22nd Oct 2002 [SBWID-5770]
COMMAND
D-Link Access Point DWL-900AP+ TFTP Vulnerability
SYSTEMS AFFECTED
Model No: DWL-900AP+ (FCC-ID: KA2DWL900AP-PLUS) H/W: B1, F/W: 2.1 &
2.2
The DWL-900AP+ appears to be based on a device originally developed by
"Global Sun Technology Inc.": as the same device is also sold with
other brands, the vulnerability MAY apply to any of them. Potentially
affected devices include the following access points:
- ALLOY GL-2422AP-S
- EUSSO GL2422-AP
- LINKSYS WAP11-V2.2
- WISECOM GL2422AP-0T
Please note: NONE of the above was tested.
PROBLEM
Rocco Rionero of RIONERO Network Security Administration
[security@rionero.com] says:
D-Link's DWL-900AP+ is a WiFi/802.11b Access Point with enhanced 22Mbps
transfer mode (aka "802.11b+") and proprietary bridging functions,
typically targeted at SOHO installation. The device can be connected to
an existing wired network by means of a standard 10/100 ethernet port
and can be configured by using a javascript-enabled HTTP client (WEB
browser) pointed at its IP address.
Although undocumented, the device also features an embedded TFTP
(Trivial File Transfer Protocol) server which can be used to obtain
critical data: by requesting a file named "config.img", an intruder
receives a binary image of the device configuration which contains,
among others, the following information:
- the "admin" password required by the HTTP user interface
- the WEP encryption keys
- the network configuration data (addresses, SSID, etc.)
Such data are returned in cleartext and may be accessed by any
wired/wireless client. Note that if the device is configured to use a
"public" IP address and a valid "gateway" (connected to the Internet)
is specified in the wired LAN configuration screen, the TFTP service
(hence the critical data) could be accessed world-wide.
Additional info
---------------
In addition to the above mentioned "config.img", the following
undocumented files are also accessible via the TFTP protocol:
- eeprom.dat
- mac.dat
- wtune.dat
- rom.img
- normal.img
the last one being the (compressed) firmware image as uploaded to the
device. We did not investigate further, so the above list is to be
considered NOT exhaustive.
SOLUTION
There are NO known solutions or workarounds at the moment. A firmware
upgrade is urged from the vendor. A complete report of the
vulnerability was sent to D-Link's International Support
<techs@dlinksupport.com> on Mon, 14 Oct 2002 and was assigned the
case-id: DL204488.
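
A detection-side illustration of the issue described above, added here and not part of the original advisory: a minimal parser for TFTP request packets (RFC 1350 layout) that flags read requests for the file names the advisory lists. The function names and sample payloads are constructed for this example, and matching on the last path component, case-insensitively, is an assumption of the example rather than documented device behaviour.

```python
import struct

# File names the advisory reports as readable over the AP's TFTP service.
SENSITIVE_FILES = {"config.img", "eeprom.dat", "mac.dat",
                   "wtune.dat", "rom.img", "normal.img"}
OPCODES = {1: "RRQ", 2: "WRQ"}  # RFC 1350 request opcodes


def parse_tftp_request(payload: bytes):
    """Return (opcode_name, filename, mode) for an RRQ/WRQ, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in OPCODES:
        return None
    # After the opcode: filename NUL mode NUL [option NUL value NUL ...]
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None  # truncated or malformed request
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace").lower()
    return OPCODES[opcode], filename, mode


def flag_request(payload: bytes):
    """Return the matched sensitive file name for a read request, else None."""
    parsed = parse_tftp_request(payload)
    if parsed is None or parsed[0] != "RRQ":
        return None
    # Assumption: compare the last path component, case-insensitively.
    base = parsed[1].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base if base in SENSITIVE_FILES else None


# Constructed sample payloads (UDP port 69 datagram bodies), not captured traffic.
SAMPLES = [
    b"\x00\x01config.img\x00octet\x00",
    b"\x00\x01CONFIG.IMG\x00netascii\x00",
    b"\x00\x01readme.txt\x00octet\x00",
    b"\x00\x02config.img\x00octet\x00",   # write request, not a read
    b"\x00\x03\x00\x01data",              # DATA packet, not a request
    b"\x00\x01normal.img",                # truncated: no NUL terminators
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", flag_request(p))
```

Fed the UDP payloads seen on port 69 at a network sensor, any non-None result marks a read of one of the listed files and is worth alerting on.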