RE: Advisory: WZCS vulnerabilities

From: Brian J. Bartlett (brian.bartlett_at_gmail.com)
Date: 10/05/05

    To: <bugtraq@securityfocus.com>
    Date: Wed, 5 Oct 2005 00:37:55 -0700
    
    

    Which is why I refuse to go wireless at this point. I've yet to see an
    implementation that is totally secure, and the vendors are no help to
    this point. It sounds good, whichever OS we are talking about, with
    whatever they are saying at the moment, but when it comes down to brass
    tacks, the security just isn't there.

    Brian J. Bartlett
    Statistician, Systems Engineer/Analyst/Security, Econometrician
    (Why yes, I am a polymath. Sue me.)

    -----Original Message-----
    From: donctl [mailto:donctl@gmail.com]
    Sent: Tuesday, October 04, 2005 1:55 AM
    To: bugtraq@securityfocus.com
    Subject: Advisory: WZCS vulnerabilities

    Summary

    "The Wireless Zero Configuration system service enables automatic
    configuration for IEEE 802.11 wireless adapters for wireless
    communication."

    There are two closely related vulnerabilities:

        * Once the "View Available Wireless Networks" dialogue box is
    opened the Pair-wise Master Keys of the WPA pre-shared key
    authentication and WEP keys of the given interface can be found in the
    memory of the explorer process, even after closing the dialog box.

        * The Wireless Zero Configuration Service can be queried by any
    user without administrator privilege to get the WEP keys and WPA
    Pair-wise Master Keys.

    Details

    Remote: No
    Risk: low
    Vulnerable Systems:

        * Windows XP SP2

        * Windows XP SP2 with http://support.microsoft.com/?id=893357

    Immune Systems: No version other than SP2 was tested.
    Published: 04.10.2005

    The WZCS has an RPC interface with some callable functions.
    RpcQueryInterface allows local users to get certain data about a
    wireless interface, for example the SSID/key pairs. The WEP keys are
    in clear text. The WPA pre-shared key is not disclosed, but the PMK is
    enough to connect to a wireless network (e.g. you can use
    http://hostap.epitest.fi/wpa_supplicant/ which accepts the PMK as an
    authentication data).

    I found this vulnerability when I realised that if the "View Available
    Wireless Networks" is open, the WPA PMKs and WEP keys can be found in
    the memory of the explorer process. The dialog is implemented in
    wzcdlg.dll that uses wzcsapi.dll which implements WZCQueryInterface.
    If you call WZCQueryInterface with the right parameters you can get
    the desired information.

    Wzcsapi.dll is not documented in Windows XP. However, you can find
    some information in the Windows CE documentation. With some debugging
    and the help of the aforementioned documentation writing an exploit
    code is not a difficult task.

    The vulnerabilities were found and the advisory was published by
    László Tóth (donctl at gmail dot com).

    Special thanks goes to Lajos Antal and Balázs Boda.

    History:
    Vulnerabilities were discovered in March, 2005.
    Vendor was notified 20th March, 2005.
    The vendor rated the vulnerabilities as low security issues. They
    said you need the "debug program" privilege to access this information
    (I tested it; you do not). Therefore they wrote the following:
    "At this point, we are looking at possibly shipping a fix for this
    issue in a Service Pack, although, there is a strong likelihood that
    we will be looking to addressing the issue in the next version of the
    product."
    Vendor released a feature enhancement patch
    (http://support.microsoft.com/?id=893357) that is not related to
    these issues.
    Vendor was notified 9th May, 2005 that the feature enhancement did not
    change the behaviour of the WZCS service regarding the
    vulnerabilities.
    The Vendor stated they did not intend to fix the vulnerabilities with
    this patch and they wrote:
    "We feel that the most appropriate ship vehicle for this issue is the
    next version of the product which is Longhorn in this case."
    At this point the decision was made to publish this advisory.

    For more information please visit
    http://www.soonerorlater.hu/index.khtml?article_id=62.
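As an added example that is not part of the advisory or the reply: the standard WPA-PSK key derivation (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID), showing why a disclosed PMK is as good as the passphrase for joining the network and why a leaked PMK is invalidated only by changing the passphrase or SSID. The test vector is the one published in IEEE 802.11i; the function names are my own.

```python
import hashlib
import hmac

# Constructed example, not code from the advisory. It reproduces the
# WPA/WPA2-PSK derivation so the relationship between passphrase and PMK
# (the value the advisory says WZCS hands out) is concrete.

PBKDF2_ITERATIONS = 4096  # fixed by the WPA-PSK specification
PMK_LEN = 32              # 256-bit Pairwise Master Key


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA-PSK Pairwise Master Key from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),   # the SSID is the salt, so the PMK is SSID-bound
        PBKDF2_ITERATIONS,
        PMK_LEN,
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    """64-hex-character form: the same value wpa_supplicant accepts as psk=."""
    return wpa_psk_pmk(passphrase, ssid).hex()


def leaked_pmk_still_valid(leaked_pmk_hex: str, passphrase: str, ssid: str) -> bool:
    """After a suspected disclosure, confirm that the network was actually
    re-keyed: a leaked PMK that still matches the current settings means the
    rotation did not happen (or only an unrelated setting was changed)."""
    return hmac.compare_digest(leaked_pmk_hex.lower(), pmk_hex(passphrase, ssid))


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(pmk_hex("password", "IEEE"))
    # Same passphrase on a renamed network yields an unrelated PMK
    print(pmk_hex("password", "IEEE-guest"))
```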


