Microsoft Windows XP Wireless Zero Configuration Credential/Key Disclosure

2005-10-04T04:45:43
ID OSVDB:19873
Type osvdb
Reporter Laszlo Toth (donctl@gmail.com)
Modified 2005-10-04T04:45:43

Description

Vulnerability Description

Microsoft Windows XP Home and Professional contain a flaw that may lead to unauthorized information disclosure. The issue is triggered when a local non-privileged user is allowed to retrieve configured wireless profiles using the "WZCQueryInterface()" API via the Wireless Zero Configuration service (wzcsapi.dll). The call discloses configured SSIDs, WEP keys, or the PMK (Pairwise Master Key) used for pre-shared key authentication in WPA (Wi-Fi Protected Access), resulting in a loss of confidentiality. Additionally, the explorer process stores the same information in plaintext, offering a second way to obtain it.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Secunia Advisory ID: 17064
Other Advisory URL: http://www.soonerorlater.hu/index.khtml?article_id=62
Microsoft Knowledge Base Article: 893357
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-10/0016.html
ISS X-Force ID: 22524
Generic Exploit URL: http://www.frsirt.com/exploits/20051006.wzcsapiuse.cpp.php
FrSIRT Advisory: ADV-2005-1970
CVE-2005-4697
CVE-2005-4696
Bugtraq ID: 15008