AirPlus
> Xtreme GTM series of high-speed devices now capable of delivering
> transfer rates up to 15x faster than the standard 802.11b with the new
> D-Link 108G. With the new AirPlus Xtreme G DWL-2100AP Wireless Access
> Point, D-Link sets a new standard for wireless access points.
>
> D-Link DWL-2100ap is one of the most popular Access Point in the world.
>
>
> III - DESCRIPTION:
> ------------------
>
> Intruders Tiger Team Security identified during an intrusion project
> (Pen-Test) an unknown vulnerability in the Access Point D-Link
> DWL-2100ap, that allows an attacker to read device's configuration,
> without authentication with web server.
>
> Extremely sensible informations are available in the configuration of
> the Access Point D-Link DWL-2100ap, for example:
>
> - User and password used to manage the device.
> - Password used in WEP and WPA.
> - SSID, IP, subnet mask, MAC Address filters, etc.
>
>
> IV - ANALYSIS:
> ---------------
>
> Making a HTTP request to the /cgi-bin/ directory, the Web server will
> return error 404 (Page not found).
>
> Making a HTTP request to the /cgi-bin/AnyFile.htm, the Web server will
> return error 404 (Page not found).
>
> However, making a HTTP request to any file in /cgi-bin/ directory, with
> .cfg extension, will return all the device configuration.
>
> For example, making the following request:
>
> http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg
>
> We would have a result equivalent to the following:
>
> # Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
> # DO NOT EDIT -- This configuration file is automatically generated
> magic Ar52xxAP
> fwc: 34
> login admin
> DHCPServer
> Eth_Acl
> nameaddr
> domainsuffix
> IP_Addr 10.0.0.30
> IP_Mask 255.0.0.0
> Gateway_Addr 10.0.0.1
> RADIUSaddr
> RADIUSport 1812
> RADIUSsecret
> password IntrudersTest
> passphrase
> wlan1 passphrase AnewBadPassPhrase
> # Several lines removed.
>
> D-Link DWL-2100ap Access Point does not allow disable the Web server,
> not even has options to filter ports.
>
> We remember that the D-Link DWL-2100ap Access Point comes configured
> with default user / password (user:admin and no password).
>
>
> V. DETECTION:
> -------------
>
> Intruders Tiger Team Security confirmed the existence of this
> vulnerability in all firmwares tested, also the last version 2.10na.
>
> Possibly other(s) D-Link Access Point model(s) can be vulnerable also.
>
>
> VI. SUGGESTION:
> --------------
>
> D-Link company:
>
> 1 - Use strong cookies to guarantee that only authorized users will get
>     access to configuration.
>
> 2 - Store sensible configurations like password(s) using hash(s).
>
> 3 - Allow create firewall politics and rules to filters port(s) and
>     IP(s).
>
> 4 - Request to the user change the default user/password on the first
>     logon, and not allow change the password to the last one used.
>
> 5 - Use HTTP with SSL (HTTPS).
>
> 6 - Contracts specialized companies in Pen-Test and security audit,
>     aiming homologate the security of D-Link products.
>
> D-Link customers:
>
> 1 - Upgrade the firmware of D-Link DWL-2100ap Access Point.
>     Direct link to download is
>     http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfp
>
>
> VII - CHRONOLOGY:
> -----------------
>
> 11/02/2006 - Vulnerability discovered during a Pen-Test.
> 15/02/2006 - D-Link World Wide Team Contacted.
> 17/02/2006 - No response.
> 18/02/2006 - D-Link World Wide Team re-contacted.
> 24/02/2006 - No response.
> 25/02/2006 - D-Link World Wide Team last try of contact.
> 29/02/2006 - No response.
> 29/02/2006 - D-Link Brazil Team Contacted.
> 02/03/2006 - No response.
> 03/03/2006 - D-Link Brazil Team re-contacted.
> 06/03/2006 - D-Link Brazil Team responded.
> 09/03/2006 - Patch created.
> 14/03/2006 - Patch added to D-Link Brazil download site.
> 06/06/2006 - published advisory.
>
>
> VIII - CREDITS:
> ---------------
>
> Wendel Guglielmetti Henrique and Intruders Tiger Team Security had
> discovered this vulnerability.
>
> Gratefulness to Glaudson Ocampos (Intruders Tiger Team Security),
> Waldemar Nehgme, João Arquimedes (Security Open Source) and Ricardo N.
> Ferreira (Security Open Source).
>
> Visit our website:
>
> http://www.intruders.com.br/
> http://www.intruders.org.br/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
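
Added example, not part of the original post or the advisory: a log check for the request pattern the advisory describes (any file name ending in .cfg directly under /cgi-bin/), separating requests that were answered with content from requests that were refused. It assumes Common Log Format lines from a proxy or sensor in front of the access point's management interface; the sample lines, addresses and verdict names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def is_cfg_request(target):
    """True if the path is a .cfg file name directly under /cgi-bin/.

    The query string is ignored and the path is percent-decoded and
    lower-cased first, so /CGI-BIN/x%2Ecfg?a=1 is still recognised.
    """
    path = unquote(urlsplit(target).path).lower()
    return re.fullmatch(r"/cgi-bin/[^/]+\.cfg", path) is not None

def classify(line):
    """Return (source, verdict) for a relevant log line, else None."""
    m = CLF.match(line.strip())
    if not m or not is_cfg_request(m["target"]):
        return None
    size = 0 if m["size"] == "-" else int(m["size"])
    # 200 with a body means the device answered; anything else was refused.
    served = m["status"] == "200" and size > 0
    return m["src"], "CONFIG_SERVED" if served else "PROBE_ONLY"

def scan(lines):
    """Classify every line and keep only the relevant ones, in order."""
    return [r for r in map(classify, lines) if r is not None]

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE = [
    '192.0.2.10 - - [08/Jun/2006:17:01:02 +0000] "GET /cgi-bin/ HTTP/1.0" 404 120',
    '192.0.2.10 - - [08/Jun/2006:17:01:05 +0000] "GET /cgi-bin/AnyFile.htm HTTP/1.0" 404 120',
    '192.0.2.10 - - [08/Jun/2006:17:01:09 +0000] "GET /cgi-bin/Intruders.cfg HTTP/1.0" 200 4312',
    '198.51.100.7 - - [08/Jun/2006:17:03:40 +0000] "GET /cgi-bin/x%2Ecfg?a=1 HTTP/1.1" 404 120',
    '192.0.2.33 - - [08/Jun/2006:17:04:00 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE):
        print(f"{verdict:14} {src}")
```

A CONFIG_SERVED hit means the admin login, WEP/WPA passphrase and RADIUS secret listed in the advisory should be treated as disclosed and rotated after the firmware is updated.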