Local information disclosure in WeFi Client v3.3.3.0

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Local information disclosure in WeFi Client v3.3.3.0
From: XiaShing@xxxxxxxxx
Date: 9 Jul 2008 13:12:41 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

==================================================
INFO
==================================================
The wireless client, WeFi v3.3.3.0 is susceptible to a local information 
disclosure due to irresponsible coding. Earlier versions may also be affected.

==================================================
DISCUSSION
==================================================
Due to the WeFi client storing the keys in memory, a dump is able to show valid 
WEP, WPA and WPA2 keys that can be used by a local attacker. This information 
can often be found around the 044296C0 offset. An attacker could easily dump 
the credentials from memory whilst walking past a laptop with an autorun U3 
USB. The file that keeps the keys in memory is as follows:

C:\Program Files\WeFi\WeFi.exe

==================================================
SAMPLE 1
==================================================
Here is a sample of the hexadecimal memory dump:

Offset    00 01 02 03 04 05 06 07 08 09    ASCII

044296C0  03 8B CB 00 30 39 46 38 32 39    .?Ë.09F829    <--WEP KEY
044296CA  38 30 43 58 00 00 00 00 00 00    80CX......    <--WEP KEY

As you can see, the WEP key, "09F82980CX" has been stored in plain text.

The WEP Key has been changed from its true values to protect the identity and 
anonymity of the victim.

==================================================
SAMPLE 2
==================================================
A few lines down and we find the SSID, "linksys":

Offset    00 01 02 03 04 05 06 07 08 09    ASCII

044296FC  00 00 00 00 00 00 00 00 6C 69    ........li    <--SSID
04429706  6E 6B 73 79 73 2E 2E 2E 2E 2E    nksys.....    <--SSID

The SSID has been changed from its true values to protect the identity and 
anonymity of the victim.

==================================================
NOTES
==================================================
The WeFi client continues to keep the WEP keys long after the client has 
authenticated with the wireless access point. The first network that the client 
authenticates with is around 044296C0 and further wireless keys can be found 
after that offset. All wireless keys are accompanied with their respectable 
SSID shortly after the key.

==================================================
SOLUTION
==================================================
Do not keep the wireless encryption keys in the program and disallow the client 
to "Remember Key". 
The wireless key should only be used during authentication and should not be 
kept in the system memory. 
Encryption is no longer a valid solution as this can be reversed if the 
algorithm is known or reversed.
The vendor has been notified.

==================================================
Thanks,
Xia Shing Zee

Prev by Date: Re: Unauthorized reading confirmation from Outlook
Next by Date: Insomnia : ISVA-080709.1 - Microsoft SQL Server - Corrupt Backup File Heap Overflow
Previous by thread: [ MDVSA-2008:138 ] - Updated OpenOffice.org packages fix vulnerability
Next by thread: Insomnia : ISVA-080709.1 - Microsoft SQL Server - Corrupt Backup File Heap Overflow
Index(es):
- Date
- Thread