Penetration Testing mailing list archives

iXsecurity-Cryptanalysis Lucent Orinoco CM


From: ingeborn () ixsecurity com
Date: Mon, 12 Nov 2001 14:49:14 +0100




iXsecurity November 9th 2001

-[ SUMMARY ]-

Lucent Orinoco Client Manager stores SSID and WEP secret for all known profiles
in the Windows registry. The WEP secret is encrypted and the algorithm is not,
as far as we know and up until today, publicly documented.

During an assignment, a client asked about the risks of losing a configured
laptop :-) There are at least two (bad) things an attacker can do to obtain
access to the WaveLan:

1. It is possible to copy the values directly from one laptop to another
   and then connect to the WaveLan. Thus, the result of the encryption is
   neither salted nor unique to the installation.
2. It is possible to reverse the encryption to get the plain text WEP secret
   and then use it to configure another card.

-[ ALGORITHM ]-

The algorithm is short and we give an overview here.

It runs in blocks of three plain text characters. They are expanded into a
block of 5 cipher text characters. Every plain text character affects two
characters in a cipher text block (but cipher text character 2 is only
affected by plain text character 1). The last plain text character in one
block also affects the first cipher text character of the next block.

Thus the blocks are chained together, i.e. they cannot be decrypted
independently of each other. The start value for the very first plain text
block may be seen as an IV. For each of the three plain text characters in
a plain text block there is a separate permutation, mask and addition.

-[ PROGRAM ]-

We have written a program that can be used to encrypt WEP secrets into
registry values or to decrypt registry values into plain text WEP secrets.
To test this, we use ORiNOCO Client Manager ver. 1.18 and Windows 2000.
The program is available at http://www.cqure.net/lrc/

Anders Ingeborn, ingeborn () ixsecurity com
Patrik Karlsson, patrik.karlsson () ixsecurity com
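
The block structure described under ALGORITHM, as a toy model. This is an added example, not the program from cqure.net and not the ORiNOCO algorithm: the IV, permutations, masks, additions, the byte-wise layout of the five output characters and all function names are constructed here purely to show the dependency and chaining pattern.

```python
# Toy model only: the tables and constants below are constructed for this
# example and are NOT the ORiNOCO Client Manager values.
IV = 0x5A                                            # hypothetical start value
PERMS = [[(a * x + b) % 256 for x in range(256)]     # one permutation per position
         for a, b in ((5, 17), (13, 101), (29, 7))]  # odd multiplier => bijection
INV = [{v: i for i, v in enumerate(p)} for p in PERMS]
MASKS = (0x3C, 0xA5, 0x69)
ADDS = (11, 47, 93)

def _t(i, p):
    """Position-specific permutation, then mask, then addition."""
    return ((PERMS[i][p] ^ MASKS[i]) + ADDS[i]) % 256

def _t_inv(i, t):
    return INV[i][((t - ADDS[i]) % 256) ^ MASKS[i]]

def encode(secret: bytes) -> bytes:
    """3 plaintext bytes -> 5 output bytes, chained through `carry`."""
    data = secret + b"\x00" * (-len(secret) % 3)     # zero-pad to whole blocks
    out, carry = bytearray(), IV
    for k in range(0, len(data), 3):
        t1, t2, t3 = (_t(i, data[k + i]) for i in range(3))
        out += bytes([(t1 + carry) % 256,   # c1: p1 and previous block's p3
                      t1 ^ 0xFF,            # c2: p1 only
                      t2,                   # c3: p2
                      t2 ^ t3,              # c4: p2 and p3
                      t3])                  # c5: p3
        carry = t3
    return bytes(out)

def decode(blob: bytes) -> bytes:
    """Inverse of encode(); needs no secret, only the fixed tables."""
    out, carry = bytearray(), IV
    for k in range(0, len(blob), 5):
        c1, c2, c3, c4, c5 = blob[k:k + 5]
        t1 = c2 ^ 0xFF
        if (t1 + carry) % 256 != c1 or c3 ^ c5 != c4:
            raise ValueError("chaining check failed at block %d" % (k // 5))
        out += bytes(_t_inv(i, t) for i, t in enumerate((t1, c3, c5)))
        carry = c5
    return bytes(out).rstrip(b"\x00")

def changed_positions(a: bytes, b: bytes):
    """Indexes where two equal-length encodings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
```

Because neither function takes a key or a per-installation value, an encoded blob decodes identically on any machine, which is the property both numbered risks in the summary rely on.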


