SecuriTeam - Apple AirPort Administrative Password Obfuscation

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Apple's AirPort device is a wireless access point, providing 802.11 services to network clients. Authentication credentials are obfuscated, and then sent over the network. If an AirPort is administered over the Ethernet interface or via an insecure (non-WEP) wireless connection, an attacker that can sniff the network can obtain administrative access to the AirPort.

Credit:
The original advisory can be downloaded from:
http://www.atstake.com/research/advisories/2003/a051203-1.txt
The information has been provided by at stake AdvisoriesJeremy Rauch and Dave G..

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
* AirPort Base Station (ALL)

Apple's AirPort device is a wireless access point, providing 802.11 services to network clients. This device is managed through a proprietary administrative protocol over a TCP port (5009/tcp). Authentication credentials are obfuscated, and then sent over the network.

The authentication credentials, a password with a maximum length of 32 characters, are XOR'd against a predefined key. When sent over the network, the password is sent out in a 32 byte fixed block. @stake was able to determine the key by setting a one-character password and monitoring the network traffic. This revealed 31 bytes of the XOR 'key'. The final byte can be obtained by XORing the obfuscated first byte against the first character of the plaintext password.

If an AirPort is administered over the Ethernet interface or via an insecure (non-WEP) wireless connection, an anonymous attacker that can sniff the network can obtain administrative access to the AirPort. If WEP is enabled, then the attack is limited to WEP authenticated attackers.

Vendor Response:
The recommendation is to administer the AirPort Base Station either via a wired connection or via a WEP-protected wireless connection.

Recommendation:
The only way to securely administer the AirPort Base Station is by connecting to it via a crossover cable. In environments where this is not practical, it is advised that the AirPort Base Station be managed through the Ethernet network, and not the wireless network.

	Real Networks RealPlayer Compressed GIF Handling Integer Overflow
	RealNetworks RealPlayer CMediumBlockAllocator Integer Overflow Vulnerability
	SugarCRM Online Document Cross-Site Scripting (XSS) Vulnerability
	Skype URI Processing Arbitrary XML File Deletion Vulnerability
	Skype Protocol Handler Datapath Argument Injection Credential Disclosure Vulnerability
	LedgerSMB Multiple Vulnerabilities
	Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
	Piwik Cookie Unserialize Vulnerability
	Invision Power Board SQL PHP File Inclusion and SQL Injection
	U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability
	DevIL DICOM Buffer Overflow Vulnerability
	Marvell Driver Multiple Information Element Overflows
	HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
	HP Color LaserJet Printers Unauthorized Access to Data and DoS
	KDE KDELibs Remote Array Overrun with Arbitrary Code Execution