Date: 28 Jan 2002 10:06:43 -0000
From: dario luethi <dlu@remote-exploit.org>
To: bugtraq@securityfocus.com
Subject: Intel WLAN Driver storing 128bit WEP-Key in plain text!

Intro:
while doing some troubleshooting i found a bug on a compaq evo n600c, with an integrated 802.11b card connected via usb (on the back of the display) running as Intel(R) PRO/Wireless 2011B LAN USB Device.

Description:
the WEP-Key is stored in plain text in the registry. the permissions on the specific key are weak enough that every local user has read access and can extract it via regedit.exe or an equivalent tool. a driver from another vendor (for example: Actiontec PrismII) stores the 128bit key in an encrypted form in the same place in the registry.

Howto:
Easy way: if you open the properties dialog of your WLAN-Card and click on the "Advanced" tab, you can find an entry displaying the WEP-Key in plaintext (only as administrator). a normal user doesn't have access to this "Advanced" tab. this happened with the latest driver version from the Compaq Support Page (version 1.5.16.0). I tried to get the latest driver from intel, which is Version 1.5.18.0 (downloaded on 24th January 2002). The newer release fixed one part by not showing the entry in the "Advanced" tab.
Always-working way: let's look @ the registry

General: the security policies on
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008]

Owner:       local Administrator
Owner Group: local Administrators

Permissions
Name:                  Permission:     Apply to:
local Administrator    Full Control    This Key and Subkeys
local Power Users      Read            This Key and Subkeys
local Users            Read            This Key and Subkeys
Owner                  Full Control    Subkeys only
System                 Full Control    This Key and Subkeys

but if you look @ the registry under
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008]
^^ look for your correct device section ^^
(no matter which of the 2 noted driver versions is used) you find the string entry

"DefaultKeys"="364e01815b300d8038abc5ff00000000000000"

where the first 12 Hex-values show the WEP key in plaintext:
"364e01815b300d8038abc5ff"

on another system, the new driver (1.15.18.0) added additional keys under the same context noted above:

"Profiles\Default\WepKey"
"Key128"="2544801583660d7009abcdef00000000000000"
"DefKeyId128"="1

if this wep-key belongs to anyone, i apologize. this key is freely invented by my fingers on the keyboard!
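
A check for the condition described above, as an added example that is not part of the original post: it scans the text of a regedit export for the DefaultKeys and Key128 values under the network adapter class key and reports where they sit without echoing the key. The sample export is constructed, the function and constant names are hypothetical, and treating trailing zero padding as a sign of an unencrypted value is an assumption drawn from the two values shown in the post.

```python
import re

# Network adapter class GUID and value names taken from the advisory.
NET_CLASS = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
KEY_VALUES = {"DefaultKeys", "Key128"}

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"$')
HEX = re.compile(r"[0-9a-fA-F]+")

def audit_reg_export(text):
    """Return (key_path, value_name, hex_digits, looks_plain) per finding.

    The key material itself is never returned, only its length.
    """
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = section.group(1)
            continue
        value = STRING_VALUE.match(line)
        if not value or current is None:
            continue
        name, data = value.groups()
        if NET_CLASS.lower() not in current.lower() or name not in KEY_VALUES:
            continue
        body = data.rstrip("0")
        # Assumption: 8+ hex digits of zero padding mean an unencrypted buffer.
        looks_plain = bool(HEX.fullmatch(data)) and bool(body) and len(data) - len(body) >= 8
        findings.append((current, name, len(body), looks_plain))
    return findings

# Constructed sample export; none of these values come from a real system.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008]
"DriverDesc"="Example WLAN adapter"
"DefaultKeys"="a1b2c3d4e5f60718293a4b5c00000000000000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\Profiles\Default\WepKey]
"Key128"="0f1e2d3c4b5a69788796a5b400000000000000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011]
"DefaultKeys"="9c41e7d25b8a03f6c1d4427ae95b360fd781c2"
'''

if __name__ == "__main__":
    for path, name, digits, plain in audit_reg_export(SAMPLE):
        print(f"{'PLAINTEXT?' if plain else 'opaque':10} {name} ({digits} hex digits) in [{path}]")
```

A regedit export carries no ACL information, so the read permission for local Users on the flagged key still has to be confirmed on the host itself.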