Hello list!

I want to warn you about security vulnerabilities in D-Link DAP 1150 (WiFi
Access Point and Router).

These are Predictable Resource Location, Brute Force and Cross-Site Request
Forgery vulnerabilities. This is my second advisory from series of
advisories about vulnerabilities in D-Link products.

SecurityVulns ID: 12076.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: D-Link DAP 1150, Firmware version 1.2.94. This
model with other firmware versions also must be vulnerable.

----------
Details:
----------

Predictable Resource Location (WASC-34):

http://192.168.0.50

The control panel of device is placed at default path with default login and
password (admin:admin). Which allows for local users (which have access to
PC or via LAN) and also for remote users via Internet (via CSRF) to get
access to control panel and change router's settings.

Default above-mentioned settings - it's standard practice of developers of
ADSL routers and other network devices, but D-Link became changing this
situation in their new devices.

For protecting against problems with default password, D-Link made the next
in admin panel: at the first enter to admin panel it's obligatory needed to
change a password. I.e. before changing settings it's needed to change
default password. And all developers of network devices should use such
approach. But Windows-application for configuration of the device, which is
bundled on CD, doesn't change a password, only change other settings of
access point. Thus it's possible to configure the device with leaving of
default password, which will leave the device vulnerable to attacks.

Brute Force (WASC-11):

In login form http://192.168.0.50 there is no protection against Brute Force
attacks. Which allows to pick up password (if it was changed from default),
particularly at local attack. E.g. via LAN malicious users or virus at some
computer can conduct attack for picking up the password, if it was changed.

CSRF (WASC-09):

Lack of protection against Brute Force (such as captcha) also leads to
possibility of conducting of CSRF attacks, which I wrote about in the
article Attacks on unprotected login forms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).
It allows to conduct remote login. Which will be in handy at conducting of
attacks on different CSRF vulnerabilities in control panel, which I'll tell
you about later.

------------
Timeline:
------------

2011.11.17 - found vulnerabilities.
2011.12.09 - disclosed at my site.
2011.12.11 - informed developers.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5558/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua