
access points

Boa (with Intersil Extensions) - HTTP Basic Authentication Bypass

Advisory URL: http://www.securenetwork.it/advisories/

*** SUMMARY ***

Boa is a single-tasking HTTP server. That means that, unlike traditional web servers, it does not fork for each incoming connection, nor does it fork many copies of itself to handle multiple connections.
Boa is very low on hardware usage and is therefore used on many embedded systems, including routers, wireless access points and portable devices.
The Intersil isl3893 is an ARM9 System on Chip for wireless access points. The goal of the project is to make an embedded distribution built around uclibc and uclinux.

It is possible to overwrite the "admin" password in memory, thus allowing an attacker to gain access to the web interface and alter configuration parameters. This vulnerability can be combined with another known vulnerability (CVE-2000-0920) to read arbitrary files from the device filesystem.

It is important to note that Boa httpd does not have any authentication code built in; the flaw is inside the Intersil extensions, but this cannot be confirmed because no source code has been released.

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless
LAN Controllers are responsible for system-wide wireless LAN functions,
such as security policies, intrusion prevention, RF management, quality
of service (QoS), and mobility.

These devices communicate with Controller-based Access Points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight
Access Point Protocol (LWAPP).

This Security Advisory describes multiple distinct vulnerabilities in
the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These

Marvell Driver EAPoL-Key Length Overflow

------
* Marvell Driver EAPoL-Key Length Overflow

Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
MARVELL-based Netgear WN802T) do not correctly parse malformed EAPoL-Key
packets. This packet type is used for unicast and multicast key derivation
(the 4-way handshake and the group key handshake) of any secured
wireless connection (WPA-PSK, WPA2-PSK, WPA-EAP, WPA2-EAP).


Trango Broadband Wireless Rogue SU Authentication Bug

ethernet packets broadcast from the Access Point to the Subscriber Unit
and potentially allows injection into the communication from the Subscriber Unit
to the Access Point.

There are two parts to the 5830 series radio system, an Access Point and
a Subscriber Unit. Access Points are generally deployed at a radio tower
or smaller repeater sites, and the Subscriber Units on a client's building.
The radios are designed to be mounted externally, and have a single
Ethernet feed and integrated antenna.

These radios are straight Ethernet bridges; there is no routing

[security bulletin] HPSBHF02819 SSRT100920 rev.2 - HP, 3COM, and H3C Routers & Switches, Remote Disclosure of Information

3Com
 WX 5004 Access Controller
 3CRUWX500475

HP
 WX6103 Access Controller Support up to 128 Access Points
 JF247A

BACKGROUND

CVSS 2.0 Base Metrics

Re: Linksys WAP610N Unauthenticated Root Console

> http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt
> 
> 
> *** SUMMARY ***
> 
> Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.
> 
> An unauthenticated remote textual administration console has been found that
> allows an attacker to run system commands as the root user.
> 
> 

[security bulletin] HPSBHF02819 SSRT100920 rev.1 - HP, 3COM, and H3C Routers & Switches, Remote Disclosure of Information

3Com
 WX 5004 Access Controller
 3CRUWX500475

HP
 WX6103 Access Controller Support up to 128 Access Points
 JF247A

BACKGROUND

CVSS 2.0 Base Metrics

Re: Linksys WRT54 GL - Session riding (CSRF)

> 
> ============
> 
> 
> 
> The Linksys Wireless-G Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which lets you connect both screaming fast Wireless-G (802.11g at 54Mbps) and Wireless-B (802.11b at 11Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect your wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as you need. Finally, the Router function ties it all together and lets your whole network share a high-speed cable or DSL Internet connection.
> 
> 
> 
> 
> 

[security bulletin] HPSBGN02589 SSRT100296 rev.1 - HP ProCurve Access Points, Access Controllers, and Mobility Controllers, Privilege Escalation

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02544568
Version: 1

HPSBGN02589 SSRT100296 rev.1 - HP ProCurve Access Points, Access Controllers, and Mobility Controllers, Privilege Escalation

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-10-13
Last Updated: 2010-10-13

RE: Verizon FIOS (and DSL?) wireless access point insecure default WEP key

This is true for every Actiontec router I've tested. In each case,
the MAC was listed by kismet in the list of connected clients, and in
every case the WEP key was the last 40 bits of this MAC.

Verizon FIOS (and DSL?) access points are detectable due to their
predictable default ESSID, which is a 5 character string of random
letters and numbers (i.e. A1BC3 or AB123, etc.).




Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless
LAN functions, such as security policies, intrusion prevention, RF
management, quality of service (QoS), and mobility.

These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP) and the Control and
Provisioning of Wireless Access Points (CAPWAP) protocol.

The Cisco WLC family of devices is affected by 2 denial of service

ManageEngine ServiceDesk 8.0 - Multiple Vulnerabilities

========
Multiple persistent input validation vulnerabilities are detected in ManageEngine's ServiceDesk v8.0 Plus web application.
The bugs allow remote attackers to inject malicious script code on the application side (persistent).
Two vulnerabilities are located in the My Details and Request New Incidents modules of the web front-end, with the bound
vulnerable name, subject and description parameters. Exploitation requires low user interaction and a low-privileged
customer web application user account. The second set of bugs is located in the New Contract, Access Points and
Create Solution modules of the admin/moderator back-end, with the bound vulnerable title, asset name, contract name, description
or support name parameters. Successful exploitation of the vulnerability can lead to session hijacking (customer/manager/admin), persistent
phishing or stable (persistent) web context manipulation.



Linksys WRT54 GL - Session riding (CSRF)

Introduction
============

The Linksys Wireless-G Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which lets you connect both screaming fast Wireless-G (802.11g at 54Mbps) and Wireless-B (802.11b at 11Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect your wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as you need. Finally, the Router function ties it all together and lets your whole network share a high-speed cable or DSL Internet connection.


Security Risk
=============
Linksys WRT54GL is prone to an authentication-bypass vulnerability. Reportedly, the device permits changes in its configuration settings without requiring authentication (CSRF).

CONFidence 2010, 25-26th May - Call For Participation

# Vincenzo Iozzo - "0-Knowledge fuzzing"
# Daniel Mende - "Hacking Cisco Enterprise WLANs"
# Shawn Merdinger - "We Don’t Need No Stinkin’ Badges: Hacking Electronic Door Access Controllers"
# Yaniv Miron - "Microsoft Patch Analysis"
# Joseph Moti - "Don’t Touch My Winny"
# Cristofaro Mune - "(Too Much) Access Points – Exploitation Roundup"
# Chris Palmer - "Web browser PKI/SSL security policy weaknesses and a potential solution – research with the Electronic Frontier Foundation"
# Alexey Tikhonow - "De-blackboxing of digital camera"
# Zook Wilcox O’Hearn - "Tahoe-LAFS"

########## REGISTRATION ##########

Linksys WAP610N Unauthenticated Root Console

http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt


*** SUMMARY ***

Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.

An unauthenticated remote textual administration console has been found that
allows an attacker to run system commands as the root user.



Re: Android wireless accepts fake response (No interaction requires) (Vulnerability ?)

for my client's employees to buy some coffee at the ground floor and,
therefore, I can steal the "WPA handshake" for the employees. Then, I need
to spend some time cracking the WPA key. If I successfully crack the
key, I can now connect with the Android devices of my client's employees
and they might think that they are connecting with the very powerful
access points of their workplace. At this point, I could launch
karmetasploit-style attacks in order to get malware into the device.
None of the steps here requires me to get onto my client's networks.




Enterpriser16 LoadBalancer v7.1 - Multiple Web Vulnerabilities

The bug allows remote attackers to inject their own malicious script code on the application side (persistent) of the service.

The first vulnerabilities are located in the `Edit Configuration` module, with the bound vulnerable Label, Virtual Host, Request to
send, Email Alerts and Response expected parameters.

The second set of vulnerabilities is located in the Create Solution, Access Points and New Contract modules, with the bound vulnerable
title, asset name, contract name, name or description parameter requests.

Exploitation requires low user interaction and a low-privileged application user account. Successful exploitation of the vulnerability
can lead to persistent session hijacking (manager/admin), persistent phishing or persistent module web context manipulation.


Leak of SNMP write password via SNMP read community in NETGEAR WG102 - Prosafe 802.11g Access Point

Dear all,

After informing Netgear about the unsafe handling of passwords on their WG102 Access Points, nothing happened for several weeks. To inform other users about the potential threat to their networks, I decided to share my findings.

WG102 offers the typical SNMP write & SNMP read community password 'protection'. SNMPv2 is already known for weak security, yet NETGEAR goes one step further:

the SNMP write community (password) is accessible in cleartext via the MIB which is readable via the SNMP read community.

