what you don't know can hurt you

wefi3330-lfi.txt

wefi3330-lfi.txt
Posted Jul 10, 2008
Authored by Xia Shing Zee

The wireless client, WeFi version 3.3.3.0, is susceptible to a local information disclosure due to irresponsible coding. Earlier versions may also be affected.

tags | exploit, local, file inclusion, info disclosure
MD5 | 916b64e183d8ec5934d9f3992093f751

wefi3330-lfi.txt

Change Mirror Download
==================================================
INFO
==================================================
The wireless client, WeFi v3.3.3.0 is susceptible to a local information disclosure due to irresponsible coding. Earlier versions may also be affected.

==================================================
DISCUSSION
==================================================
Due to the WeFi client storing the keys in memory, a dump is able to show valid WEP, WPA and WPA2 keys that can be used by a local attacker. This information can often be found around the 044296C0 offset. An attacker could easily dump the credentials from memory whilst walking past a laptop with an autorun U3 USB. The file that keeps the keys in memory is as follows:

C:\Program Files\WeFi\WeFi.exe

==================================================
SAMPLE 1
==================================================
Here is a sample of the hexadecimal memory dump:

Offset 00 01 02 03 04 05 06 07 08 09 ASCII

044296C0 03 8B CB 00 30 39 46 38 32 39 .‹Ë.09F829 <--WEP KEY
044296CA 38 30 43 58 00 00 00 00 00 00 80CX...... <--WEP KEY

As you can see, the WEP key, "09F82980CX" has been stored in plain text.

The WEP Key has been changed from its true values to protect the identity and anonymity of the victim.

==================================================
SAMPLE 2
==================================================
A few lines down and we find the SSID, "linksys":

Offset 00 01 02 03 04 05 06 07 08 09 ASCII

044296FC 00 00 00 00 00 00 00 00 6C 69 ........li <--SSID
04429706 6E 6B 73 79 73 2E 2E 2E 2E 2E nksys..... <--SSID

The SSID has been changed from its true values to protect the identity and anonymity of the victim.

==================================================
NOTES
==================================================
The WeFi client continues to keep the WEP keys long after the client has authenticated with the wireless access point. The first network that the client authenticates with is around 044296C0 and further wireless keys can be found after that offset. All wireless keys are accompanied with their respectable SSID shortly after the key.

==================================================
SOLUTION
==================================================
Do not keep the wireless encryption keys in the program and disallow the client to "Remember Key".
The wireless key should only be used during authentication and should not be kept in the system memory.
Encryption is no longer a valid solution as this can be reversed if the algorithm is known or reversed.
The vendor has been notified.

==================================================
Thanks,
Xia Shing Zee
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    5 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close