[NEWS] D-Link Access Point DWL-900AP+ TFTP Vulnerability

From: support@securiteam.com
Date: 10/22/02


From: support@securiteam.com
To: list@securiteam.com
Date: 22 Oct 2002 00:03:12 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  D-Link Access Point DWL-900AP+ TFTP Vulnerability
------------------------------------------------------------------------

SUMMARY

The D-Link DWL-900AP+ Access Point/Bridge has been found to contain a severe
vulnerability that could be exploited by a potential intruder to gain full
administrative access to the device.

DETAILS

Vulnerable systems:
 * DWL-900AP+ B1 version 2.1 and 2.2

Possibly vulnerable (developed by the same manufacturer):
 * ALLOY GL-2422AP-S
 * EUSSO GL2422-AP
 * LINKSYS WAP11-V2.2
 * WISECOM GL2422AP-0T

D-Link's DWL-900AP+ is a WiFi/802.11b Access Point with an enhanced 22Mbps
transfer mode (a.k.a. "802.11b+") and proprietary bridging functions,
typically targeted at SOHO installations. The device can be connected to an
existing wired network by means of a standard 10/100 Ethernet port and can
be configured using a JavaScript-enabled HTTP client (web browser)
pointed at its IP address.

Although only partly documented, the device also features an embedded TFTP
(Trivial File Transfer Protocol) server which can be used to obtain
critical data: by requesting a file named "config.img", an intruder
receives a binary image of the device configuration which contains, among
other things, the following information:

 - The "admin" password required by the HTTP user interface
 - The WEP encryption keys
 - The network configuration data (addresses, SSID, etc).

Such data are returned in clear text and may be accessed by any
wired/wireless client. Note that if the device is configured to use a
"public" IP address and a valid "gateway" (connected to the Internet) is
specified in the wired LAN configuration screen, the TFTP service (hence
the critical data) could be accessed world-wide.

Additional info:
In addition to the above mentioned "config.img", the following
undocumented files are also accessible via the TFTP protocol:

 - eeprom.dat
 - mac.dat
 - wtune.dat
 - rom.img
 - normal.img

The last of these is the (compressed) firmware image as uploaded to the
device. We did not investigate further, so the above list is to be
understood as NOT exhaustive.
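As an added example (not part of the advisory), the following Python shows how a defender can spot read requests for the files listed above on the wire: it decodes the TFTP request layout (2-byte opcode, filename, NUL, mode, NUL) and flags any read request naming one of them. The (src_ip, dst_port, payload) input shape and the sample datagrams are constructed for this example.

```python
import struct

TFTP_PORT = 69
TFTP_RRQ = 1  # read request opcode (RFC 1350)

# Files the advisory reports as readable from the DWL-900AP+ TFTP server.
SENSITIVE_FILES = {"config.img", "eeprom.dat", "mac.dat",
                   "wtune.dat", "rom.img", "normal.img"}

def parse_tftp_request(payload: bytes):
    """Decode a TFTP RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL.
    Returns (opcode, filename, mode), or None if not a well-formed request."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        return None
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3:  # need filename, mode and the trailing empty piece
        return None
    filename = parts[0].decode("ascii", errors="replace")
    mode = parts[1].decode("ascii", errors="replace").lower()
    return opcode, filename, mode

def flag_sensitive_reads(datagrams):
    """Return (src_ip, filename) for every RRQ that names a sensitive file.
    `datagrams` yields (src_ip, dst_port, payload) triples; that shape is an
    assumption about what the capture tool hands over."""
    alerts = []
    for src, dst_port, payload in datagrams:
        req = parse_tftp_request(payload) if dst_port == TFTP_PORT else None
        if req is None:
            continue
        opcode, filename, _mode = req
        # Match the basename case-insensitively so "/CONFIG.IMG" is caught too.
        name = filename.rsplit("/", 1)[-1].lower()
        if opcode == TFTP_RRQ and name in SENSITIVE_FILES:
            alerts.append((src, filename))
    return alerts

# Constructed sample traffic: a benign read, a config.img read, a write
# request carrying the same name, and a datagram that is not TFTP at all.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", 69, b"\x00\x01bootimage.bin\x00octet\x00"),
    ("192.0.2.77", 69, b"\x00\x01config.img\x00octet\x00"),
    ("192.0.2.77", 69, b"\x00\x02config.img\x00octet\x00"),
    ("192.0.2.5", 53, b"\x00\x01garbage"),
]
```

Running `flag_sensitive_reads(SAMPLE_DATAGRAMS)` yields a single alert for the host that requested config.img; the write request and the non-TFTP datagram are ignored.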

Solutions:
There are NO known solutions or workarounds at the moment. The vendor has
been urged to release a firmware upgrade. A complete report of the
vulnerability was sent to D-Link's International Support
(techs@dlinksupport.com) on Mon, 14 Oct 2002 and was assigned the case ID
DL204488.

ADDITIONAL INFORMATION

The information has been provided by Rocco Rionero (rock@rionero.com).
