Message-ID: <3EBFC44D.7020006@atstake.com>
Date: Mon, 12 May 2003 11:57:01 -0400
From: "@stake Advisories" <advisories@...take.com>
To: bugtraq@...urityfocus.com
Subject: Apple AirPort Administrative Password Obfuscation (a051203-1)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
@stake, Inc.
www.atstake.com
Security Advisory
Advisory Name: Apple AirPort Administrative Password Obfuscation
Release Date: 05/12/2003
Application: AirPort Base Station (ALL)
Platform: AirPort Base Station
Severity: Sensitive information disclosure
Author: Jeremy Rauch <jrauch@...take.com>
Dave G. <daveg@...take.com>
Vendor Status: Notified, see response below
CVE Candidate: CAN-2003-0270
Reference: www.atstake.com/research/advisories/2003/a051203-1.txt
Overview:
Apple's AirPort device is a wireless access point, providing
802.11 services to network clients. Authentication credentials are
obfuscated, and then sent over the network. If an AirPort is
administered over the Ethernet interface or via an insecure (non-WEP)
wireless connection, an attacker that can sniff the network can
obtain administrative access to the AirPort.
Details:
Apple's AirPort device is a wireless access point, providing
802.11 services to network clients. This device is managed through a
proprietary administrative protocol over a TCP port (5009/tcp).
Authentication credentials are obfuscated, and then sent over the
network.
The authentication credentials, a password with a maximum length of
32 characters, are XOR'd against a predefined key. When sent over
the network, the password is sent out in a 32 byte fixed block.
@stake was able to determine the key by setting a one character
password and monitoring the network traffic. This revealed 31 bytes
of the XOR 'key'. The final byte can be obtained by XORing the
obfuscated first byte against the first character of the plaintext
password.
If an AirPort is administered over the Ethernet interface or via an
insecure (non-WEP) wireless connection, an anonymous attacker that
can sniff the network can obtain administrative access to the
AirPort. If WEP is enabled, then the attack is limited to WEP
authenticated attackers.
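The fixed-key XOR scheme described in the Details section can be modelled in a few lines to show why it offers no confidentiality. This is an added example, not code from @stake or Apple: DEMO_KEY is a constructed stand-in (the advisory does not publish the real key), and zero-byte padding of the 32 byte block is an assumption consistent with a one character password exposing 31 key bytes.

```python
BLOCK_LEN = 32  # fixed block size stated in the advisory

# Constructed stand-in key for the demonstration; NOT the AirPort key.
DEMO_KEY = bytes((i * 7 + 13) % 256 for i in range(BLOCK_LEN))


def _pad(password: bytes) -> bytes:
    """Zero-pad the password to the fixed block length (assumed padding)."""
    if len(password) > BLOCK_LEN:
        raise ValueError("password exceeds the 32 character maximum")
    return password.ljust(BLOCK_LEN, b"\x00")


def obfuscate(password: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Model of the scheme: XOR the padded password against a fixed key."""
    return bytes(p ^ k for p, k in zip(_pad(password), key))


def recover_key(observed_block: bytes, known_password: bytes) -> bytes:
    """XOR is its own inverse: block XOR known plaintext yields the key."""
    return bytes(o ^ p for o, p in zip(observed_block, _pad(known_password)))


def deobfuscate(block: bytes, key: bytes) -> bytes:
    """Reverse the obfuscation and strip the zero padding."""
    return bytes(b ^ k for b, k in zip(block, key)).rstrip(b"\x00")


def demo():
    # Step 1: a one character password is set and its block observed.
    probe = obfuscate(b"A")
    # Padding bytes are zero, so bytes 1..31 of the block ARE the key bytes.
    leaked_tail = probe[1:]
    # Step 2: the first key byte comes from XORing with the known character.
    key = recover_key(probe, b"A")
    # Step 3: any other block protected by the same fixed key is now readable.
    other = obfuscate(b"s3cret-admin")  # constructed sample password
    return leaked_tail == DEMO_KEY[1:], key == DEMO_KEY, deobfuscate(other, key)


if __name__ == "__main__":
    tail_leaks, key_found, recovered = demo()
    print("31 key bytes visible in block:", tail_leaks)
    print("full key recovered:", key_found)
    print("recovered password:", recovered.decode())
```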
Vendor Response:
The recommendation is to administer the AirPort Base Station either
via a wired connection or via a WEP-protected wireless connection.
Recommendation:
The only way to securely administer the AirPort Base Station is by
connecting to it via a cross-over cable. In environments where this
is not practical, it is advised that the AirPort Base Station be
managed through the Ethernet network, and not the wireless network.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2003-0270 Apple AirPort Administrative Password Obfuscation
@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/
@stake Advisory Archive:
http://www.atstake.com/research/advisories/
PGP Key:
http://www.atstake.com/research/pgp_key.asc
@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@...take.com.
Copyright 2003 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA+AwUBPr+6AUe9kNIfAm4yEQKLIQCgs7QHABeuD5xQkx2V+n+lGqPzqnoAljk5
wSw2iptcVgJtq6NnFMUT8R8=
=lyTk
-----END PGP SIGNATURE-----