Vulnerabilities > CVE-2003-0270 - Unspecified vulnerability in Apple 802.11N 7.3.1

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
apple
nessus
metasploit
NVD
Published: 2003-06-16
Updated: 2017-07-11

Summary

The administration capability for Apple AirPort 802.11 wireless access point devices uses weak encryption (XOR with a fixed key) for protecting authentication credentials, which could allow remote attackers to obtain administrative access via sniffing when the capability is available via Ethernet or non-WEP connections.

Vulnerable Configurations

Part Description Count
Hardware
Apple
1

Metasploit

descriptionThis module attempts to authenticate to an Apple Airport using its proprietary and largely undocumented protocol known only as ACPP.
idMSF:AUXILIARY/SCANNER/ACPP/LOGIN
last seen2020-02-27
modified2019-06-27
published2015-01-05
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0270
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/acpp/login.rb
titleApple Airport ACPP Authentication Scanner

Nessus

NASL familyMisc.
NASL idAIRPORT_PLAINTEXT_CREDENTIALS.NASL
descriptionThe remote host is an Apple Airport Wireless Access Point which can be administrated on top of TCP port 5009. There is a design flaw in the administrative protocol which makes the clients which connect to this port send the password in cleartext (although slightly obsfuscated). An attacker who has the ability to sniff the data going to this device may use this flaw to gain its administrative password and gain its control. Since the airport base station does not keep any log, it will be difficult to determine that administrative access has been stolen.
last seen2020-06-01
modified2020-06-02
plugin id11620
published2003-05-12
reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11620
titleApple AirPort Base Station Authentication Credential Encryption Weakness
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
 script_id(11620);
 script_version ("1.18");
 script_cve_id("CVE-2003-0270");
 script_bugtraq_id(7554);
 script_xref(name:"Secunia", value:"8773");

 script_name(english:"Apple AirPort Base Station Authentication Credential Encryption Weakness");
 script_summary(english:"Connects to port 5009 and says 'Hello'");

 script_set_attribute(attribute:"synopsis", value:
"The remote wireless access point contains a password encryption
weakness." );
 script_set_attribute(attribute:"description", value:
"The remote host is an Apple Airport Wireless Access Point which
can be administrated on top of TCP port 5009.

There is a design flaw in the administrative protocol which makes
the clients which connect to this port send the password
in cleartext (although slightly obsfuscated).

An attacker who has the ability to sniff the data going to this
device may use this flaw to gain its administrative password and
gain its control. Since the airport base station does not keep any
log, it will be difficult to determine that administrative access
has been stolen." );
 script_set_attribute(attribute:"solution", value:
"Block incoming traffic to this port, and only administer
this base station when connected to it using a cross-over ethernet
cable." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");


 script_set_attribute(attribute:"plugin_publication_date", value: "2003/05/12");
 script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/12");
 script_cvs_date("Date: 2018/06/27 18:42:25");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"Misc.");
 script_dependencies("find_service1.nasl");
 script_require_ports(5009);
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");

port = 5009;
if(!get_port_state(port))exit(0);
soc = open_sock_tcp(port);
if(!soc)exit(0);
req = "acpp" + crap(data:raw_string(0), length:124);
send(socket:soc, data:req);
r = recv(socket:soc, length:128);
if(!r)exit(0);
if("acpp" >< r && r != req){
	security_hole(port);
	register_service(port:5009, proto:"apple-airport-admin");
	}

References