Vulnerability: D-Link Access Point DWL-900AP+ TFTP

#1  s0nIc (Sydney)

    Vulnerability: D-Link Access Point DWL-900AP+ TFTP

    While evaluating the D-Link DWL-900AP+ Access Point/Bridge, we discovered a severe vulnerability that could be exploited by a potential intruder to gain full administrative access to the device.


    Description
    -----------
    D-Link's DWL-900AP+ is a WiFi/802.11b Access Point with enhanced 22Mbps transfer mode (aka "802.11b+") and proprietary bridging functions, typically targeted at SOHO installations.
    The device can be connected to an existing wired network by means of a standard 10/100 ethernet port and can be configured by using a javascript-enabled HTTP client (web browser) pointed at its IP address.

    Although undocumented, the device also features an embedded TFTP (Trivial File Transfer Protocol) server which can be used to obtain critical data: by requesting a file named "config.img", an intruder receives a binary image of the device configuration which contains, among other things, the following information:

    - the "admin" password required by the HTTP user interface
    - the WEP encryption keys
    - the network configuration data (addresses, SSID, etc.)

    Such data are returned in cleartext and may be accessed by any wired/wireless client. Note that if the device is configured to use a "public" IP address and a valid "gateway" (connected to the Internet) is specified in the wired LAN configuration screen, the TFTP service (hence the critical data) could be accessed world-wide.


    Additional info
    ---------------
    In addition to the above-mentioned "config.img", the following undocumented files are also accessible via the TFTP protocol:

    - eeprom.dat
    - mac.dat
    - wtune.dat
    - rom.img
    - normal.img

    the last one being the (compressed) firmware image as uploaded to the device. We did not investigate further, so the above list is to be regarded as NOT exhaustive.


    Tested devices
    --------------
    Model No: DWL-900AP+ (FCC-ID: KA2DWL900AP-PLUS)
    H/W: B1
    F/W: 2.1 & 2.2

    The vulnerability has been observed with both 2.1 & 2.2 firmware revisions.


    Solutions
    ---------
    There are NO known solutions or workarounds at the moment. A firmware upgrade is urged from the vendor. A complete report of the vulnerability was sent to D-Link's International Support <techs@dlinksupport.com> on Mon, 14 Oct 2002 and was assigned the case-id: DL204488.


    Discovered by
    -------------
    Rocco Rionero, <rock@rionero.com>


    Note about potentially affected re-branded devices (NOT VERIFIED)
    -----------------------------------------------------------------
    The DWL-900AP+ appears to be based on a device originally developed by "Global Sun Technology Inc.": as the same device is also sold with other brands, the vulnerability MAY apply to any of them. Potentially affected devices include the following access points:

    - ALLOY GL-2422AP-S
    - EUSSO GL2422-AP
    - LINKSYS WAP11-V2.2
    - WISECOM GL2422AP-0T

    Please, note: NONE of the above was tested.


    Disclaimer
    ----------
    All information in this report is subject to change without advance notice or mutual consent; the report itself is released as is. Neither the author nor any parties involved in the distribution of this report are responsible for any risk or occurrence caused by applying the information included.

    Source: http://www.xatrix.org/article2043.html
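
The read exchange the advisory relies on, as an added example that is not part of the original post, the advisory, or any D-Link code: a minimal RFC 1350 TFTP client (RRQ, DATA, ACK, ERROR, with the server's transfer-port switch and a retransmit-on-timeout path), a `probe_file` audit helper, and a loopback demo server so the whole thing runs offline. The default port is the IANA-assigned udp/69. `SAMPLE_CONFIG` is constructed filler, not the device's real config.img format, and nothing here parses that format; the server, the file names and the helper names are assumptions for the demo.

```python
# Added example (not from the advisory or from D-Link): the RFC 1350 read
# exchange the advisory relies on, plus a loopback demo server so it runs
# offline. SAMPLE_CONFIG is constructed filler, not the real config.img format.
import socket
import struct
import threading

TFTP_PORT = 69                      # IANA-assigned TFTP port (udp/69)
BLOCK_SIZE = 512                    # fixed DATA block size in RFC 1350
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5

# Constructed payload, a little over 1 KB so the transfer takes three DATA blocks.
SAMPLE_CONFIG = (b"admin=changeme\0wep1=0123456789ABCDEF0123456789\0ssid=demo\0"
                 + bytes(range(256)) * 4)

class TftpError(Exception):
    """Server answered with an ERROR packet; args == (error code, message)."""

def build_rrq(filename, mode="octet"):
    # RRQ packet: opcode 1 | filename | NUL | mode | NUL
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def tftp_get(host, filename, port=TFTP_PORT, timeout=2.0, retries=3):
    """Read `filename` from host:port and return its bytes.
    RRQ -> host:port; DATA(n) arrives from a fresh server port (the TID);
    ACK(n) goes back to that TID, until a DATA block shorter than 512 bytes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        dest, expected, chunks, attempts = (host, port), 1, [], 0
        outstanding = build_rrq(filename)           # last packet sent; resent on timeout
        sock.sendto(outstanding, dest)
        while True:
            try:
                pkt, addr = sock.recvfrom(4 + BLOCK_SIZE)
            except socket.timeout:
                attempts += 1
                if attempts > retries:
                    raise TimeoutError(f"no TFTP reply from {host}:{port}")
                sock.sendto(outstanding, dest)
                continue
            if len(pkt) < 4:
                continue                            # malformed datagram, ignore
            opcode, arg = struct.unpack("!HH", pkt[:4])   # arg: block number or error code
            if opcode == OP_ERROR:
                raise TftpError(arg, pkt[4:].split(b"\0")[0].decode(errors="replace"))
            if opcode != OP_DATA:
                continue
            if arg != expected:                     # duplicate block: re-ACK, don't store
                sock.sendto(outstanding, dest)
                continue
            dest = addr                             # all further traffic goes to the TID
            chunks.append(pkt[4:])
            outstanding = struct.pack("!HH", OP_ACK, arg)
            sock.sendto(outstanding, dest)
            attempts = 0
            if len(pkt) - 4 < BLOCK_SIZE:           # a short (or empty) block ends it
                return b"".join(chunks)
            expected += 1
    finally:
        sock.close()

def probe_file(host, filename, port=TFTP_PORT):
    """Audit check: ('ok', size) if the server hands the file out, ('error', code)
    if it answers with ERROR, ('no-reply', None) if nothing answers TFTP at all."""
    try:
        return "ok", len(tftp_get(host, filename, port, timeout=1.0, retries=1))
    except TftpError as e:
        return "error", e.args[0]
    except OSError:                                 # TimeoutError, ICMP unreachable, ...
        return "no-reply", None

def serve_once(lsock, files):
    """Demo-only read server: answers a single RRQ from `files` (name -> bytes)."""
    pkt, client = lsock.recvfrom(1024)
    lsock.close()
    name = pkt[2:].split(b"\0")[0].decode(errors="replace")
    tsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # new port = server TID
    tsock.settimeout(2.0)
    try:
        if struct.unpack("!H", pkt[:2])[0] != OP_RRQ or name not in files:
            tsock.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", client)
            return
        data, block = files[name], 1
        while True:
            chunk = data[(block - 1) * BLOCK_SIZE:block * BLOCK_SIZE]
            tsock.sendto(struct.pack("!HH", OP_DATA, block) + chunk, client)
            ack, _ = tsock.recvfrom(4)
            if struct.unpack("!HH", ack) != (OP_ACK, block) or len(chunk) < BLOCK_SIZE:
                return
            block += 1
    finally:
        tsock.close()

def start_demo_server(files):
    """Bind an ephemeral loopback port, serve one request in the background, return it."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    lsock.bind(("127.0.0.1", 0))
    threading.Thread(target=serve_once, args=(lsock, files), daemon=True).start()
    return lsock.getsockname()[1]
```

To check a unit of your own, call `probe_file(<AP address>, "config.img")` from a host on the same LAN with the default port 69; `('ok', n)` means the device hands the image out to anyone who asks. Two caveats: a "no-reply" seen from the wired side says nothing about what a wireless client would get, and the probe only confirms exposure, it does not interpret the image.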

#2  the_JinX (Beverwijk, Netherlands)
    I can confirm the Linksys wap 11 v2.2 has the same vuln.

    You can get anything from the machine with tftp; a friend of mine did it a couple of weeks back.
    The password is in plain text format.

    The D-Link and the Linksys only differ in box and firmware, the hardware is the same. You can even flash a Linksys with the D-Link firmware if they fix this faster than Linksys does.

    The only trouble is, I have heard that the tftp stuff is in the machine's kernel, not in the firmware, so perhaps there is no real cure but to block access to that particular port (tftp uses which port??)
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

#3  s0nIc (Sydney)
    Hmmm, tftp uses port 63, which is the standard and official port. You can block it IF you are not using it. As for the people using it, I don't think there is an alternative port. It's not like websites, where you can change the port from 80 to 8080 or something.

#4  nebulus200
    Sonic, you sure about the port 63? Or is the 63 in reference to what the D-Link is using? I don't use the wireless version of the D-Link, but I'm still gonna play around with it at home this evening and see if the problem is a little more widespread... has me curious now.

    From my /etc/services:

    tftp 69/udp


    Thanks for the info.

    Nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

#5  s0nIc (Sydney)
    Yeah, I'm sure tftp uses port 63. Whether D-Link uses 63 or not, that's what I don't know.

#6  nebulus200
    Hmmm... your response has caught me a little off guard... what system uses 63 as its bind port for the tftp service? I did a quick search on snort (a good place to look up ports when they haven't managed to crash it again) and got the following:
    (The main port search page is off of main page, bottom left corner text box)

    From: http://www.snort.org/ports.html?port=63 (Snort Port List, port 63)

    63 63/udp whois++ whois++
    63 63/tcp whois++ whois++
    2979 2979/tcp h263-video H.263 Video Streaming
    2979 2979/udp h263-video H.263 Video Streaming

    http://www.snort.org/ports.html?port=69 (Snort Port List, 69)

    69 69/tcp tftp Trivial File Transfer
    69 69/udp tftp Trivial File Transfer


    /nebulus

#7  Senior Member
    I did a quick search on snort (a good place to look up ports when they haven't managed to crash it again) and got the following:
    What about checking the official list:
    http://www.iana.org/assignments/port-numbers

    nebulus200 is right. tftp uses port 69.

    Peace always,
    <jdenny>
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


#8  nebulus200
    I check snort out of habit because the official list will often not include oddball ports for things like trojans and some newer ports/protocols that may not be officially registered. Of course in this case that doesn't really matter, but like I said... habits sometimes are hard to break.

    /nebulus