Intel WLAN Driver storing 128bit WEP-Key in plain text!

2002-01-28T00:00:00
ID SECURITYVULNS:DOC:2414
Type securityvulns
Reporter Securityvulns
Modified 2002-01-28T00:00:00

Description

Intro:

While doing some troubleshooting I found a bug on a Compaq Evo N600c with an integrated 802.11b card connected via USB (on the back of the display), running as Intel(R) PRO/Wireless 2011B LAN USB Device.

Description:

The WEP key is stored in plain text in the registry. The permissions on the specific key are weak enough that every local user has read access and can extract it via regedit.exe or an equivalent tool. A driver from another vendor (for example: Actiontec PrismII) stores the 128-bit key in an encrypted form in the same place in the registry.

Howto:

Easy way:

If you open the properties dialog of your WLAN card and click on the "Advanced" tab, you can find an entry displaying the WEP key in plaintext (only as administrator).

A normal user doesn't have access to this "Advanced" tab. This happened with the latest driver version from the Compaq support page (version 1.5.16.0). I tried to get the latest driver from Intel, which is version 1.5.18.0 (downloaded on 24th January 2002). The newer release fixed one part by not showing the entry in the "Advanced" tab.

Way that always works:

Let's look at the registry.

General:

The security policies on

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008]

Owner: local Administrator

Owner Group: local Administrators

Permissions

Name                  Permission     Apply to
local Administrator   Full Control   This Key and Subkeys
local Power Users     Read           This Key and Subkeys
local Users           Read           This Key and Subkeys
Owner                 Full Control   Subkeys only
System                Full Control   This Key and Subkeys

But if you look at the registry under

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008]

^^ look for your correct device section ^^

(no matter which of the 2 noted driver versions is used), you find the string entry

"DefaultKeys"="364e01815b300d8038abc5ff00000000000000"

where the first 12 hex values show the WEP key in plaintext:

"364e01815b300d8038abc5ff"

On another system, the new driver (1.15.18.0) added additional keys under the same context noted above: "Profiles\Default\WepKey"

"Key128"="2544801583660d7009abcdef00000000000000"

"DefKeyId128"="1

If this WEP key belongs to anyone, I apologize. This key is freely invented by my fingers on the keyboard!
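
The following PowerShell audit is an added example, not part of the original advisory: it looks for the "DefaultKeys" and "Key128" values described above under every network adapter class subkey and reports whether a broad group can read the key that holds them, without printing the key material. It assumes the values appear as hex strings as shown in the advisory; the use of CurrentControlSet instead of ControlSet001, the SID list and the function name Test-BroadRead are choices made for this example.

```powershell
# Added example (not from the advisory). Value names and the WepKey subkey are the ones
# the advisory reports; CurrentControlSet is used in place of the ControlSet001 it shows.
$classKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
$valueNames     = 'DefaultKeys', 'Key128'
# Everyone, Authenticated Users, BUILTIN\Users, BUILTIN\Power Users
$broadSids      = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-32-547'
$inheritOnlyBit = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$queryValuesBit = [int][System.Security.AccessControl.RegistryRights]::QueryValues

function Test-BroadRead {
    param([string]$LiteralPath)
    # Assumption: ACEs carry specific registry rights; generic-rights ACEs are not decoded.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = (Get-Acl -LiteralPath $LiteralPath).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $flags  = [int]$rule.PropagationFlags
        $rights = [int]$rule.RegistryRights
        if ($rule.AccessControlType -eq 'Allow' -and
            ($flags -band $inheritOnlyBit) -eq 0 -and
            ($rights -band $queryValuesBit) -ne 0 -and
            $broadSids -contains $rule.IdentityReference.Value) { return $true }
    }
    return $false
}

$findings = foreach ($adapter in Get-ChildItem -LiteralPath $classKey -ErrorAction SilentlyContinue) {
    foreach ($path in $adapter.PSPath, "$($adapter.PSPath)\Profiles\Default\WepKey") {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
        foreach ($name in $valueNames) {
            $value = $props.$name
            # Heuristic: a non-zero hex string of at least 10 characters. The value is never printed.
            if ($value -is [string] -and $value -match '^[0-9a-fA-F]{10,}$' -and $value -notmatch '^0+$') {
                [pscustomobject]@{
                    Key          = $path -replace '^.*?::', ''
                    Value        = $name
                    HexChars     = $value.Length
                    UsersCanRead = Test-BroadRead -LiteralPath $path
                }
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

A row with UsersCanRead set to True is the condition the advisory describes; since other drivers store an encrypted form in the same place, a match still has to be compared against the configured key by an administrator.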