Affected Versions:
 - Netgear WG102

Cisco Security Advisory: Cisco Wireless Control System Tomcat mod_jk.so Vulnerability

Details
=======

The Cisco Wireless Control System is a centralized, systems-level
platform for managing and controlling lightweight access points,
wireless LAN controllers, and Wireless Location Appliances for the
Cisco Unified Wireless Network. The Cisco Wireless Control System uses
Apache Tomcat. A vulnerability in Apache Tomcat may allow for remote
code execution attacks. The mod_jk.so URI handler does not handle long
URLs correctly. An insecure memory copy triggers an exploitable stack

Atheros Driver Reserved Frame Vulnerability

------
* Atheros Driver Reserved Frame Vulnerability

Summary:
--------
* The wireless driver in some Wi-Fi access points (such as the
ATHEROS-based Netgear WNDAP330) does not correctly parse malformed
reserved management frames.

Assigned CVE:
-------------

Cisco Security Advisory: Cisco Wireless Control System Conversion Utility Adds Default Password

=======

CiscoWorks WLSE is a centralized, systems-level application for managing and
controlling an entire autonomous Cisco wireless LAN (WLAN) infrastructure. The
Cisco Wireless Control System (WCS) is a centralized, systems-level application
for managing and controlling lightweight access points and wireless LAN
controllers for the Cisco Unified Wireless Network.

A CiscoWorks WLSE can be converted to a Cisco WCS using a utility that can be
ordered from Cisco. There are two administrative accounts on the Wireless
Control System (WCS): a Linux root account and Cisco WCS root account.

IS-2010-003 - Linksys WAP54Gv3 debug.cgi Cross-Site Scripting

The vulnerability is also present on firmware version 3.04.03 (US).
Other models and/or firmware versions may also be affected.


Background Information:
Linksys WAP54G is a wireless access point that allows wireless clients
connectivity to wired networks.
It supports the 802.11b and 802.11g protocols, with data rates up to 54 Mbit/s.


Summary:

Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and ASA Appliances

+---------------------

Filters that deny TLS packets using TCP port 443 and MGCP packets on UDP
port 2427 should be deployed throughout the network as part of a transit
ACL (tACL) policy for protection of traffic which enters the network at
ingress access points. This policy should be configured to protect the
network device where the filter is applied and other devices behind it.
Filters for TLS packets using TCP port 443 and MGCP packets on UDP port
2427 should also be deployed in front of vulnerable network devices so
that traffic is only allowed from trusted clients.


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless
LAN functions, such as security policies, intrusion prevention, RF
management, quality of service (QoS), and mobility.

These devices communicate with controller-based access points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP) and the Control and
Provisioning of Wireless Access Points (CAPWAP) protocol.

The Cisco WLC family of devices is affected by the following

Marvell Driver Multiple Information Element Overflows

------
* Marvell Driver Multiple Information Element Overflows

Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
MARVELL-based Linksys WAP4400N) do not correctly parse information
elements included in association requests. Most information elements are
used by the wireless access point and clients to advertise their
capabilities (regarding rates, network name, cryptographic capabilities...).


Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module

+---------------------

Filters that deny HTTPS packets using TCP port 443 and MGCP packets on
UDP port 2427 should be deployed throughout the network as part of a
transit ACL (tACL) policy for protection of traffic which enters the
network at ingress access points. This policy should be configured to
protect the network device where the filter is applied and other devices
behind it. Filters for HTTPS packets using TCP port 443 and MGCP packets
on UDP port 2427 should also be deployed in front of vulnerable network
devices so that traffic is only allowed from trusted clients.


Cisco Security Advisory: Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities

It is possible to mitigate these vulnerabilities with access control
lists (ACL). Filters that deny ICMP Echo Request, TCP port 22 (SSH),
TCP port 23 (Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and
TCP/UDP port 5060 (SIP) should be deployed at voice/data network
boundaries as part of a tACL policy for protection of traffic which
enters the network at ingress access points. This policy should be
configured to protect the network device and other devices behind it
where the filter is applied.

Additional information about tACLs is available in "Transit Access
Control Lists: Filtering at Your Edge":

IS-2010-006 - D-Link DAP-1160 formFilter buffer overflow

Note: Only firmware version major numbers are displayed on the
administration web interface: 1.20, 1.30, 1.31


Background Information:
D-Link DAP-1160 is a wireless access point that allows wireless clients
connectivity to wired networks.
It supports the 802.11b and 802.11g protocols, with WEP, WPA and WPA2 supported.


Summary:

Copyright © 1995-2013 LinuxRocket.net. All rights reserved.