lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3EBFC44D.7020006@atstake.com>
Date: Mon, 12 May 2003 11:57:01 -0400
From: "@stake Advisories" <advisories@...take.com>
To: bugtraq@...urityfocus.com
Subject: Apple AirPort Administrative Password Obfuscation (a051203-1)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                                @stake, Inc.
                              www.atstake.com

                             Security Advisory

Advisory Name: Apple AirPort Administrative Password Obfuscation
 Release Date: 05/12/2003
  Application: AirPort Base Station (ALL)
     Platform: AirPort Base Station
     Severity: Sensitive information disclosure
       Author: Jeremy Rauch <jrauch@...take.com>
               Dave G. <daveg@...take.com>
Vendor Status: Notified, see response below
CVE Candidate: CAN-2003-0270
    Reference: www.atstake.com/research/advisories/2003/a051203-1.txt


Overview:

Apple's AirPort device is a wireless access point, providing
802.11 services to network clients.  Authentication credentials are
obfuscated, and then sent over the network.  If an AirPort is
administered over the Ethernet interface or via an insecure (non WEP)
wireless connection, an attacker that can sniff the network can
obtain administrative access to the AirPort.
      
 
Details:

Apple's AirPort device is a wireless access point, providing
802.11 services to network clients.  This device is managed through a
proprietary administrative protocol over a TCP port (5009/tcp). 
Authentication credentials are obfuscated, and then sent over the
network. 

The authentication credentials, a password with a maximum length of
32 characters, are XOR'd against a predefined key.  When sent over
the network, the password is sent out in a 32 byte fixed block. 
@stake was able to determine the key by setting a one character
password and monitoring the network traffic.  This revealed 31 bytes
of the XOR 'key'.  The final byte can be obtained by XORing the
obfuscated first byte against the first character of the plaintext
password.

If an AirPort is administered over the Ethernet interface or via an
insecure (non WEP) wireless connection, an anonymous attacker that
can sniff the network can obtain administrative access to the
AirPort.  If WEP is enabled, then the attack is limited to WEP
authenticated attackers.


Vendor Response:

The recommendation is to administer the AirPort Base Station either
via a wired connection or via a WEP-protected wireless connection.


Recommendation:

The only way to securely administer the AirPort Base Station is by
connecting to it via a cross-over cable.  In environments where this
is not practical, it is advised that the AirPort Base Station be
managed through the Ethernet network, and not the wireless network. 


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0270 Apple AirPort Administrative Password Obfuscation


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to jobs@...take.com.

Copyright 2003 @stake, Inc. All rights reserved.





-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA+AwUBPr+6AUe9kNIfAm4yEQKLIQCgs7QHABeuD5xQkx2V+n+lGqPzqnoAljk5
wSw2iptcVgJtq6NnFMUT8R8=
=lyTk
-----END PGP SIGNATURE-----
 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