ignore security and it'll go away

031003.txt

031003.txt
Posted Feb 9, 2004
Authored by Bruno Morisson | Site genhex.org

The Red-M RedAlert wireless 802.11b/Bluetooth probe version 2.75 has multiple security issues. Any unauthenticated user can reboot the appliance through the webserver. The administrator's access is bound by IP address, allowing anyone coming in via NAT from a shared network the same levels of control. The device also filters out specific characters in SSIDs representing them all as a single space character.

tags | advisory
MD5 | f7a4556f01ea0e902cfe2038fed5fa39

031003.txt

Change Mirror Download

Red-M Red-Alert Multiple Vulnerabilities

Product: RedAlert
Versions Affected: Tested with hardware version 2.7.5, software v3.1 build 24
Status: Fixed by vendor
Vendor URL: http://www.red-m.com
Advisory URL: http://genhex.org/releases/031003.txt
Author: Bruno Morisson <morisson@genhex.org>

Timeline:
3 October 2003 - Vendor contacted through local partner
8 January 2004 - New firmware version tested
8 February 2004 - Advisory released

Copyright notice:
This advisory, parts of it, or of the information herein
can be reproduced as long as proper credit is given to the author(s).

Product Description:
Red-Alert is a wireless (802.11b/Bluetooth) probe that monitors and
reports on wireless security threats.


Overview:
1) Any unauthenticated user can remotely reboot the Red-Alert probe, and
all locally logged events are lost.
2) The user authentication is bound to the source IP address
of the user authenticating, hence any other user behind the same address
will not be asked for authentication.
3) The probe will not correctly identify SSID strings that contain multiple
space (0x20) characters.


Details:
1) Any unauthenticated user can remotely reboot the Red-Alert
appliance through the webserver.
When a browser request is longer than aproximately 1230 bytes, the
appliance simply reboots. Consequently, all information is lost.
*Anything* sent to the device's tcp port 80 longer than aprox.
1230 bytes reboots it, whether it's a valid request or not.

This can be tested, for example, using perl and netcat:
$ perl -e 'print "a"x1230 . "\r\n\r\n"| nc <device ip> 80

The device reboots, and all locally logged information is lost.

2) The authentication of the probe administrator is bound to the user's
IP address. If multiple users are behind a nat or proxy, any of
those users can access the gui without restrictions after authentication.
The authentication does, in fact, expire after a few minutes of
inactivity, however, since the events popup page auto-refreshes itself
the session will potentially never expire.

3) If there are wireless networks detected by the probe with an SSID
with multiple space (0x20) characters, the probe fails to correctly
identify them. For example, if a network has the SSID " ",
the probe will detect it as " "(single space character). Any sequence
of multiple space characters in any substring of the SSID are
represented as one single space character.


Solution:
Contact Red-M or your local partner for a firmware update.


Disclaimer:
The information in this advisory is provided AS IS, with no
guarantee that its contents are correct, although the author
believes them to be so. The author takes no responsability for
the use or misuse of the information in this advisory or methods
described. Use at your own responsability.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close