[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4C29CC2A.3000508@icysilence.org>
Date: Tue, 29 Jun 2010 12:34:18 +0200
From: Cristofaro Mune <pulsoid@...silence.org>
To: full-disclosure@...ts.grok.org.uk
Subject: IS-2010-005 - D-Link DAP-1160 Authentication
Bypass
Security Advisory
IS-2010-005 - D-Link DAP-1160 Authentication Bypass
Advisory Information
--------------------
Published:
2010-06-29
Updated:
2010-06-29
Manufacturer: D-Link
Model: DAP-1160
Firmware version: 1.20b06
1.30b10
1.31b01
Vulnerability Details
---------------------
Public References:
Not Assigned
Platform:
Successfully tested on D-Link DAP-1160 loaded with firmware versions:
v120b06, v130b10, v131b01.
Other models and/or firmware versions may be also affected.
Note: Only firmware version major numbers are displayed on the
administration web interface: 1.20, 1.30, 1.31
Background Information:
D-Link DAP-1160 is a wireless access points that allow wireless clients
connectivity to wired networks.
Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2 supported.
Summary:
Administration interface authentication can be bypassed by accessing a
specific URL shortly after device reboot
Details:
Accessing the device web administration interface requires a successful
authentication with proper login credentials.
But if the following URL address:
http://IP_ADDR/tools_firmw.htm
is accessed as a first URL and within a short time (~40 seconds) after
the device web server has started, then no authentication is required to
access device web interface.
The device can then be freely reconfigured and sensitive information can
be extracted and/or modified, such as Wi-Fi SSID and passphrases.
A remote attacker may be able to achieve deterministic authentication
bypass, without waiting for the device to be rebooted, by remotely
rebooting the device via the DCC protocol.
This can be performed in unauthenticated manner, as described in the
advisory "IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote
Configuration"
Impacts:
Remote extraction of sensitive information
Modification of existing device configuration
Solutions & Workaround:
Not available
Additional Information
----------------------
Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional
website. No contact available on OSVDB website
18/02/2010: Point of contact requested to customer service
----------- No response -----------
26/05/2010: Vulnerability disclosed at CONFidence 2010
29/06/2010: This advisory
Additional information available at http://www.icysilence.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists