[MLB-WIRELESS] FW: [Syd-Wireless] FYI - insecurity in TI based devices...
Robert Tchia
robert.tchia at palantir.com.au
Fri Oct 25 01:36:18 EST 2002
-----Original Message-----
From: syd-wireless-admin at lists.sydneywireless.com
[mailto:syd-wireless-admin at lists.sydneywireless.com] On Behalf Of Nick Adams
Sent: Tuesday, 22 October 2002 8:18 PM
To: syd-wireless at lists.sydneywireless.com
Subject: Re: [Syd-Wireless] FYI - insecurity in TI based devices...
I can confirm this works on WAP11 v2.2. "SHIT!"
Nick.
----- Original Message -----
From: "evilbunny" <evilbunny at sydneywireless.com>
To: <syd-wireless at lists.sydneywireless.com>
Sent: Tuesday, October 22, 2002 11:00 AM
Subject: [Syd-Wireless] FYI - insecurity in TI based devices...
>
>
> --
> Best regards,
> evilbunny mailto:evilbunny at sydneywireless.com
>
> http://www.cacert.org - Free Security Certificates
> http://www.sydneywireless.com - Telecommunications Freedom
>
> This is a forwarded message
> From: Ben Serebin <ben at nycwireless.net>
> To: nycwireless at lists.spack.org
> Date: Tuesday, October 22, 2002, 6:23:31 AM
> Subject: [nycwireless] D-Link Access Point DWL-900AP+ TFTP Vulnerability
>
> ===8<==============Original message text===============
> Hello Everyone,
>
> Just something to be aware of for your public (NYCwireless) nodes.
>
> -Ben
>
>
> -----Original Message-----
> From: Roger Weeks [mailto:rjw at sonic.net]
> Sent: Monday, October 21, 2002 2:20 PM
> To: nocat at pez.oreillynet.com; nocatnet at pez.oreillynet.com
> Subject: [NoCatNet] D-Link Access Point DWL-900AP+ TFTP Vulnerability
>
>
> From the bugtraq mailing list. Note that the WAP11 is potentially
> vulnerable but it was not tested by these folks.
>
> Roger
>
> ----------------------------------------------------------------------
> ETHEREANET-NCC Security Report EN-NCC-20021014-04
> D-Link Access Point DWL-900AP+ TFTP Vulnerability
>
> Date discovered: Fri, 11 Oct 2002
> Vendor notified on: Mon, 14 Oct 2002
> Date published: Mon, 21 Oct 2002
>
> Vendor Reference: D-Link US Support Case-ID DL204488
> ----------------------------------------------------------------------
>
>
> Overview
> --------
> While evaluating the D-Link DWL-900AP+ Access Point/Bridge, we discovered a
> severe vulnerability that could be exploited by a potential intruder to gain
> full administrative access to the device.
>
>
> Description
> -----------
> D-Link's DWL-900AP+ is a WiFi/802.11b Access Point with enhanced 22Mbps
> transfer mode (aka "802.11b+") and proprietary bridging functions, typically
> targeted at SOHO installation. The device can be connected to an existing
> wired network by means of a standard 10/100 ethernet port and can be
> configured by using a javascript-enabled HTTP client (WEB browser) pointed
> at its IP address.
>
> Although undocumented, the device features also an embedded TFTP (Trivial
> File Transfer Protocol) server which can be used to obtain critical data: by
> requesting a file named "config.img", an intruder receives a binary image of
> the device configuration which contains, among others, the following
> information:
>
> - the "admin" password required by the HTTP user interface
> - the WEP encryption keys
> - the network configuration data (addresses, SSID, etc.)
>
> Such data are returned in cleartext and may be accessed by any
> wired/wireless client. Note that if the device is configured to use a
> "public" IP address and a valid "gateway" (connected to the Internet) is
> specified in the wired LAN configuration screen, the TFTP service (hence
> the critical data) could be accessed world-wide.
>
>
> Additional info
> ---------------
> In addition to the above mentioned "config.img", the following undocumented
> files are also accessible via the TFTP protocol:
>
> - eeprom.dat
> - mac.dat
> - wtune.dat
> - rom.img
> - normal.img
>
> the latest one being the (compressed) firmware image as uploaded to the
> device. We did not investigate further, so the above list is to be intended
> as NOT exhaustive.
>
>
> Tested devices
> --------------
> Model No: DWL-900AP+ (FCC-ID: KA2DWL900AP-PLUS)
> H/W: B1
> F/W: 2.1 & 2.2
>
> The vulnerability has been observed with both 2.1 & 2.2 firmware revisions.
>
>
> Solutions
> ---------
> There are NO known solutions or workarounds at the moment. A firmware
> upgrade is urged from the vendor. A complete report of the vulnerability was
> sent to D-Link's International Support <techs at dlinksupport.com> on
> Mon, 14 Oct 2002 and was assigned the case-id: DL204488.
>
>
> Discovered by
> -------------
> Rocco Rionero, <rock at rionero.com>
>
>
> Note about potentially affected re-branded devices (NOT VERIFIED)
> -----------------------------------------------------------------
> The DWL-900AP+ appears to be based on a device originally developed
> by "Global Sun Technology Inc.": as the same device is also sold with other
> brands, the vulnerability MAY apply to any of them. Potentially affected
> devices include the following access points:
>
> - ALLOY GL-2422AP-S
> - EUSSO GL2422-AP
> - LINKSYS WAP11-V2.2
> - WISECOM GL2422AP-0T
>
> Please, note: NONE of the above was tested.
>
>
> Disclaimer
> ----------
> All information in this report is subject to change without any advance
> notice or mutual consensus; the report itself is released as it is.
> Neither the author, nor the parts (if any) involved in the distribution of
> this report are responsible for any risks of occurrences caused by applying
> the information included.
>
>
> ----------------------------------------------------------------------
> ETHEREANET Control Center <ncc at ethereanet.net>
> ETHEREANET Security Administration <security at ethereanet.net>
> RIONERO Network Security Administration <security at rionero.com>
>
>
>
> --
> NYCwireless - http://www.nycwireless.net/
> Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
> Archives: http://lists.nycwireless.net/pipermail/nycwireless/
>
>
> ===8<===========End of original message text===========
>
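A defensive check for the exposure described in the quoted advisory, as an added example that is not part of the original thread or the advisory: it parses TFTP read requests (RFC 1350 layout) from captured UDP port 69 payloads and flags requests for the file names the advisory lists. The function names, sample payloads and addresses are constructed for illustration.

```python
import struct

# File names the advisory reports as readable over the device's TFTP service.
SENSITIVE_FILES = {"config.img", "eeprom.dat", "mac.dat", "wtune.dat",
                   "rom.img", "normal.img"}
OP_RRQ = 1  # TFTP read request opcode (RFC 1350)

def parse_rrq(payload: bytes):
    """Return (filename, mode) for a well-formed TFTP RRQ, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode != OP_RRQ:
        return None
    fields = payload[2:].split(b"\x00")
    # A valid RRQ is filename NUL mode NUL, so at least 3 pieces after split.
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    try:
        return fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None

def flag_requests(packets):
    """packets: iterable of (src_ip, udp_payload). Returns list of alerts."""
    alerts = []
    for src, payload in packets:
        parsed = parse_rrq(payload)
        if parsed is None:
            continue
        # Compare on the base name, case-insensitively.
        name = parsed[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in SENSITIVE_FILES:
            alerts.append((src, name))
    return alerts

# Constructed sample traffic (UDP payloads seen on port 69); addresses are
# documentation ranges, not values from the advisory.
SAMPLE = [
    ("192.0.2.10", b"\x00\x01config.img\x00octet\x00"),
    ("192.0.2.11", b"\x00\x01readme.txt\x00netascii\x00"),
    ("198.51.100.7", b"\x00\x01NORMAL.IMG\x00octet\x00"),
    ("192.0.2.12", b"\x00\x02config.img\x00octet\x00"),   # WRQ, not a read
    ("192.0.2.13", b"\x00\x01config.img"),                # truncated, no NUL
]

if __name__ == "__main__":
    for src, name in flag_requests(SAMPLE):
        print(f"ALERT tftp read of {name} from {src}")
```

Any hit from an address outside the management network indicates the configuration image, and with it the admin password and WEP keys, should be treated as disclosed.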