Message-ID: <f9dabe220606080922l1937bfb5u3505526d954d5a68@mail.gmail.com>
Date: Thu Jun  8 17:22:39 2006
From: maxxess at gmail.com (Niklas)
Subject: Advisory - D-Link Access Point

This "flaw" also affects DWL-7100 (tested) and most likely DWL-7000 and
possibly other ap:s. D-Link has no fw updates since 1.5 yrs back for the
7100/7000-series. Time to get one out now...

/N


On 6/7/06, news <news@...urityopensource.org.br> wrote:
>
>
> INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
>
> http://www.intruders.com.br/
> http://www.intruders.org.br/
>
>
> ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap)
>
>
> PRIORITY: HIGH
>
>
> I - INTRUDERS:
> ----------------
>
>
>
> Intruders Tiger Team Security is a project entailed with
> Security Open Source (http://www.securityopensource.org.br).
>
> The Intruders Tiger Team Security (ITTS) is a group of researchers
> with more than 10 years of experience, specialized in the development
> of intrusion projects (Pen-Test) and in special security projects.
>
>
> All the projects of intrusion (Pen-Test) realized until the moment by
> the Intruders Tiger Team Security had 100% of success.
>
>
> II - INTRODUCTION:
> ------------------
>
>
>
> D-Link AirPlus XtremeG 2.4GHz Wireless Access Point, 54Mbps/108Mbps (802.11g):
>
> D-Link, the industry pioneer in wireless networking, introduces a performance
> breakthrough in wireless connectivity - D-Link AirPlus Xtreme G™ series of
> high-speed devices now capable of delivering transfer rates up to 15x faster
> than the standard 802.11b with the new D-Link 108G. With the new AirPlus Xtreme
> G DWL-2100AP Wireless Access Point, D-Link sets a new standard for wireless
> access points.
>
> D-Link DWL-2100ap is one of the most popular Access Points in the world.
>
>
> III - DESCRIPTION:
> ------------------
>
>
>
> Intruders Tiger Team Security identified during an intrusion project (Pen-Test)
> an unknown vulnerability in the Access Point D-Link DWL-2100ap, that allows an
> attacker to read the device's configuration without authenticating to the web
> server.
>
> Extremely sensitive information is available in the configuration of the Access
> Point D-Link DWL-2100ap, for example:
>
> - User and password used to manage the device.
> - Password used in WEP and WPA.
> - SSID, IP, subnet mask, MAC Address filters, etc.
>
>
> IV - ANALYSIS:
> --------------
>
>
>
> Making an HTTP request to the /cgi-bin/ directory, the Web server will
> return error 404 (Page not found).
>
> Making an HTTP request to /cgi-bin/AnyFile.htm, the Web server will
> return error 404 (Page not found).
>
> However, making an HTTP request to any file in the /cgi-bin/ directory with a
> .cfg extension will return all the device configuration.
>
>
> For example, making the following request:
>
> http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg
>
> We would have a result equivalent to the following:
>
> # Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
> # DO NOT EDIT -- This configuration file is automatically generated
> magic Ar52xxAP
> fwc: 34
> login admin
> DHCPServer
> Eth_Acl
> nameaddr
> domainsuffix
> IP_Addr 10.0.0.30
> IP_Mask 255.0.0.0
> Gateway_Addr 10.0.0.1
> RADIUSaddr
> RADIUSport 1812
> RADIUSsecret
> password IntrudersTest
> passphrase
> wlan1 passphrase AnewBadPassPhrase
> # Several lines removed.
>
> The D-Link DWL-2100ap Access Point does not allow disabling the Web server, nor
> does it have options to filter ports.
>
> We remind you that the D-Link DWL-2100ap Access Point comes configured with a
> default user / password (user: admin and no password).
>
>
>
> V. DETECTION:
> -------------
>
>
>
> Intruders Tiger Team Security confirmed the existence of this vulnerability in
> all firmware versions tested, including the latest version, 2.10na.
>
> Possibly other D-Link Access Point model(s) can be vulnerable also.
>
>
> VI. SUGGESTION:
> ---------------
>
>
> D-Link company:
>
>
> 1 - Use strong cookies to guarantee that only authorized users will get
>     access to configuration.
>
> 2 - Store sensitive configuration such as password(s) using hash(es).
>
> 3 - Allow creating firewall policies and rules to filter port(s) and IP(s).
>
> 4 - Require the user to change the default user/password on the first logon,
>     and do not allow changing the password to the last one used.
>
> 5 - Use HTTP with SSL (HTTPS).
>
> 6 - Contract companies specialized in Pen-Test and security audit, aiming to
>     homologate the security of D-Link products.
>
>
> D-Link customers:
>
>
> 1 - Upgrade the firmware of D-Link DWL-2100ap Access Point.
>     Direct link to download is
> http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfp
>
>
> VII - CHRONOLOGY:
> -----------------
>
>
>
> 11/02/2006 - Vulnerability discovered during a Pen-Test.
> 15/02/2006 - D-Link World Wide Team Contacted.
> 17/02/2006 - No response.
> 18/02/2006 - D-Link World Wide Team re-contacted.
> 24/02/2006 - No response.
> 25/02/2006 - D-Link World Wide Team last try of contact.
> 29/02/2006 - No response.
> 29/02/2006 - D-Link Brazil Team Contacted.
> 02/03/2006 - No response.
> 03/03/2006 - D-Link Brazil Team re-contacted.
> 06/03/2006 - D-Link Brazil Team responded.
> 09/03/2006 - Patch created.
> 14/03/2006 - Patch added to D-Link Brazil download site.
> 06/06/2006 - published advisory.
>
>
> VIII - CREDITS:
> ---------------
>
>
>
> Wendel Guglielmetti Henrique and Intruders Tiger Team Security had
> discovered this vulnerability.
>
> Gratefulness to Glaudson Ocampos (Intruders Tiger Team Security), Waldemar
> Nehgme, João Arquimedes (Security Open Source) and Ricardo N. Ferreira
> (Security Open Source).
>
> Visit our website:
>
> http://www.intruders.com.br/
> http://www.intruders.org.br/
>
>
>
>
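
A defender-side check for the behaviour described in the advisory above, as an added example that is not part of the original thread: it flags logged request paths of the form the advisory names and summarises, without printing the values, which credential settings a captured response body exposes. The request paths are constructed, the dump is an excerpt of the advisory's own sample, and the function and constant names are hypothetical.

```python
import re

# Credential-bearing keys in the dump quoted in the advisory.
SECRET_KEYS = ("password", "passphrase", "RADIUSsecret")
# Advisory: any file name ending in .cfg under /cgi-bin/ returns the config.
# Matching case-insensitively is an assumption, made to over-match rather than miss.
CFG_PATH = re.compile(r"^/cgi-bin/[^/?]+\.cfg(\?.*)?$", re.IGNORECASE)

# Constructed request paths, as a proxy or IDS in front of the AP might log them.
PATHS = ["/cgi-bin/Intruders.cfg", "/cgi-bin/AnyFile.htm", "/cgi-bin/"]
# Excerpt of the sample dump shown in the advisory.
DUMP = """\
# DO NOT EDIT -- This configuration file is automatically generated
magic Ar52xxAP
login admin
RADIUSsecret
password IntrudersTest
passphrase
wlan1 passphrase AnewBadPassPhrase
"""

def config_requests(paths):
    """Return the logged request paths that match the advisory's pattern."""
    return [p for p in paths if CFG_PATH.match(p)]

def exposed_secrets(body):
    """Map each credential setting in a config dump to a redacted summary.

    Returns None when the body lacks the 'magic Ar52xxAP' marker line,
    i.e. it is not the configuration format quoted in the advisory.
    """
    rows = [ln.split() for ln in body.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    if ["magic", "Ar52xxAP"] not in rows:
        return None
    found = {}
    for tokens in rows:
        for i, tok in enumerate(tokens):
            if tok in SECRET_KEYS:
                # Key may be prefixed (e.g. "wlan1 passphrase"); value may be empty.
                value = " ".join(tokens[i + 1:])
                found[" ".join(tokens[:i + 1])] = (
                    f"set, {len(value)} chars: rotate" if value else "empty")
                break
    return found

if __name__ == "__main__":
    print(config_requests(PATHS))
    for name, state in exposed_secrets(DUMP).items():
        print(f"{name:18} {state}")
```

Every setting reported as set was readable without authentication and should be changed once the device is patched or isolated; an empty `password` line corresponds to the factory default the advisory mentions.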