Apple AirPort Administrative Password Obfuscation (a051203-1)

From: _at_stake Advisories (_at_stake)
Date: 05/12/03

    Date: Mon, 12 May 2003 11:57:01 -0400
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                    @stake, Inc.
                                  www.atstake.com

                                 Security Advisory

    Advisory Name: Apple AirPort Administrative Password Obfuscation
     Release Date: 05/12/2003
      Application: AirPort Base Station (ALL)
         Platform: AirPort Base Station
         Severity: Sensitive information disclosure
           Author: Jeremy Rauch <jrauch@atstake.com>
                   Dave G. <daveg@atstake.com>
    Vendor Status: Notified, see response below
    CVE Candidate: CAN-2003-0270
        Reference: www.atstake.com/research/advisories/2003/a051203-1.txt

    Overview:

    Apple's AirPort device is a wireless access point, providing
    802.11 services to network clients. Authentication credentials are
    obfuscated, and then sent over the network. If an AirPort is
    administered over the Ethernet interface or via an insecure (non WEP)
    wireless connection, an attacker that can sniff the network can
    obtain administrative access to the AirPort.
          
     
    Details:

    Apple's AirPort device is a wireless access point, providing
    802.11 services to network clients. This device is managed through a
    proprietary administrative protocol over a TCP port (5009/tcp).
    Authentication credentials are obfuscated, and then sent over the
    network.

    The authentication credentials, a password with a maximum length of
    32 characters, are XOR'd against a predefined key. When sent over
    the network, the password is sent out in a 32 byte fixed block.
    @stake was able to determine the key by setting a one character
    password and monitoring the network traffic. This revealed 31 bytes
    of the XOR 'key'. The final byte can be obtained by XORing the
    obfuscated first byte against the first character of the plaintext
    password.

    If an AirPort is administered over the Ethernet interface or via an
    insecure (non WEP) wireless connection, an anonymous attacker that
    can sniff the network can obtain administrative access to the
    AirPort. If WEP is enabled, then the attack is limited to WEP
    authenticated attackers.

    Vendor Response:

    The recommendation is to administer the AirPort Base Station either
    via a wired connection or via a WEP-protected wireless connection.

    Recommendation:

    The only way to securely administer the AirPort Base Station is by
    connecting to it via a cross-over cable. In environments where this
    is not practical, it is advised that the AirPort Base Station be
    managed through the Ethernet network, and not the wireless network.

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

      CAN-2003-0270 Apple AirPort Administrative Password Obfuscation

    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    @stake is currently seeking application security experts to fill
    several consulting positions. Applicants should have strong
    application development skills and be able to perform application
    security design reviews, code reviews, and application penetration
    testing. Please send resumes to jobs@atstake.com.

    Copyright 2003 @stake, Inc. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA+AwUBPr+6AUe9kNIfAm4yEQKLIQCgs7QHABeuD5xQkx2V+n+lGqPzqnoAljk5
    wSw2iptcVgJtq6NnFMUT8R8=
    =lyTk
    -----END PGP SIGNATURE-----
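
The Details section explains why XOR against a fixed key gives the password no confidentiality once one plaintext/ciphertext pair is known. The sketch below models that property; it is an added example, not code from @stake or Apple. `DEMO_KEY` is a constructed stand-in rather than the device's key, zero-byte padding of the 32-byte block is an assumption inferred from the advisory's "31 bytes" observation, and the function names are hypothetical.

```python
BLOCK_LEN = 32  # fixed block size stated in the advisory

# Constructed stand-in for the static key (NOT the real device value).
DEMO_KEY = bytes((i * 7 + 0x5A) & 0xFF for i in range(BLOCK_LEN))


def _pad(password: bytes) -> bytes:
    """Zero-pad to the fixed block length (padding byte is an assumption)."""
    if len(password) > BLOCK_LEN:
        raise ValueError("password longer than 32 bytes")
    return password.ljust(BLOCK_LEN, b"\x00")


def obfuscate(password: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Model of the scheme: padded password XOR static key."""
    return bytes(p ^ k for p, k in zip(_pad(password), key))


def recover_key(block: bytes, known_password: bytes) -> bytes:
    """Known-plaintext recovery: key = observed block XOR padded password."""
    return bytes(b ^ p for b, p in zip(block, _pad(known_password)))


def deobfuscate(block: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so the same key undoes the obfuscation."""
    return bytes(b ^ k for b, k in zip(block, key)).rstrip(b"\x00")


if __name__ == "__main__":
    # With a one-character password, bytes 1..31 of the block are the key
    # itself, because they were XORed with zero padding.
    probe = obfuscate(b"a")
    print("bytes 1..31 equal key:", probe[1:] == DEMO_KEY[1:])

    # Byte 0 follows from XORing the first obfuscated byte with 'a'.
    key = recover_key(probe, b"a")
    print("full key recovered:", key == DEMO_KEY)

    # Any other block protected with the same static key is now readable.
    other = obfuscate(b"s3cret-admin")  # constructed sample password
    print("deobfuscated:", deobfuscate(other, key))
```

Because the key never changes, nothing short of an encrypted transport or an isolated management link (the advisory's cross-over cable recommendation) protects the credential.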
     

