  Hofbrau
@rr.com
| Remotely Exploitable Vulnerability In All D-Link Gateways
»www.eeye.com/html/Research/Upcom···dex.html
Vendor: D-Link
Severity: High (Remote Code Execution)
Date Reported: February 27, 2006
Days Since Initial Report: 109
Description: A vulnerability in D-Link routers allows for code execution and the compromise of the router.
Software Affected: D-Link firmware
D-Link were notified back in February, and nary a word or firmware update has been made available to address this issue.
This vulnerability apparently affects all (or several) gateway models.
It does allow remote code execution, which means complete control over the gateway (and any/all network traffic/data).
Due to eEye's adherence to "responsible disclosure" protocols for security vulnerabilities, specific details are not available, and, therefore, users' and admins' networks/connections are left completely at risk.
That means that aside from replacing (permanently or temporarily) the D-Link gateway, nothing can be knowingly done to prevent exploitation.
Users should be aware that continued usage of any/all D-Link gateway models puts their networks/internet connections at risk of complete compromise, until such time as firmware updates are released that specifically address this critical vulnerability.
Cogitate, Hofbrau |
|
 latinuser_uy
join:2004-07-15 UY
| I saw this one about the DWL-2100ap (haven't tested it myself):
»www.intruders.com.br/adv0206en.html »www.securitytracker.com/alerts/2···234.html
SecurityTracker Alert ID: 1016234
SecurityTracker URL: »securitytracker.com/id?1016234
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 6 2006
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): D-Link DWL-2100ap; firmware version 2.10na
Description: A vulnerability was reported in the D-Link DWL-2100ap wireless router. A remote user can obtain sensitive information from the target device.
A remote user can directly request files in the '/cgi-bin/' directory with a '.cfg' file extension to obtain the device configuration.
A demonstration exploit URL is provided:
»[target]/cgi-bin/Intruders.cfg
Wendel Guglielmetti Henrique and the Intruders Tiger Team Security discovered this vulnerability.
The original advisory is available at:
»www.intruders.com.br/adv0206en.html
Impact: A remote user can obtain the device configuration, including password information.
Solution: The vendor has reportedly issued a firmware patch, available at:
»www.dlink.com.br/internet/downlo···0343.tfp
Vendor URL: www.dlink.com/
Cause: Access control error
Message History: None. |
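As an added illustration (not part of the advisory or of any post in this thread): a small detection check that flags HTTP request lines matching the unauthenticated `/cgi-bin/<anything>.cfg` pattern the advisory describes, as one might run over request lines pulled from a LAN-side capture. The sample request lines are constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample of HTTP request lines (e.g. extracted from a LAN
# packet capture); the file names are made up for this example.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/config.cfg HTTP/1.1",
    "GET /cgi-bin/Intruders.cfg HTTP/1.0",
    "GET /cgi-bin/nada.CFG?x=1 HTTP/1.1",      # case and query string vary
    "GET /cgi-bin/%6eada.cfg HTTP/1.1",        # percent-encoded path
    "GET /cgi-bin/status.cgi HTTP/1.1",        # normal CGI, not flagged
    "GET /index.html HTTP/1.1",
    "POST /cgi-bin/login HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def is_cfg_disclosure_request(request_line: str) -> bool:
    """True if the request matches the DWL-2100AP disclosure pattern:
    any request for /cgi-bin/<anything>.cfg. The advisory and the
    thread report that the device returned its configuration for
    arbitrary file names, so the name itself is deliberately not checked."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return False  # not a well-formed request line; ignore
    # Drop the query string, then percent-decode so encoded variants match.
    path = unquote(urlsplit(m.group("target")).path).lower()
    return path.startswith("/cgi-bin/") and path.endswith(".cfg")


def scan_requests(lines):
    """Return the request lines that should raise an alert."""
    return [line for line in lines if is_cfg_disclosure_request(line)]


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print("ALERT: possible config disclosure request:", hit)
```

A firmware fix removes the underlying access-control error; this check only helps spot the pattern on devices that cannot yet be patched.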
|
  DLinkSupprt3
join:2002-10-02 Fountain Valley, CA
| reply to Hofbrau Although there has been no official notification, we have released firmware for a few of the affected router models that fixes this vulnerability. The models with firmware posted on our support site are the DI-604, DI-784, and EBR-2310. For the models for which a fix has not yet been released, we are currently in the process of testing firmwares and will be releasing them as soon as they are ready. -- D-Link Building Networks for People |
|
 michaelr7
join:2004-03-26 Tucson, AZ
| reply to Hofbrau DLinkSupprt3,
Is a list of affected router models available so that users may take precautions until a firmware with the fix is available? If not, the only recourse is to pull all D-Link devices from our/our clients' networks. -- Tucson, AZ (W) - Sedona, AZ (H) |
|
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR
·Comcast
·AT&T Southwest
| reply to DLinkSupprt3 said by DLinkSupprt3 :Although there has been no official notification, we have released firmware for a few of the affected router models that fixes this vulnerability. The models with firmware posted on our support site are the DI-604, DI-784, and EBR-2310. For the models that a fix has not yet been released, we are currently in the process of testing firmwares and will be releasing them as soon as they are ready. I have a DI-784 but the current firmware on the site hasn't changed since v2.40, 3/22/2006. Surely this is not a release for the 784 that fixes the vulnerability. Unless the fixed firmware is at another location on the site...Beta?? |
|
 joe_dude
join:2005-06-17 Winnipeg, MB
| reply to Hofbrau Woah! How did this fly under the radar?!?
So would someone from D-Link please list the affected gateway/routers!!!!!
Looking at the description of the new DI-604 firmware, it's a fix for a DoS attack? I thought it was more serious than that.... |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| reply to Hofbrau I could not reproduce this on my DI-624 using the steps in »www.intruders.com.br/adv0206en.html ...
The alleged output file format is also very usual for that type of router.
Can anyone? |
|
 ozzy_0
join:2002-12-04 Kingston, ON | reply to jbob I am also at a loss in finding the patched firmware for the DI-784 anywhere on the Dlink site. Please advise where we can obtain it. |
|
  Hofbrau
@rr.com
| reply to joe_dude "So would someone from D-Link please list the affected gateway/routers!!!!!"
Notice the supposed D-Link tech didn't list the affected gateway models - only the ones (3..with no qualifications for different revisions for the same model such as the 604) with supposedly "patched" firmware updates.
Considering the lack of communication from D-Link preceding this posting, and from D-Link within this thread, you must assume that every current/recent gateway model is vulnerable.
"Looking at the description of the new DI-604 firmware, it's a fix for a DoS attack? I thought it was more serious than that...."
D-Link is minimizing the extent and nature of the remotely exploitable vulnerability that allows for complete system subjugation of every gateway model they produce/produced?
This would be the same flaw that they have yet to officially and publicly acknowledge of their own accord in any significant and specific and detailed manner, right? (That might be considered minimization as well..perhaps?)
They are clearly taking this seriously, what with the way they have considerately allowed their users to continue to use their extremely vulnerable insecure gateway products none-the-wiser, with no workarounds or mitigation steps being provided or offered.
You can see how seriously they are taking this what with the way they offered a patched firmware for Revision E 604s, but not for any of the earlier revisions. Hey, I know, only the E revision of the 604 is affected, you can read the details about it in their security advisory...oops...what advisory? Never mind.
Nothing like issuing a patch for some revisions of some gateway models for a security vulnerability that exists (apparently) in all revisions of all gateway models, without a security advisory to accompany it to explain the details.
Who says they don't care about or take seriously security?
Surprised?
I know I am.
Cogitate, Hofbrau |
|
  Hofbrau
@rr.com
| reply to funchords "I could not reproduce this on my DI-624 using the steps in »www.intruders.com.br/adv0206en.html ...
The alleged output file format is also very usual for that type of router.
Can anyone?"
I sure hope no one can, since the vulnerability listed there was pretty specific to the DWL-2100 AP.
I know I can't.
Perhaps because they are two different vulnerabilities, with two different advisories?
Reading works - really.
Perhaps more time should be spent honing up the reading skills rather than apologism and minimization skills, but, that would probably only result in more time spent ambiguously and ignorantly (and amusingly) naysaying the "NAT Traversal" aspect of the UPnP IGD 1.0 specification under the general idea of "UPnP is insecure".
Cogitate, Hofbrau |
|
  Hofbrau
@rr.com
| reply to ozzy_0 "I am also at a loss in finding the patched firmware for the DI-784 anywhere on the Dlink site. Please advise where we can obtain it."
The D-Link tech may be implying that the 2.40 firmware dated as of 3/22/06 fixes the vulnerability.
»support.dlink.com/products/view.···DI%2D784
It does in fact list as the first item "Fixed DOS issue".
(They meant "DoS issue", though, if they took this seriously at all, they would have typed out "Denial-of-Service Security Issue" to be a little more clear. However, that's a minimization of the actual vulnerability, which is in fact remotely exploitable and allows for complete system takeover, assuming it's the same security issue at all that it's referring to. It's not like they have provided any specific documentation or details about the problem/patch.)
Surely, you didn't expect him to come right out and tell you which firmware version for which model/revision addresses the issue, did you?
I mean, that would be like, useful support, like, and stuff.
If they were like to do like that, you might like get the idea like that they like take this security stuff like seriously dude.
Cogitate, Hofbrau |
|
 latinuser_uy
join:2004-07-15 UY
1 edit | reply to Hofbrau Hi, I tested the dwl-2100ap vulnerability, from an unauthenticated browser, tried the url »ip-of-my-dwl2100ap/cgi-bin/config.cfg
I got a config file for download. It contained the wireless key in plain text format, plus the "admin" key in plain text, among other configuration stuff.
Then I tried »ip-of-my-dwl2100ap/cgi-bin/nada.cfg and toto.cfg : same results.
HW DWL-2100AP FW 2.00
I'm using the DWL-2100ap in AP mode, WPA-PSK. From the PC I was running the browser from, I had another browser which had an expired session (up from yesterday night) to the DWL-2100ap (the 2100ap would ask me for user/password as soon as I click on any option). I'll try again doing this first thing after rebooting my computer. I guess that's going to be after I come back from the office.
There seems to be a 2.2 fw for the dwl2100ap from some non-us site, has anyone tried that one?
Regards. |
|
 joe_dude
join:2005-06-17 Winnipeg, MB | reply to Hofbrau So what happens to other users that have older versions of routers or in different countries?
This could be seriously bad...! |
|
  DLinkSupprt3
join:2002-10-02 Fountain Valley, CA
| The routers that could be affected by this are:
DI-524, DI-604, DI-624, DI-784, EBR-2310, WBR-1310, WBR-2310
We have released firmware for the following models:
DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04
Firmware for the other models is currently being tested. We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it. -- D-Link Building Networks for People |
|
Anonymous_ Anonymous Premium join:2004-06-21 127.0.0.1 clubs: | reply to Hofbrau um, glad to have my linksys |
|
 joe_dude
join:2005-06-17 Winnipeg, MB | reply to Hofbrau Linksys? Not! |
|
 Foxbat121
join:2001-04-25 Herndon, VA | reply to Hofbrau Glad to see good old Hofbrau hasn't changed a bit. |
|
 joe_dude
join:2005-06-17 Winnipeg, MB | reply to DLinkSupprt3 DLinkSupprt3, thanks for the update.
IMHO, unlike regular users, I think it helps to let us know what's going on, so we all don't switch to another brand tomorrow. |
|
 JTS33
join:2003-05-03 USA
| reply to DLinkSupprt3 said by DLinkSupprt3 :the problem found has to do with UPnP Ironically, disabling UPnP in the router control panel is what causes many DI-624 Rev. C3 to randomly reboot. |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| reply to DLinkSupprt3 said by DLinkSupprt3 :The routers that could be affected by this are: DI-524 DI-604 DI-624 DI-784 EBR-2310 WBR-1310 WBR-2310 We have released firmware for the following models: DI-604 - 3.52 DI-784 - 2.40 EBR-2310 - 1.04 Firmware for the other models is currently being tested. We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it. I'm sorry, but this is making no sense to me at all.
First, D-Link does not list the 2100ap above.
Second, the exploit mentioned seems to have nothing to do with UPnP.
I'm perfectly willing to end up with egg on my face -- but is D-Link sure that we're talking about the same vulnerability?
-- Robb the Very Confused -- Robb Topolski -= funchords.com =- Hillsboro, Oregon USA ~ Keeper of the D-Link FAQ ~ Did you Search? ~ More features, Free! Join BBR! ~ |
|