[EXPL] Lucent ORiNOCO Registry Decryption
From: support@securiteam.com Date: 12/13/01
From: support@securiteam.com To: list@securiteam.com Date: Thu, 13 Dec 2001 23:22:13 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Lucent ORiNOCO Registry Decryption
------------------------------------------------------------------------
SUMMARY
Lucent <http://www.orinocowireless.com/> ORiNOCO Client Manager stores
SSID and WEP secret for all known profiles in the Windows registry. The
WEP secret is encrypted and the algorithm was not publicly documented.
However, this algorithm can be reversed and this opens the product to
attack.
DETAILS
Vulnerable systems:
ORiNOCO version 1.18
There are at least two (bad) things an attacker who obtains these registry
values can do to gain access to the WaveLan:
1. Copy the values directly from one laptop's registry into another and
then connect to the WaveLan. The result of the encryption is therefore
neither salted nor unique to the installation.
2. Reverse the encryption to recover the plain text WEP secret and then use
it to configure another card.
Algorithm:
The algorithm is short:
It runs in blocks of three plain text characters, each expanded into a
block of 5 cipher text characters. Every plain text character affects two
characters in a cipher text block (cipher text character 2, however, is
affected only by plain text character 1). The last plain text character in
one block also affects the first cipher text character of the next block.
The blocks are thus chained together, i.e. they cannot be decrypted
independently of each other. The start value for the very first plain text
block may be seen as an IV. For each of the three plain text characters in
a plain text block there is a separate permutation, mask, and addition.
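To make that structure concrete, here is an added toy model of the scheme as described above; it is not the advisory's tool and not the real ORiNOCO algorithm, and every constant (ROT, MASK, ADD, IV) and the zero-padding rule are hypothetical placeholders. It shows why such a scheme gives no protection: the transform is fully invertible and, with a fixed IV and no per-machine salt, identical secrets yield identical registry values on every install.

```python
# Toy model: 3 plaintext bytes -> 5 ciphertext bytes, a separate
# permutation/mask/addition per position, blocks chained through the last
# plaintext byte, fixed IV. All constants are HYPOTHETICAL placeholders.
ROT = (1, 3, 5)             # hypothetical bit-rotation "permutation" per position
MASK = (0x5A, 0xC3, 0x3C)   # hypothetical XOR mask per position
ADD = (0x11, 0x22, 0x33)    # hypothetical modular addition per position
IV = 0x7E                   # hypothetical fixed start value, same on every install

def _rotl(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF

def _rotr(b, n):
    return ((b >> n) | (b << (8 - n))) & 0xFF

def _t(i, p):      # per-position transform: permutation, then mask, then add
    return ((_rotl(p, ROT[i]) ^ MASK[i]) + ADD[i]) & 0xFF

def _t_inv(i, t):  # its inverse: each step is a bijection on one byte
    return _rotr(((t - ADD[i]) & 0xFF) ^ MASK[i], ROT[i])

def encrypt(secret: bytes) -> bytes:
    data = secret + b"\x00" * (-len(secret) % 3)  # zero-pad to 3-byte blocks (assumption)
    out, carry = bytearray(), IV
    for i in range(0, len(data), 3):
        t0, t1, t2 = (_t(j, data[i + j]) for j in range(3))
        out += bytes([
            (carry + (t0 >> 4)) & 0xFF,        # c0: previous block's carry + p0
            t0 & 0x0F,                         # c1: depends on p0 only
            t1 >> 4,                           # c2: p1
            (t1 & 0x0F) | ((t2 & 0x0F) << 4),  # c3: p1 and p2
            t2 >> 4,                           # c4: p2
        ])
        carry = t2                             # p2 also shapes the next block's c0
    return bytes(out)

def decrypt(blob: bytes) -> bytes:
    out, carry = bytearray(), IV
    for i in range(0, len(blob), 5):
        c0, c1, c2, c3, c4 = blob[i:i + 5]
        t0 = (((c0 - carry) & 0xFF) << 4) | (c1 & 0x0F)  # undo carry, rejoin nibbles
        t1 = (c2 << 4) | (c3 & 0x0F)
        t2 = (c4 << 4) | (c3 >> 4)
        out += bytes(_t_inv(j, t) for j, t in enumerate((t0, t1, t2)))
        carry = t2
    return bytes(out).rstrip(b"\x00")  # strip the padding (assumption: ASCII keys)

if __name__ == "__main__":
    key = b"S3cretWEPkey1"  # constructed 13-byte (104-bit) WEP key
    print(encrypt(key).hex(), decrypt(encrypt(key)))
```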
Program:
A small tool has been written that can be used to encrypt WEP secrets into
registry values or to decrypt registry values into plain text WEP secrets.
This was tested on ORiNOCO Client Manager version 1.18 and Windows 2000.
ADDITIONAL INFORMATION
The tool to decrypt/encrypt can be downloaded from:
http://www.cqure.net/tools03.html
The information has been provided by <mailto:ingeborn@ixsecurity.com>
Anders Ingeborn and <mailto:patrik.karlsson@ixsecurity.com> Patrik
Karlsson.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.