If you know neither the enemy
nor yourself, you will succumb in every battle.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
But if you know the enemy and know yourself, you need not fear the result of a hundred battles.
The Art of War (Sun Tzu)
Summary
"The Wireless Zero Configuration system service enables automatic configuration for IEEE 802.11 wireless adapters for wireless communication."
There are two closely related vulnerabilities:
The WZCS exposes an RPC interface with several callable functions. RpcQueryInterface allows local users to obtain certain data about a wireless interface, for example the SSID/key pairs. WEP keys are returned in clear text. The WPA pre-shared key itself is not disclosed, but the PMK is enough to connect to a wireless network (e.g. you can use http://hostap.epitest.fi/wpa
I found this vulnerability when I realised that if the "View Available Wireless Networks" dialog is open, the WPA PMKs and WEP keys can be found in the memory of the explorer process. The dialog is implemented in wzcdlg.dll, which uses wzcsapi.dll, which implements WZCQueryInterface. If you call WZCQueryInterface with the right parameters you can get the desired information.
Wzcsapi.dll is not documented in Windows XP. However, you can find some information in the Windows CE documentation. With some debugging and the help of the aforementioned documentation, writing exploit code is not a difficult task.
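The advisory's key point is that disclosing the PMK is as bad as disclosing the passphrase for the network in question. The example below is added here to show why; it is not code from the advisory or from its author. It implements the standard WPA-PSK key derivation (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output) and checks the result against the published IEEE 802.11i test vector, then shows the defender's consequence: a leaked PMK remains valid exactly as long as both the passphrase and the SSID stay unchanged, so the only remediation after exposure is to change the passphrase (or SSID). The function names and the "leaked PMK" scenario are constructed for illustration.

```python
import hashlib
import hmac

# IEEE 802.11i WPA-PSK key hierarchy: the passphrase is never used on the
# air directly. PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations,
# 32 bytes), and the PMK is the secret the 4-way handshake actually uses,
# which is why possessing the PMK is sufficient to join the network.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # 256 bits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PMK from an ASCII passphrase and an SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LEN,
    )


def leaked_pmk_still_valid(leaked_pmk: bytes, passphrase: str, ssid: str) -> bool:
    """Hypothetical post-incident check: does a PMK recovered from a compromised
    host still match the network's current passphrase/SSID? True means the
    network is still open to anyone holding that PMK."""
    return hmac.compare_digest(leaked_pmk, derive_pmk(passphrase, ssid))


def main() -> None:
    # Published IEEE 802.11i test vector (passphrase "password", SSID "IEEE").
    pmk = derive_pmk("password", "IEEE")
    print("PMK:", pmk.hex())

    # Constructed scenario: the PMK above was read out of a client's memory.
    leaked = pmk
    print("still valid with same passphrase/SSID:",
          leaked_pmk_still_valid(leaked, "password", "IEEE"))
    print("still valid after passphrase change:",
          leaked_pmk_still_valid(leaked, "password2", "IEEE"))
    print("still valid after SSID change:",
          leaked_pmk_still_valid(leaked, "password", "IEEE2"))


if __name__ == "__main__":
    main()
```

Note that the derivation is one-way: a leaked PMK does not reveal the passphrase, but it does not need to, since the handshake only ever proves knowledge of the PMK. Rotating the passphrase invalidates every previously captured PMK for that SSID.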
The vulnerabilities were found and the advisory was published by László Tóth (donctl at gmail dot com).
Special thanks go to Lajos Antal and Balázs Boda.
History:
The vulnerabilities were discovered in March 2005.
The vendor was notified on 20th March, 2005.
The vendor rated the vulnerabilities as low-severity security issues. They said you need the "debug program" privilege to access this information (I tested it; you do not). They therefore wrote the following:
"At this point, we are looking at possibly shipping a fix for this issue in a Service Pack, although, there is a strong likelihood that we will be looking to addressing the issue in the next version of the product."
The vendor released a feature-enhancement patch (http://support.microsoft.com/
The vendor was notified on 9th May, 2005 that the feature enhancement did not change the behaviour of the WZCS service with regard to the vulnerabilities.
The vendor stated that they did not intend to fix the vulnerabilities with this patch, and wrote:
"We feel that the most appropriate ship vehicle for this issue is the next version of the product which is Longhorn in this case."
At this point the decision was made to publish this advisory.