Local vulnerability in WeFi Client v3.2.1.4.1(Update)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Local vulnerability in WeFi Client v3.2.1.4.1(Update)
From: XiaShing@xxxxxxxxx
Date: 4 Jul 2008 06:35:36 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

==================================================
INFO
==================================================
The wireless client, WeFi v3.2.1.4.1 is susceptible to local vulnerabilities 
due to improper coding. Earlier versions may 

also be affected.

==================================================
DISCUSSION
==================================================
Due to lack of improper encryption and the client storing backups of the log 
files, a local attacker can gain unencrypted keys to WEP, WPA and WPA2 access 
points. The log files that keep the keys are as follows:

C:\Program Files\WeFi\LogFiles\ClientWeFiLog.dat
C:\Program Files\WeFi\LogFiles\ClientWeFiLog.bak
C:\Program Files\WeFi\Users\mee@xxxxxxxxxxxxx (Yet to be confirmed, heavily 
encrypted)

==================================================
SAMPLE
==================================================
Here is a sample of the backup file code:
a11ae90c2b66|7a000b|6|c8e|736|3f2a|ffffffff|0|0|35|6570|Create Profile|
a11ae90c2d4a|7a000b|6|c8e|736|3f2a|ffffffff|0|0|35|6571|try to connect|
a11ae90c2d4a|7a000b|6|c8e|736|3f2a|ffffffff|0|0|35|6572|09F82980CX|

As you can see, the key has been stored in plain text at the end of the last 
line.

==================================================
NOTES
==================================================
It is to be noted that the backup file, .bak, is still viewable even after the 
client is closed. When the .dat file  exceeds 3000kb, it moves the data to the 
.bak file and subsequently when that file exceeds 3000kb, the data is deleted. 
This can exceed over a day of normal internet browsing.

The .dat file shows the unencrypted keys several lines after the phrase, 
"Create Profile". It also shows failed attempts at connecting to a wireless 
access point.

==================================================
SOLUTION
==================================================
Use heavier encryption or do not keep log files.
The vendor has been notified.

==================================================
Thanks,
Xia Shing Zee

Prev by Date: [SECURITY] [DSA 1601-1] New wordpress packages fix several vulnerabilities
Next by Date: Unauthorized reading confirmation from Outlook
Previous by thread: [SECURITY] [DSA 1601-1] New wordpress packages fix several vulnerabilities
Next by thread: Re: Local vulnerability in WeFi Client v3.2.1.4.1(Update)
Index(es):
- Date
- Thread