SecuriTeam - D-Link Access Point DWL-900AP+ TFTP Vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

D-Link DWL-900AP+ Access Point/Bridge, has been found to contain severe vulnerability that could be exploited by a potential intruder to gain full administrative access to the device.

Credit:
The information has been provided by Rocco Rionero.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
* DWL-900AP+ B1 version 2.1 and 2.2

Possibly vulnerable (developed by the same manufacture):
* ALLOY GL-2422AP-S
* EUSSO GL2422-AP
* LINKSYS WAP11-V2.2
* WISECOM GL2422AP-0T

D-Link's DWL-900AP+ is a WiFi/802.11b Access Point with enhanced 22Mbps transfer mode (a.k.a. "802.11b+") and proprietary bridging functions, typically targeted at SOHO installation. The device can be connected to an existing wired network by mean of a standard 10/100 Ethernet port and can be configured by using a JavaScript-enabled HTTP client (WEB browser) pointed at its IP address.

Although partly documented, the device features also an embedded TFTP (Trivial File Transfer Protocol) server which can be used to obtain critical data: by requesting a file named "config.img", an intruder receive a binary image of the device configuration which contains, among others, the following information:

- The "admin" password required by the HTTP user interface
- The WEP encryption keys
- The network configuration data (addresses, SSID, etc).

Such data are returned in clear text and may be accessed by any wired/wireless client. Note that if the device is configured to use a "public" IP address and a valid "gateway" (connected to the Internet) is specified in the wired LAN configuration screen, the TFTP service (hence the critical data) could be accessed world-wide.

Additional info:
In addition to the above mentioned "config.img", the following undocumented files are also accessible via the TFTP protocol:

- eeprom.dat
- mac.dat
- wtune.dat
- rom.img
- normal.img

The latest one being the (compressed) firmware image as uploaded to the device. We did not investigate further, so the above list is to be intended as NOT exhaustive.

Solutions:
There are NO known solutions or workarounds at the moment. A firmware upgrade is urged from the vendor. A complete report of the vulnerability was sent to D-Link's International Support on Mon, 14 Oct 2002 and was assigned the case-id: DL204488.

	SugarCRM Online Document Cross-Site Scripting (XSS) Vulnerability
	Skype URI Processing Arbitrary XML File Deletion Vulnerability
	Skype Protocol Handler Datapath Argument Injection Credential Disclosure Vulnerability
	LedgerSMB Multiple Vulnerabilities
	Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
	Piwik Cookie Unserialize Vulnerability
	Invision Power Board SQL PHP File Inclusion and SQL Injection
	U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability
	DevIL DICOM Buffer Overflow Vulnerability
	Marvell Driver Multiple Information Element Overflows
	HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
	HP Color LaserJet Printers Unauthorized Access to Data and DoS
	KDE KDELibs Remote Array Overrun with Arbitrary Code Execution
	Gimp BMP Image Parsing Integer Overflow Vulnerability
	Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation