IS-2010-006 - D-Link DAP-1160 formFilter buffer overflow
Security Advisory IS-2010-006 - D-Link DAP-1160 formFilter buffer overflow Advisory Information Published: 2010-07-14 Updated: 2010-07-14 Manufacturer: D-Link Model: DAP-1160 Firmware version: 1.20b06 1.30b10 1.31b01 Vulnerability Details - Public References: Not Assigned Platform: Successfully tested on D-Link DAP-1160 loaded with firmware versions: v120b06, v130b10, v131b01. Other models and/or firmware versions may be also affected. Note: Only firmware version major numbers are displayed on the administration web interface: 1.20, 1.30, 1.31 Background Information: D-Link DAP-1160 is a wireless access points that allow wireless clients connectivity to wired networks. Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2 supported. Summary: A buffer overflow condition can be triggered by setting URL filtering for an overly long URL, leading to possible arbitrary code execution or denial of service. Successful authentication is required in order to exploit the vulnerability, but attackers can leverage other vulnerabilities for achieving unauthenticated remote exploitation. Details: Changing the device configuration involves sending a properly formatted POST request to the following URL: http://IP_ADDR/apply.cgi?formhandler_func where IP_ADDR is the device IP address and the formhandler_func is a function, specific to the task to be accomplished, that will handle the POST parameters present in the request body. The formFilter() function can be used for applying specific filters to the communication going through the Access Point, and is not accessible through any of the links available on the device administration interface. Nonetheless, the web page available at the following URL http://IP_ADDR/adv_webfilter.htm relies on such function for applying URL filters. One of the functionalities formFilter function allows for is URL filtering performed on a specific URL, submitted via the above mentioned web page or by sending a properly formatted POST request. The provided URL is copied on the stack in a fixed sizer buffer, allowing for buffer overflow and possible arbitrary code execution with root privileges, if an overly long URL is provided. A successful authentication is required in order to be able to to trigger the vulnerability, but an attacker may leverage DCC protocol and authentication bypass vulnerability for achieving unauthenticated remote exploitation. Impacts: Arbitrary code execution Denial of service Solutions Workaround: Not available Additional Information -- Timeline (dd/mm/yy): 17/02/2010: Vulnerability discovered 17/02/2010: No suitable technical/security contact on Global/Regional website. No contact available on OSVDB website 18/02/2010: Point of contact requested to customer service --- No response --- 26/05/2010: Vulnerability disclosed at CONFidence 2010 14/07/2010: This advisory Additional information available at http://www.icysilence.org
IS-2010-005 - D-Link DAP-1160 Authentication Bypass
Security Advisory IS-2010-005 - D-Link DAP-1160 Authentication Bypass Advisory Information Published: 2010-06-29 Updated: 2010-06-29 Manufacturer: D-Link Model: DAP-1160 Firmware version: 1.20b06 1.30b10 1.31b01 Vulnerability Details - Public References: Not Assigned Platform: Successfully tested on D-Link DAP-1160 loaded with firmware versions: v120b06, v130b10, v131b01. Other models and/or firmware versions may be also affected. Note: Only firmware version major numbers are displayed on the administration web interface: 1.20, 1.30, 1.31 Background Information: D-Link DAP-1160 is a wireless access points that allow wireless clients connectivity to wired networks. Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2 supported. Summary: Administration interface authentication can be bypassed by accessing a specific URL shortly after device reboot Details: Accessing the device web administration interface requires a successful authentication with proper login credentials. But if the following URL address: http://IP_ADDR/tools_firmw.htm is accessed as a first URL and within a short time (~40 seconds) after the device web server has started, then no authentication is required to access device web interface. The device can then be freely reconfigured and sensitive information can be extracted and/or modified, such as Wi-Fi SSID and passphrases. A remote attacker may be able to achieve deterministic authentication bypass, without waiting for the device to be rebooted, by remotely rebooting the device via the DCC protocol. This can be performed in unauthenticated manner, as described in the advisory IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration Impacts: Remote extraction of sensitive information Modification of existing device configuration Solutions Workaround: Not available Additional Information -- Timeline (dd/mm/yy): 17/02/2010: Vulnerability discovered 17/02/2010: No suitable technical/security contact on Global/Regional website. No contact available on OSVDB website 18/02/2010: Point of contact requested to customer service --- No response --- 26/05/2010: Vulnerability disclosed at CONFidence 2010 29/06/2010: This advisory Additional information available at http://www.icysilence.org
IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration
Security Advisory IS-2010-004 - D-Link DAP-1160 Unauthenticated Remote Configuration Advisory Information Published: 2010-06-28 Updated: 2010-06-28 Manufacturer: D-Link Model: DAP-1160 Firmware version: 1.20b06 1.30b10 1.31b01 Vulnerability Details - Public References: Not Assigned Platform: Successfully tested on D-Link DAP-1160 loaded with firmware versions: v120b06, v130b10, v131b01. Other models and/or firmware versions may be also affected. Note: Only firmware version major numbers are displayed on the administration web interface: 1.20, 1.30, 1.31 Background Information: D-Link DAP-1160 is a wireless access points that allow wireless clients connectivity to wired networks. Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2 supported. Summary: Unauthenticated access and modification of several device parameters, including Wi-Fi SSID, keys and passphrases is possible. Unauthenticated remote reboot of the device can be also performed. Details: DCCD is an UDP daemon that listens on port UDP 2003 of the device, that is likely used for easy device configuration via the DCC (D-Link Click 'n Connect) protocol. By sending properly formatted UDP datagrams to dccd daemon it is possible to perform security relevant operation without any previous authentication. It is possible to remotely retrieve sensitive wireless configuration parameters, such as Wi-Fi SSID, Encryption types, keys and passphrases, along with other additional information. It is also possible to remotely modify such parameters and configure the device without any knowledge of the web administration password. Remote reboot is another operation that an attacker may perform in an unauthenticated way, possibly triggering a Denial-of-Service condition. POC: - Remote reboot python -c 'print \x05 + \x00 * 7' | nc -u IP_ADDR 2003 - Retrieving Wi-Fi SSID python -c 'print \x03 + \x00 * 7 + \x21\x27\x00' | nc -o ssid.txt -u IP_ADDR 2003 cat ssid.txt (cleartext SSID displayed after 21 27 xx xx in the received datagram) - Retrieving WPA2 PSK python -c 'print \x03 + \x00 * 7 + \x23\x27\x00\x00\x24\x27\x00' | nc -u -o pass.txt IP_ADDR 2003 cat pass.txt (cleartext WPA2 PSK displayed after 24 27 xx xx in the received datagram) Impacts: Remote extraction of sensitive information Modification of existing device configuration POssible Denial-of-Service Solutions Workaround: Not available Additional Information -- Timeline (dd/mm/yy): 17/02/2010: Vulnerability discovered 17/02/2010: No suitable technical/security contact on Global/Regional website. No contact available on OSVDB website 18/02/2010: Point of contact requested to customer service --- No response --- 26/05/2010: Partial disclosure at CONFidence 2010 28/06/2010: This advisory Additional information available at http://www.icysilence.org
IS-2010-003 - Linksys WAP54Gv3 debug.cgi Cross-Site Scripting
Security Advisory IS-2010-003 - Linksys WAP54Gv3 debug.cgi Cross-Site Scripting Advisory Information Published (dd/mm/yy): 23/06/2010 Updated (dd/mm/yy): 23/06/2010 Manufacturer: Linksys Model: WAP54G Hardware version: v3.x Firmware version: ver.3.05.03 (Europe) ver.3.04.03 (US) Vulnerability Details - Class: Cross-Site Scripting Public References: Not Assigned Platform: Successfully tested on Linksys WAP54Gv3 loaded with firmware version Ver.3.05.03 (Europe) Vulnerability present also on firmware ver.3.04.03 (US) Other models and/or firmware versions may be also affected. Background Information: Linksys WAP54G is a wireless access points that allow wireless clients connectivity to wired networks. Supported 802.11b and 802.11g protocols, with data rates up to 54Mbit/s. Summary: A cross-site scripting vulnerability is present in the debug.cgi page, that is accessible by using proper debug credentials Details: The debug.cgi page act as debug interface for the Linksys WAP54Gv3 and is accessible by authenticating with proper debug credentials at the following URL: http://AP_IP_ADDR/debug.cgi where AP_IP_ADDR is the IP address of the device. Commands to be executed by the system are sent within the data1 POST variable, while the command output is returned within a textarea tag in the output html page. Output is not sanitized in any way, allowing for a Cross-site scripting condition that can be triggered by any command that includes a /textarea closing tag in its output. Additional text following such tag will be interpreted as regular HTML by the accessing user browser, allowing for injection of Javascript code, that will be run in the context of the presented web page. Proof of Concept: echo /textareascriptalert('XSS');/script Impacts: The vulnerability may allow an attacker to access the output of commands during a Remote blind attack, where malicious web pages are used by the attacker over the Internet to execute code on a victim access point with private addressing, by leveraging an user browser as a 3rd party reflector. This would also allow an attacker to extract information and configuration stored on devices that are not even able to access the Internet (eg: firewall policy, gateway not configured) Solutions Workaround: Not available Additional Information -- Timeline (dd/mm/yy): 09/11/2009: Requested Point of Contact to Linksys 10/11/2009: Received Point of Contact 10/11/2009: Vulnerability details sent 12/11/2009: Received clarification request on firmware version 12/11/2009: Additional details sent 16/01/2010: Requested update on vulnerability status. --- No update received --- 23/06/2010: This advisory Additional information available at http://www.icysilence.org
IS-2010-002 - Linksys WAP54Gv3 Remote Debug Root Shell
Security Advisory IS-2010-002 - Linksys WAP54Gv3 Remote Debug Root Shell Advisory Information Published: 2010-06-08 Updated: 2010-06-08 Manufacturer: Linksys Model: WAP54G Hardware version: v3.x Firmware version: ver.3.05.03 (Europe) ver.3.04.03 Vulnerability Details - Class: Remote Code Execution Public References: Not Assigned Platform: Succesfully tested on Linksys WAP54Gv3 loaded with firmware version Ver.3.05.03 (Europe) Vulnerability present also on firmware ver.3.04.03 (US) Other models and/or firmware versions may be also affected. Background Information: Linksys WAP54G is a wireless access points that allow wireless clients connectivity to wired networks. Supported 802.11b and 802.11g protocols, with data rates up to 54Mbit/s. Summary: A debug interface allowing for the execution of root privileged shell commands is available on dedicated web pages on the device. Hardcoded credentials, that cannot be changed by user, can be used for accessing the debug interface. Details: A web page that allows executing shell commands on device is available at the following URLs: http://AP_IP_ADDR/Debug_command_page.asp http://AP_IP_ADDR/debug.cgi where AP_IP_ADDR is the IP address of the device. Authentication is required in order to access the aforementioned URLS, but the configured admin credentials used for accessing the administration interface, will not be sufficient for a successful authentication. The following credentials must be supplied in order to be authenticated: User: Gemtek Password: gemtekswd and access a debug web page that can be used for submitting shell commands via a dedicated web form. Such credentials are hardcoded in the firmware and cannot be changed by user by any means available on the administration web interface. They can be used for accessing only the debug web pages specified above, and cannot be used for authenticating to the administration web interface. Submitted commands are included within data1 form variable, sent via a POST request to the web server, and executed with the httpd web server privileges, that is running with root privileges on the system, allowing for complete remote control of the access point. Two additional variables, data2 and data3 are processed by web server code, but are not present in the form on the debug web page. Command injection is also possible in data2 and data3 payload by using typical shell commands concatenation. Impacts: Remote access and modifications to access point settings and configuration. Remote extraction of sensitive information such as credentials for logging into the administration interface, Wi-FI SSIDs and passphrases. Remote download and execution of malicious applications. Remote blind attacks, where malicious web pages are used by an attacker over the Internet to execute code on a victim access point with private addressing, by leveraging an user browser as a 3rd party reflector, may be also possible. Effectiveness of the aforementioned attack scenarios is increased because of the hardcoded credentials. Solutions Workaround: Not available Additional Information -- Timeline: 09/11/2009: Requested Point of Contact to Linksys 10/11/2009: Received Point of Contact 10/11/2009: Vulnerability details sent 11/12/2009: Received clarification request on firmware version 11/12/2009: Additional details sent 16/01/2010: Requested update on vulnerability status. --- No update received --- 26/05/2010: Vulnerability disclosed at CONFidence 2010 08/06/2010: This advisory Additional information available at http://www.icysilence.org
IS-2010-001 - Netgear WG602v4 Saved Pass Stack Overflow
Security Advisory IS-2010-001 - Netgear WG602v4 Saved Pass Stack Overflow Advisory Information Published: 2010-05-30 Updated: 2009-05-30 Manufacturer: Netgear Model: WG602v4 Firmware version: V1.1.0 (Europe) Vulnerability Details - Class: Buffer Overflow Code Execution: Yes Public References: Not Assigned Successfully tested on: Netgear WG602v4 loaded with firmware version 1.1.0 (Europe) Other models and/or firmware versions may be also affected. Summary: A stack based buffer overflow can be triggered by choosing an overly long admin password. Details: A buffer overflow condition can be triggered during the authentication process to the device web interface. Such process is handled by function auth_authorize(), where password saved in flash memory is used for validating submitted credentials, and is copied into a fixed size buffer on the stack, without performing any length check. Buffer overflow can be triggered by saving an admin password longer than 128 characters and occurs at each authentication attempt before the submitted credentials are validated, potentially allowing for unauthenticated remote exploitation. But, valid credentials are required in order to change administrator password and save it in flash memory, hence, for vulnerability exploitation. Password can be changed via a dedicated web page on the management interface: client side restrictions present on on the password lenght can be easily bypassed by an attacker. Impact: Remote code execution with root level privileges. Solutions Workaround: Not available Additional Information - Available at http://www.icysilence.org