INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap)
I - INTRUDERS:
Intruders Tiger Team Security is a project entailed with
Security Open Source (http://www.securityopensource.org.br).
The Intruders Tiger Team Security (ITTS) is a group of researchers
with more than 10 years of experience, specialized in the development
of intrusion projects (Pen-Test) and in special security projects.
All the projects of intrusion (Pen-Test) realized until the moment by
the Intruders Tiger Team Security had 100% of success.
II - INTRODUCTION:
D-Link AirPlus XtremeG 2.4GHz Wireless Access Point, 54Mbps/108Mbps (802.11g):
D-Link, the industry pioneer in wireless networking, introduces a performance
breakthrough in wireless connectivity =96 D-Link AirPlus Xtreme GTM series of
high-speed devices now capable of delivering transfer rates up to 15x faster
than the standard 802.11b with the new D-Link 108G. With the new AirPlus Xtreme
G DWL-2100AP Wireless Access Point, D-Link sets a new standard for wireless access
D-Link DWL-2100ap is one of the most popular Access Point in the world.
III - DESCRIPTION:
Intruders Tiger Team Security identified during an intrusion project (Pen-Test) an
unknown vulnerability in the Access Point D-Link DWL-2100ap, that allows an attacker
to read device's configuration, without authentication with web server.
Extremely sensible informations are avaible in the configuration of the Access Point
D-Link DWL-2100ap, for example:
- User and password used to manage the device.
- Password used in WEP and WPA.
- SSID, IP, subnet mask, MAC Address filters, etc.
IV - ANALISYS:
Making a HTTP request to the /cgi-bin/ directory, the Web server will return error 404 (Page not found).
Making a HTTP request to the /cgi-bin/AnyFile.htm, the Web server will return error 404 (Page not found).
However, making a HTTP request to any file in /cgi-bin/ directory, with .cfg extension, will
return all the device configuration.
For example, making the following request:
We would have a result equivalent to the following:
# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
# DO NOT EDIT -- This configuration file is automatically generated
wlan1 passphrase AnewBadPassPhrase
# Several lines removed.
D-Link DWL-2100ap Access Point does not allow disable the Web server, not even has options to
We remember that the D-Link DWL-2100ap Access Point comes configured with default user /
password (user:admin and no password).
Intruders Tiger Team Security confirmed the existence of this vulnerability in all firmwares
tested, also the last version 2.10na.
Possibly other(s) D-Link Access Point model(s) can be vulnerable also.
1 - Use strong cookies to guarantee that only authorized users will get access to configuration.
2 - Store sensible configurations like password(s) using hash(s).
3 - Allow create firewall politics and rules to filters port(s) and IP(s).
4 - Request to the user change the default user/password on the first logon, and not allow
change the password to the last one used.
5 - Use HTTP with SSL (HTTPS).
6 - Contracts specialized companies in Pen-Test and security audit, aiming homologate the
security of D-Link products.
1 - Upgrade the firmware of D-Link DWL-2100ap Access Point.
Direct link to download is http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfp
VII - CHRONOLOGY:
11/02/2006 - Vulnerability discovered during a Pen-Test.
15/02/2006 - D-Link World Wide Team Contacted.
17/02/2006 - No response.
18/02/2006 - D-Link World Wide Team re-contacted.
24/02/2006 - No response.
25/02/2006 - D-Link World Wide Team last try of contact.
29/02/2006 - No response.
29/02/2006 - D-Link Brazil Team Contacted.
02/03/2006 - No response.
03/03/2006 - D-Link Brazil Team re-contacted.
06/03/2006 - D-Link Brazil Team responsed.
09/03/2006 - Patch created.
14/03/2006 - Patch added to D-Link Brazil download site.
06/06/2006 - published advisory.
VIII - CREDITS:
Wendel Guglielmetti Henrique and Intruders Tiger Team Security had discovered this vulnerability.
Gratefulness to Glaudson Ocampos (Intruders Tiger Team Security), Waldemar Nehgme, Jo=E3o
Arquimedes (Security Open Source) and Ricardo N. Ferreira (Security Open Source).
Visit our website: