SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   Intel PRO/Centrino/Wireless LAN Series
Vendors:   Intel
Intel PRO/Wireless LAN Device Discloses Wireless Encryption Key to Local Users
SecurityTracker Alert ID:  1003380
SecurityTracker URL:  http://securitytracker.com/id/1003380
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 28 2002
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): Driver versions 1.5.16.0 and 1.5.18.0; possibly others
Description:   A vulnerability was reported in Intel's PRO/Wireless 2011B Local Area Network (LAN) device. A local user can view the wireless encryption protocol (WEP) key for the device.

It is reported that the WEP key is stored in plain text in the registry and is accessible to any local user. The key is reportedly stored under the following type of Registry entry:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008]

Depending on the driver version, the key may be located in the DefaultKeys value:

"DefaultKeys"="364e01815b300d8038abc5ff00000000000000"

In this example, the first 12 hexadecimal byte values (24 hex digits) contain the 128-bit WEP key.

Impact:   A local user can view the WEP key in the registry.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.intel.com/network/connectivity/products/wlan_family.htm
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  28 Jan 2002 10:06:43 -0000
Subject:  Intel WLAN Driver storing 128bit WEP-Key in plain text!




Intro:
while doing some troubleshooting i found a bug on a compaq evo n600c, with an integrated 802.11b card connected via usb (on the back of the display) running as Intel(R) PRO/Wireless 2011B LAN USB Device.

Description:
the WEP-Key is stored plain to the registry. the permission to the specific key is weak enough that every local user has read access and can extract it via regedit.exe or an equivalent tool. a driver from other vendors (as example: Actiontec PrismII) stores the 128bit key in an encrypted form to the same place in the registry.

Howto:

Easy way:
if you open up the properties dialog of your WLAN-Card and click to the "Advanced" tab, you can find an entry displaying the WEP-Key plaintext (only as administrator). a normal user doesn't have access to this "Advanced" tab. this happened with the latest driver version from Compaq Support Page (version 1.5.16.0). I tried to get the latest driver from intel which is Version 1.5.18.0 (downloaded on 24th January 2002). The newer release fixed one part by not showing the entry in the "Advanced" tab.

Everytime working way:
let's look @ the registry
General:

the security policies on

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008]

Owner: local Administrator
Owner Group: local Administrators

Permissions

Name                  Permission     Apply to
local Administrator   Full Control   This Key and Subkeys
local Power Users     Read           This Key and Subkeys
local Users           Read           This Key and Subkeys
Owner                 Full Control   Subkeys only
System                Full Control   This Key and Subkeys


but if you look @ registry under

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008]
^^ look for your correct device section ^^

(no matter which of the 2 noted driver versions used)

you find the string entry
"DefaultKeys"="364e01815b300d8038abc5ff00000000000000"

where the first 12 Hex-values show the WEP key in plaintext.
"364e01815b300d8038abc5ff"


on another system with the new driver (1.15.18.0) added additional keys under the same context noted above: "Profiles\Default\WepKey"
"Key128"="2544801583660d7009abcdef00000000000000"
"DefKeyId128"="1

if this wep-key belongs to anyone, i apologize. this key is free invented from my fingers on the keyboard!
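
A defensive audit for the condition reported above, as an added PowerShell example that is not part of the advisory or the reporter's message: it lists adapter subkeys that hold the `DefaultKeys` or `Key128` values named on this page and the low-privilege groups allowed to read them, without printing the key material. The SID table, the `-ClassKey` parameter and the report column names are choices made for this example.

```powershell
# Added audit example (not from the advisory or the reporter's message).
# Reports where the value names listed on this page exist and which
# low-privilege groups may read them. Key material is never printed.
param(
    # Path as given on this page; pass a different control set if needed.
    [string]$ClassKey = 'HKLM:\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
)

# Value names from the page: subkey relative to the device key -> value name.
$targets = @(
    @{ SubKey = '';                        ValueName = 'DefaultKeys' },
    @{ SubKey = 'Profiles\Default\WepKey'; ValueName = 'Key128' }
)

# Well-known SIDs of non-administrative principals (locale independent).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-547' = 'Power Users'
}
$readBit = [System.Security.AccessControl.RegistryRights]::QueryValues

foreach ($dev in Get-ChildItem -LiteralPath $ClassKey -ErrorAction SilentlyContinue) {
    foreach ($t in $targets) {
        $key = if ($t.SubKey) { $dev.OpenSubKey($t.SubKey) } else { $dev }
        if ($null -eq $key -or $null -eq $key.GetValue($t.ValueName)) { continue }

        # Read the ACL with identities as SIDs. Only Allow entries are
        # considered; Deny entries are not evaluated by this check.
        $acl   = Get-Acl -LiteralPath ($key.Name -replace '^HKEY_LOCAL_MACHINE', 'HKLM:')
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $readers = foreach ($r in $rules) {
            $sid = $r.IdentityReference.Value
            if ($r.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and
                ($r.RegistryRights -band $readBit)) { $lowPriv[$sid] }
        }

        [pscustomobject]@{
            Key         = $key.Name
            Value       = $t.ValueName
            Length      = ([string]$key.GetValue($t.ValueName)).Length
            LowPrivRead = ($readers | Sort-Object -Unique) -join ', '
        }
    }
}
```

Rows with a non-empty LowPrivRead column match the condition the advisory describes: a stored key value that local non-administrative users can read.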

 
 



Copyright 2012, SecurityGlobal.net LLC