Hello Everyone,

        Just something to be aware of for your public (NYCwireless) nodes.

-Ben


-----Original Message-----
From: Roger Weeks [mailto:rjw@;sonic.net]
Sent: Monday, October 21, 2002 2:20 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [NoCatNet] D-Link Access Point DWL-900AP+ TFTP Vulnerability


From the bugtraq mailing list.  Note that the WAP11 is potentially
vulnerable but it was not tested by these folks.

Roger

----------------------------------------------------------------------
ETHEREANET-NCC Security Report EN-NCC-20021014-04
D-Link Access Point DWL-900AP+ TFTP Vulnerability

Date discovered:    Fri, 11 Oct 2002
Vendor notified on: Mon, 14 Oct 2002
Date published:     Mon, 21 Oct 2002

Vendor Reference:   D-Link US Support Case-ID DL204488
----------------------------------------------------------------------


Overview
--------
While evaluating the D-Link DWL-900AP+ Access Point/Bridge, we discovered a
severe vulnerability that could be exploited by a potential intruder to gain
full administrative access to the device.


Description
-----------
D-Link's DWL-900AP+ is a WiFi/802.11b Access Point with enhanced 22Mbps
transfer mode (aka "802.11b+") and proprietary bridging functions, typically
targeted at SOHO installations. The device can be connected to an existing
wired network by means of a standard 10/100 ethernet port and can be
configured by using a javascript-enabled HTTP client (WEB browser) pointed
at its IP address.

Although undocumented, the device also features an embedded TFTP (Trivial
File Transfer Protocol) server which can be used to obtain critical data: by
requesting a file named "config.img", an intruder receives a binary image of
the device configuration which contains, among others, the following
information:

  - the "admin" password required by the HTTP user interface
  - the WEP encryption keys
  - the network configuration data (addresses, SSID, etc.)

Such data are returned in cleartext and may be accessed by any
wired/wireless client. Note that if the device is configured to use a
"public" IP address and a valid "gateway" (connected to the Internet) is
specified in the wired LAN configuration screen, the TFTP service (hence the
critical data) could be accessed world-wide.


Additional info
---------------
In addition to the above mentioned "config.img", the following undocumented
files are also accessible via the TFTP protocol:

  - eeprom.dat
  - mac.dat
  - wtune.dat
  - rom.img
  - normal.img

the last one being the (compressed) firmware image as uploaded to the
device. We did not investigate further, so the above list is NOT to be
taken as exhaustive.
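As an added example (not part of the advisory or of D-Link's firmware), the
following Python script shows the detection side of what the two sections
above describe: it parses TFTP read requests (RRQ, RFC 1350) sent to UDP port
69 and raises an alert whenever one of the undocumented filenames listed in
the advisory is requested, marking requests from outside the access point's
LAN as the "external" case the description warns about. The sample datagrams,
the LAN range 192.0.2.0/24 and the access point address 192.0.2.1 are
constructed for this example.

```python
"""
Added example: detector for TFTP read requests (RRQ) that fetch the
undocumented configuration and firmware files the advisory lists.
All packets below are constructed for this example, not captures from a device.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TFTP opcodes (RFC 1350)
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
TFTP_PORT = 69

# Filenames the advisory reports as retrievable from the device's TFTP server.
SENSITIVE_FILES = {"config.img", "eeprom.dat", "mac.dat",
                   "wtune.dat", "rom.img", "normal.img"}

# Assumed local network of the access point (constructed for the example).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class TftpRequest:
    opcode: int
    filename: str
    mode: str


def parse_tftp_request(payload: bytes) -> Optional[TftpRequest]:
    """Parse a TFTP RRQ/WRQ: 2-byte opcode | filename | NUL | mode | NUL.

    Returns None for other opcodes (DATA, ACK, ERROR) and for malformed
    packets, so truncated or garbage datagrams never raise an alert.
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # filename, mode, and the empty remainder after the final NUL
    if len(fields) < 3:
        return None
    try:
        filename = fields[0].decode("ascii")
        mode = fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if not filename or mode not in ("netascii", "octet", "mail"):
        return None
    return TftpRequest(opcode, filename, mode)


def is_sensitive_read(req: TftpRequest) -> bool:
    """True for a read of one of the advisory's filenames.
    The basename is compared case-insensitively so "/CONFIG.IMG" also matches."""
    name = req.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return req.opcode == OP_RRQ and name in SENSITIVE_FILES


Alert = Tuple[str, str, str, str]  # (src, dst, filename, origin)


def scan_datagrams(datagrams) -> List[Alert]:
    """datagrams: iterable of (src_ip, dst_ip, dst_port, udp_payload).
    Only port-69 traffic is inspected; a source outside LOCAL_NET is
    marked "external", the world-wide exposure case the advisory warns of."""
    alerts: List[Alert] = []
    for src, dst, dport, payload in datagrams:
        if dport != TFTP_PORT:
            continue
        req = parse_tftp_request(payload)
        if req is None or not is_sensitive_read(req):
            continue
        origin = "internal" if ipaddress.ip_address(src) in LOCAL_NET else "external"
        alerts.append((src, dst, req.filename, origin))
    return alerts


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build an RRQ/WRQ payload; used only to construct the samples below."""
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


# Constructed sample traffic toward an access point at 192.0.2.1.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", "192.0.2.1", 69, build_request(OP_RRQ, "config.img")),              # LAN client reads the config
    ("198.51.100.7", "192.0.2.1", 69, build_request(OP_RRQ, "normal.img", "netascii")),  # firmware read from outside
    ("192.0.2.11", "192.0.2.1", 69, build_request(OP_RRQ, "boot/pxelinux.0")),         # ordinary, unrelated TFTP read
    ("192.0.2.12", "192.0.2.1", 69, build_request(OP_WRQ, "config.img")),              # a write, not a read: not flagged
    ("192.0.2.13", "192.0.2.1", 69, struct.pack("!HH", OP_ACK, 1)),                   # ACK, ignored by the parser
    ("192.0.2.14", "192.0.2.1", 69, b"\x00\x01config.img"),                            # truncated RRQ, no terminators
    ("192.0.2.15", "192.0.2.1", 53, build_request(OP_RRQ, "config.img")),              # not the TFTP port, skipped
]

if __name__ == "__main__":
    for src, dst, name, origin in scan_datagrams(SAMPLE_DATAGRAMS):
        print(f"ALERT ({origin}): {src} requested {name} from {dst} via TFTP")
```

Run against the constructed samples, only the two reads of advisory-listed
files produce alerts; the malformed, non-read and off-port datagrams are
dropped by the parser or the port filter. To use it on real traffic, feed
`scan_datagrams` the (src, dst, dst_port, payload) tuples from your capture
tool and, since the advisory gives no workaround, treat any "external" alert
as confirmation that UDP/69 on the device is reachable from the Internet and
needs to be blocked at the gateway.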


Tested devices
--------------
Model No: DWL-900AP+ (FCC-ID: KA2DWL900AP-PLUS)
H/W:      B1
F/W:      2.1 & 2.2

The vulnerability has been observed with both 2.1 & 2.2 firmware revisions.


Solutions
---------
There are NO known solutions or workarounds at the moment. A firmware
upgrade from the vendor is urged. A complete report of the vulnerability was
sent to D-Link's International Support <[EMAIL PROTECTED]> on Mon, 14 Oct 2002
and was assigned the case-id: DL204488.


Discovered by
-------------
Rocco Rionero, <[EMAIL PROTECTED]>


Note about potentially affected re-branded devices (NOT VERIFIED)
-----------------------------------------------------------------
The DWL-900AP+ appears to be based on a device originally developed
by "Global Sun Technology Inc.": as the same device is also sold under other
brands, the vulnerability MAY apply to any of them. Potentially affected
devices include the following access points:

  - ALLOY GL-2422AP-S
  - EUSSO GL2422-AP
  - LINKSYS WAP11-V2.2
  - WISECOM GL2422AP-0T

Please note: NONE of the above was tested.


Disclaimer
----------
All information in this report is subject to change without advance
notice or mutual consent; the report itself is released as is.
Neither the author nor the parties (if any) involved in the distribution of
this report are responsible for any risks or occurrences caused by applying
the information included.


----------------------------------------------------------------------
ETHEREANET Control Center <[EMAIL PROTECTED]>
ETHEREANET Security Administration <[EMAIL PROTECTED]>
RIONERO Network Security Administration <[EMAIL PROTECTED]>



--
NYCwireless - http://www.nycwireless.net/
Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
Archives: http://lists.nycwireless.net/pipermail/nycwireless/
