[MLB-WIRELESS] FW: [Syd-Wireless] FYI - insecurity in TI based devices...

Robert Tchia robert.tchia at palantir.com.au
Fri Oct 25 01:36:18 EST 2002



-----Original Message-----
From: syd-wireless-admin at lists.sydneywireless.com
[mailto:syd-wireless-admin at lists.sydneywireless.com] On Behalf Of Nick Adams
Sent: Tuesday, 22 October 2002 8:18 PM
To: syd-wireless at lists.sydneywireless.com
Subject: Re: [Syd-Wireless] FYI - insecurity in TI based devices...

I can confirm this works on WAP11 v2.2.  "SHIT!"

Nick.
----- Original Message ----- 
From: "evilbunny" <evilbunny at sydneywireless.com>
To: <syd-wireless at lists.sydneywireless.com>
Sent: Tuesday, October 22, 2002 11:00 AM
Subject: [Syd-Wireless] FYI - insecurity in TI based devices...


> 
> 
> -- 
> Best regards,
>  evilbunny mailto:evilbunny at sydneywireless.com
> 
> http://www.cacert.org - Free Security Certificates
> http://www.sydneywireless.com - Telecommunications Freedom
> 
> This is a forwarded message
> From: Ben Serebin <ben at nycwireless.net>
> To: nycwireless at lists.spack.org
> Date: Tuesday, October 22, 2002, 6:23:31 AM
> Subject: [nycwireless] D-Link Access Point DWL-900AP+ TFTP Vulnerability
> 
> ===8<==============Original message text===============
> Hello Everyone,
> 
>         Just something to be aware of for your public (NYCwireless) nodes.
> 
> -Ben
> 
> 
> -----Original Message-----
> From: Roger Weeks [mailto:rjw at sonic.net]
> Sent: Monday, October 21, 2002 2:20 PM
> To: nocat at pez.oreillynet.com; nocatnet at pez.oreillynet.com
> Subject: [NoCatNet] D-Link Access Point DWL-900AP+ TFTP Vulnerability
> 
> 
> From the bugtraq mailing list.  Note that the WAP11 is potentially vulnerable
> but it was not tested by these folks.
> 
> Roger
> 
> ----------------------------------------------------------------------
> ETHEREANET-NCC Security Report EN-NCC-20021014-04
> D-Link Access Point DWL-900AP+ TFTP Vulnerability
> 
> Date discovered:    Fri, 11 Oct 2002
> Vendor notified on: Mon, 14 Oct 2002
> Date published:     Mon, 21 Oct 2002
> 
> Vendor Reference:   D-Link US Support Case-ID DL204488
> ----------------------------------------------------------------------
> 
> 
> Overview
> --------
> While evaluating the D-Link DWL-900AP+ Access Point/Bridge, we discovered a
> severe vulnerability that could be exploited by a potential intruder to gain
> full administrative access to the device.
> 
> 
> Description
> -----------
> D-Link's DWL-900AP+ is a WiFi/802.11b Access Point with enhanced 22Mbps
> transfer mode (aka "802.11b+") and proprietary bridging functions, typically
> targeted at SOHO installation. The device can be connected to an existing
> wired network by means of a standard 10/100 ethernet port and can be
> configured by using a javascript-enabled HTTP client (WEB browser) pointed at
> its IP address.
> 
> Although undocumented, the device also features an embedded TFTP (Trivial
> File Transfer Protocol) server which can be used to obtain critical data: by
> requesting a file named "config.img", an intruder receives a binary image of
> the device configuration which contains, among others, the following
> information:
> 
>   - the "admin" password required by the HTTP user interface
>   - the WEP encryption keys
>   - the network configuration data (addresses, SSID, etc.)
> 
> Such data are returned in cleartext and may be accessed by any wired/wireless
> client. Note that if the device is configured to use a "public" IP address
> and a valid "gateway" (connected to the Internet) is specified in the wired
> LAN configuration screen, the TFTP service (hence the critical data) could
> be accessed world-wide.
> 
> 
> Additional info
> ---------------
> In addition to the above mentioned "config.img", the following undocumented
> files are also accessible via the TFTP protocol:
> 
>   - eeprom.dat
>   - mac.dat
>   - wtune.dat
>   - rom.img
>   - normal.img
> 
> the last one being the (compressed) firmware image as uploaded to the
> device. We did not investigate further, so the above list is to be intended
> as NOT exhaustive.
> 
> 
> Tested devices
> --------------
> Model No: DWL-900AP+ (FCC-ID: KA2DWL900AP-PLUS)
> H/W:      B1
> F/W:      2.1 & 2.2
> 
> The vulnerability has been observed with both 2.1 & 2.2 firmware revisions.
> 
> 
> Solutions
> ---------
> There are NO known solutions or workarounds at the moment. A firmware upgrade
> is urged from the vendor. A complete report of the vulnerability was sent to
> D-Link's International Support <techs at dlinksupport.com> on Mon, 14 Oct 2002
> and was assigned the case-id: DL204488.
> 
> 
> Discovered by
> -------------
> Rocco Rionero, <rock at rionero.com>
> 
> 
> Note about potentially affected re-branded devices (NOT VERIFIED)
> -----------------------------------------------------------------
> The DWL-900AP+ appears to be based on a device originally developed
> by "Global Sun Technology Inc.": as the same device is also sold with other
> brands, the vulnerability MAY apply to any of them. Potentially affected
> devices include the following access points:
> 
>   - ALLOY GL-2422AP-S
>   - EUSSO GL2422-AP
>   - LINKSYS WAP11-V2.2
>   - WISECOM GL2422AP-0T
> 
> Please, note: NONE of the above was tested.
> 
> 
> Disclaimer
> ----------
> All information in this report is subject to change without any advanced
> notices neither mutual consensus; the report itself is released as it is.
> Neither the author, nor the parts (if any) involved in the distributions of
> this report are responsible for any risks of occurrences caused by applying
> the information included.
> 
> 
> ----------------------------------------------------------------------
> ETHEREANET Control Center <ncc at ethereanet.net>
> ETHEREANET Security Administration <security at ethereanet.net>
> RIONERO Network Security Administration <security at rionero.com>
> 
> 
> 
> 
> 
> ===8<===========End of original message text===========
> 
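
Added example, not part of the original thread or the advisory: a monitoring check that parses TFTP request packets (RFC 1350) and flags read requests sent to an access point for any of the file names the advisory lists. It assumes the device's TFTP server listens on the standard UDP port 69 and matches names case-insensitively; the addresses and packet payloads in `SAMPLE` are constructed, and the function names are hypothetical.

```python
import struct

# File names the advisory lists as readable from the AP's undocumented TFTP server.
SENSITIVE_FILES = {"config.img", "eeprom.dat", "mac.dat", "wtune.dat",
                   "rom.img", "normal.img"}
OP_RRQ, OP_WRQ = 1, 2   # RFC 1350 opcodes
TFTP_PORT = 69          # assumption: standard TFTP port (not stated in the advisory)


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ, or None if it is not one."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    # Layout: filename NUL mode NUL (RFC 2347 option fields may follow).
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None  # truncated or malformed request
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace").lower()
    return opcode, filename, mode


def find_sensitive_reads(packets, ap_addresses):
    """Return alerts for RRQs sent to a monitored AP that name a listed file."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dst not in ap_addresses or dport != TFTP_PORT:
            continue
        req = parse_tftp_request(payload)
        if req is None or req[0] != OP_RRQ:
            continue
        # Compare on the base name, case-insensitively (conservative assumption).
        name = req[1].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in SENSITIVE_FILES:
            alerts.append({"src": src, "dst": dst, "file": name})
    return alerts


# Constructed sample traffic: (source, destination, UDP dest port, UDP payload).
SAMPLE = [
    ("192.0.2.10", "192.0.2.1", 69, b"\x00\x01config.img\x00octet\x00"),
    ("192.0.2.11", "192.0.2.1", 69, b"\x00\x01CONFIG.IMG\x00netascii\x00"),
    ("192.0.2.12", "192.0.2.1", 69, b"\x00\x02firmware.bin\x00octet\x00"),  # WRQ
    ("192.0.2.13", "192.0.2.1", 69, b"\x00\x01config.img"),  # truncated RRQ
    ("192.0.2.14", "192.0.2.1", 53, b"\x00\x01rom.img\x00octet\x00"),  # not TFTP port
]
```

Any alert from a client outside the management network is a reason to treat the admin password and WEP keys on that device as disclosed.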