RE: Advisory: WZCS vulnerabilities

From: Brian J. Bartlett (
Date: 10/05/05

  • Next message: NGSSoftware Insight Security Research: "Patches available for critical flaws in HP Openview"
    To: <>
    Date: Wed, 5 Oct 2005 00:37:55 -0700

    Which is why I refuse to go wireless at this point. I've yet to see an
    implementation yet that is totally secure, and the vendors are no help to
    this point. It sounds good, whichever OS we are talking about, with
    whatever they are saying at the moment, but when it comes down to brass
    tacks, the security just isn't there.

    Brian J. Bartlett
    Statistician, Systems Engineer/Analyst/Security, Econometrician
    (Why yes, I am a polymath. Sue me.)

    -----Original Message-----
    From: donctl []
    Sent: Tuesday, October 04, 2005 1:55 AM
    Subject: Advisory: WZCS vulnerabilities


    "The Wireless Zero Configuration system service enables automatic
    configuration for IEEE 802.11 wireless adapters for wireless

    There are two closely related vulnerabilities:

        * Once the "View Available Wireless Networks" dialogue box is
    opened the Pair-wise Master Keys of the WPA pre-shared key
    authentication and WEP keys of the given interface can be found in the
    memory of the explorer process, even after closing the dialog box.

        * The Wireless Zero Configuration Service can be queried by any
    user without administrator privilege to get the WEP keys and WPA
    Pair-wise Master Keys.


    Remote: No
    Risk: low
    Vulnerable Systems:

        * Windows XP SP2

        * Windows XP SP2 with

    Immune Systems: No other than SP2 was tested
    Published: 04.10.2005

    The WZCS has an RPC interface with some callable functions.
    RpcQueryInterface allows local users to get certain data about a
    wireless interface, for example the SSID/key pairs. The WEP keys are
    in clear text. The WPA pre-shared key is not disclosed, but the PMK is
    enough to connect to a wireless network (e.g. you can use which accepts the PMK as an
    authentication data).

    I found this vulnerability when I realised that if the "View Available
    Wireless Networks" is open, the WPA PMKs and WEP keys can be found in
    the memory of the explorer process. The dialog is implemented in
    wzcdlg.dll that uses wzcsapi.dll which implements WZCQueryInterface.
    If you call the WZQueryInterface with the right parameters you can get
    the desired information.

    Wzcsapi.dll is not documented in Windows XP. However, you can find
    some information in the Windows CE documentation. With some debugging
    and the help of the aforementioned documentation writing an exploit
    code is not a difficult task.

    The vulnerabilities were found and the advisory was published by
    László Tóth (donctl at gmail dot com).

    Special thanks goes to Lajos Antal and Balázs Boda.

    Vulnerabilities were discovered in March, 2005.
    Vendor was notified 20th March, 2005.
    The vendor stated the vulnerabilities as low security issues. They
    said you need "debug program" privilege to access this information (I
    tested it, you do not need). Therefore they wrote the following:
    "At this point, we are looking at possibly shipping a fix for this
    issue in a Service Pack, although, there is a strong likelihood that
    we will be looking to addressing the issue in the next version of the
    Vendor released a feature enhancement patch
    ( that is not related to
    these issues.
    Vendor was notified 9th May, 2005 that the feature enhancement did not
    change the behaviour of the WZCS service regarding the
    The Vendor stated they did not intend to fix the vulnerabilities with
    this patch and they wrote:
    "We feel that the most appropriate ship vehicle for this issue is the
    next version of the product which is Longhorn in this case."
    At this point the decision was made to publish this advisory.

    For more information please visit

  • Next message: NGSSoftware Insight Security Research: "Patches available for critical flaws in HP Openview"