Red-M Red-Alert Multiple Vulnerabilities Product: RedAlert Versions Affected: Tested with hardware version 2.7.5, software v3.1 build 24 Status: Fixed by vendor Vendor URL: http://www.red-m.com Advisory URL: http://genhex.org/releases/031003.txt Author: Bruno Morisson Timeline: 3 October 2003 - Vendor contacted through local partner 8 January 2004 - New firmware version tested 8 February 2004 - Advisory released Copyright notice: This advisory, parts of it, or of the information herein can be reproduced as long as proper credit is given to the author(s). Product Description: Red-Alert is a wireless (802.11b/Bluetooth) probe that monitors and reports on wireless security threats. Overview: 1) Any unauthenticated user can remotely reboot the Red-Alert probe, and all locally logged events are lost. 2) The user authentication is bound to the source IP address of the user authenticating, hence any other user behind the same address will not be asked for authentication. 3) The probe will not correctly identify SSID strings that contain multiple space (0x20) characters. Details: 1) Any unauthenticated user can remotely reboot the Red-Alert appliance through the webserver. When a browser request is longer than aproximately 1230 bytes, the appliance simply reboots. Consequently, all information is lost. *Anything* sent to the device's tcp port 80 longer than aprox. 1230 bytes reboots it, whether it's a valid request or not. This can be tested, for example, using perl and netcat: $ perl -e 'print "a"x1230 . "\r\n\r\n"| nc 80 The device reboots, and all locally logged information is lost. 2) The authentication of the probe administrator is bound to the user's IP address. If multiple users are behind a nat or proxy, any of those users can access the gui without restrictions after authentication. The authentication does, in fact, expire after a few minutes of inactivity, however, since the events popup page auto-refreshes itself the session will potentially never expire. 3) If there are wireless networks detected by the probe with an SSID with multiple space (0x20) characters, the probe fails to correctly identify them. For example, if a network has the SSID " ", the probe will detect it as " "(single space character). Any sequence of multiple space characters in any substring of the SSID are represented as one single space character. Solution: Contact Red-M or your local partner for a firmware update. Disclaimer: The information in this advisory is provided AS IS, with no guarantee that its contents are correct, although the author believes them to be so. The author takes no responsability for the use or misuse of the information in this advisory or methods described. Use at your own responsability.