<<< Date Index >>>     <<< Thread Index >>>

ADVISORY - D-Link Wireless Access-Point



INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY

http://www.intruders.com.br/
http://www.intruders.org.br/


ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap)


PRIORITY: HIGH


I - INTRUDERS:
----------------



Intruders Tiger Team Security is a project entailed with 
Security Open Source (http://www.securityopensource.org.br).

The Intruders Tiger Team Security (ITTS) is a group of researchers 
with more than 10 years of experience, specialized in the development 
of intrusion projects (Pen-Test) and in special security projects.


All the projects of intrusion (Pen-Test) realized until the moment by 
the Intruders Tiger Team Security had 100% of success.


II - INTRODUCTION:
------------------



D-Link AirPlus XtremeG 2.4GHz Wireless Access Point, 54Mbps/108Mbps (802.11g):

D-Link, the industry pioneer in wireless networking, introduces a performance 
breakthrough in wireless connectivity ? D-Link AirPlus Xtreme GTM series of 
high-speed devices now capable of delivering transfer rates up to 15x faster 
than the standard 802.11b with the new D-Link 108G. With the new AirPlus Xtreme 
G DWL-2100AP Wireless Access Point, D-Link sets a new standard for wireless 
access 
points.

D-Link DWL-2100ap is one of the most popular Access Point in the world.


III - DESCRIPTION:
------------------



Intruders Tiger Team Security identified during an intrusion project (Pen-Test) 
an 
unknown vulnerability in the Access Point D-Link DWL-2100ap, that allows an 
attacker 
to read device's configuration, without authentication with web server.

Extremely sensible informations are avaible in the configuration of the Access 
Point 
D-Link DWL-2100ap, for example:

- User and password used to manage the device.
- Password used in WEP and WPA.
- SSID, IP, subnet mask, MAC Address filters, etc.


IV - ANALISYS:
---------------



Making a HTTP request to the /cgi-bin/ directory, the Web server will return 
error 404 (Page not found).

Making a HTTP request to the /cgi-bin/AnyFile.htm, the Web server will return 
error 404 (Page not found).

However, making a HTTP request to any file in /cgi-bin/ directory, with .cfg 
extension, will 
return all the device configuration.


For example, making the following request:

http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg

We would have a result equivalent to the following:

# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
# DO NOT EDIT -- This configuration file is automatically generated
magic Ar52xxAP
fwc: 34
login admin
DHCPServer 
Eth_Acl 
nameaddr
domainsuffix 
IP_Addr 10.0.0.30
IP_Mask 255.0.0.0
Gateway_Addr 10.0.0.1
RADIUSaddr 
RADIUSport 1812
RADIUSsecret 
password IntrudersTest
passphrase 
wlan1 passphrase AnewBadPassPhrase
# Several lines removed.

D-Link DWL-2100ap Access Point does not allow disable the Web server, not even 
has options to 
filter ports. 

We remember that the D-Link DWL-2100ap Access Point comes configured with 
default user /
password (user:admin and no password).



V. DETECTION:
-------------



Intruders Tiger Team Security confirmed the existence of this vulnerability in 
all firmwares 
tested, also the last version 2.10na. 

Possibly other(s) D-Link Access Point model(s) can be vulnerable also.


VI. SUGESTION:
--------------


D-Link company:


1 - Use strong cookies to guarantee that only authorized users will get access 
to configuration.

2 - Store sensible configurations like password(s) using hash(s).

3 - Allow create firewall politics and rules to filters port(s) and IP(s).

4 - Request to the user change the default user/password on the first logon, 
and not allow 
    change the password to the last one used.

5 - Use HTTP with SSL (HTTPS).

6 - Contracts specialized companies in Pen-Test and security audit, aiming 
homologate the 
    security of D-Link products.


D-Link customers:


1 - Upgrade the firmware of D-Link DWL-2100ap Access Point. 
    Direct link to download is 
http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfp


VII - CHRONOLOGY:
-----------------



11/02/2006 - Vulnerability discovered during a Pen-Test.
15/02/2006 - D-Link World Wide Team Contacted.
17/02/2006 - No response.
18/02/2006 - D-Link World Wide Team re-contacted.
24/02/2006 - No response.
25/02/2006 - D-Link World Wide Team last try of contact.
29/02/2006 - No response.
29/02/2006 - D-Link Brazil Team Contacted.
02/03/2006 - No response.
03/03/2006 - D-Link Brazil Team re-contacted.
06/03/2006 - D-Link Brazil Team responsed.
09/03/2006 - Patch created.
14/03/2006 - Patch added to D-Link Brazil download site.
06/06/2006 - published advisory.


VIII - CREDITS:
---------------



Wendel Guglielmetti Henrique and Intruders Tiger Team Security had discovered 
this vulnerability.

Gratefulness to Glaudson Ocampos (Intruders Tiger Team Security), Waldemar 
Nehgme, João
Arquimedes (Security Open Source) and Ricardo N. Ferreira (Security Open 
Source).

Visit our website:

http://www.intruders.com.br/
http://www.intruders.org.br/