If you don't know neither the enemy nor yourself, you will sucumb in every battle.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
But if you know the enemy and know yourself you need not fear the result of a hundred battles.
The art of war (Sun Tzu)
WZCS Advisory

Summary

"The Wireless Zero Configuration system service enables automatic configuration for IEEE 802.11 wireless adapters for wireless communication."

There are two closely related vulnerabilities:
  • Once the "View Available Wireless Networks" dialogue box is opened the Pair-wise Master Keys of the WPA pre-shared key authentication and WEP keys of the given interface can be found in the memory of the explorer process, even after closing the dialog box.
  • The Wireless Zero Configuration Service can be queried by any user without administrator privilege to get the WEP keys and WPA Pair-wise Master Keys.

Details

Remote: No
Risk: low
Vulnerable Systems:
  • Windows XP SP2
Immune Systems: No other than SP2 was tested
Published: 04.10.2005

The WZCS has an RPC interface with some callable functions. RpcQueryInterface allows local users to get certain data about a wireless interface, for example the SSID/key pairs. The WEP keys are in clear text. The WPA pre-shared key is not disclosed, but the PMK is enough to connect to a wireless network (e.g. you can use http://hostap.epitest.fi/wpa_supplicant/ which accepts the PMK as an authentication data).

I found this vulnerability when I realised that if the "View Available Wireless Networks" is open, the WPA PMKs and WEP keys can be found in the memory of the explorer process. The dialog is implemented in wzcdlg.dll that uses wzcsapi.dll which implements WZCQueryInterface. If you call the WZQueryInterface with the right parameters you can get the desired information.

Wzcsapi.dll is not documented in Windows XP. However, you can find some information in the Windows CE documentationWith some debugging and the help of the aforementioned documentation writing an exploit code is not a difficult task.

The vulnerabilities were found and the advisory was published by László Tóth (donctl at gmail dot com).

Special thanks goes to Lajos Antal and Balázs Boda.

History:

Vulnerabilities were discovered in March, 2005.
Vendor was notified 20th March, 2005.
The vendor stated the vulnerabilities as low security issues. They said you need "debug program" privilege to access this information (I tested it, you do not need). Therefore they wrote the following:
"At this point, we are looking at possibly shipping a fix for this issue in a Service Pack, although, there is a strong likelihood that we will be looking to addressing the issue in the next version of the product."
Vendor released a feature enhancement patch (http://support.microsoft.com/?id=893357)  that is not related to these issues.
Vendor was notified 9th May, 2005 that the feature enhancement did not change the behaviour of the WZCS service regarding the vulnerabilities.
The Vendor stated they did not intend to fix the vulnerabilities with this patch and they wrote:
"We feel that the most appropriate ship vehicle for this issue is the next version of the product which is Longhorn in this case."
At this point the decision was made to publish this advisory.