RE: Advisory: WZCS vulnerabilities
From: Brian J. Bartlett (brian.bartlett_at_gmail.com)
To: <email@example.com> Date: Wed, 5 Oct 2005 00:37:55 -0700
Which is why I refuse to go wireless at this point. I've yet to see an
implementation yet that is totally secure, and the vendors are no help to
this point. It sounds good, whichever OS we are talking about, with
whatever they are saying at the moment, but when it comes down to brass
tacks, the security just isn't there.
Brian J. Bartlett
Statistician, Systems Engineer/Analyst/Security, Econometrician
(Why yes, I am a polymath. Sue me.)
From: donctl [mailto:firstname.lastname@example.org]
Sent: Tuesday, October 04, 2005 1:55 AM
Subject: Advisory: WZCS vulnerabilities
"The Wireless Zero Configuration system service enables automatic
configuration for IEEE 802.11 wireless adapters for wireless
There are two closely related vulnerabilities:
* Once the "View Available Wireless Networks" dialogue box is
opened the Pair-wise Master Keys of the WPA pre-shared key
authentication and WEP keys of the given interface can be found in the
memory of the explorer process, even after closing the dialog box.
* The Wireless Zero Configuration Service can be queried by any
user without administrator privilege to get the WEP keys and WPA
Pair-wise Master Keys.
* Windows XP SP2
* Windows XP SP2 with http://support.microsoft.com/?id=893357
Immune Systems: No other than SP2 was tested
The WZCS has an RPC interface with some callable functions.
RpcQueryInterface allows local users to get certain data about a
wireless interface, for example the SSID/key pairs. The WEP keys are
in clear text. The WPA pre-shared key is not disclosed, but the PMK is
enough to connect to a wireless network (e.g. you can use
http://hostap.epitest.fi/wpa_supplicant/ which accepts the PMK as an
I found this vulnerability when I realised that if the "View Available
Wireless Networks" is open, the WPA PMKs and WEP keys can be found in
the memory of the explorer process. The dialog is implemented in
wzcdlg.dll that uses wzcsapi.dll which implements WZCQueryInterface.
If you call the WZQueryInterface with the right parameters you can get
the desired information.
Wzcsapi.dll is not documented in Windows XP. However, you can find
some information in the Windows CE documentation. With some debugging
and the help of the aforementioned documentation writing an exploit
code is not a difficult task.
The vulnerabilities were found and the advisory was published by
László Tóth (donctl at gmail dot com).
Special thanks goes to Lajos Antal and Balázs Boda.
Vulnerabilities were discovered in March, 2005.
Vendor was notified 20th March, 2005.
The vendor stated the vulnerabilities as low security issues. They
said you need "debug program" privilege to access this information (I
tested it, you do not need). Therefore they wrote the following:
"At this point, we are looking at possibly shipping a fix for this
issue in a Service Pack, although, there is a strong likelihood that
we will be looking to addressing the issue in the next version of the
Vendor released a feature enhancement patch
(http://support.microsoft.com/?id=893357) that is not related to
Vendor was notified 9th May, 2005 that the feature enhancement did not
change the behaviour of the WZCS service regarding the
The Vendor stated they did not intend to fix the vulnerabilities with
this patch and they wrote:
"We feel that the most appropriate ship vehicle for this issue is the
next version of the product which is Longhorn in this case."
At this point the decision was made to publish this advisory.
For more information please visit