Vulnerabilities > CVE-2003-0270 - Unspecified vulnerability in Apple 802.11N 7.3.1

CVSS v2 base score 7.6 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

The administration capability for Apple AirPort 802.11 wireless access point devices uses weak encryption (XOR with a fixed key) for protecting authentication credentials, which could allow remote attackers to obtain administrative access via sniffing when the capability is available via Ethernet or non-WEP connections.

Vulnerable Configurations

Part Description Count
Hardware
Apple
1

Metasploit

description: This module attempts to authenticate to an Apple Airport using its proprietary and largely undocumented protocol known only as ACPP.
id: MSF:AUXILIARY/SCANNER/ACPP/LOGIN
last seen: 2020-02-27
modified: 2019-06-27
published: 2015-01-05
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0270
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/acpp/login.rb
title: Apple Airport ACPP Authentication Scanner

Nessus

NASL family: Misc.
NASL id: AIRPORT_PLAINTEXT_CREDENTIALS.NASL
description: The remote host is an Apple Airport Wireless Access Point which can be administered over TCP port 5009. There is a design flaw in the administrative protocol which makes the clients which connect to this port send the password in cleartext (although slightly obfuscated). An attacker who has the ability to sniff the data going to this device may use this flaw to obtain its administrative password and take control of it. Since the airport base station does not keep any log, it will be difficult to determine that administrative access has been stolen.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11620
published: 2003-05-12
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11620
title: Apple AirPort Base Station Authentication Credential Encryption Weakness
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration: when the scanner loads this script with `description`
# set, only the metadata below is recorded and the script exits before any
# network traffic is generated.
if (description)
{
  # --- Identity and cross-references -------------------------------------
  script_id(11620);
  script_version("1.18");
  script_cve_id("CVE-2003-0270");
  script_bugtraq_id(7554);
  script_xref(name:"Secunia", value:"8773");

  script_name(
    english:"Apple AirPort Base Station Authentication Credential Encryption Weakness"
  );
  script_summary(english:"Connects to port 5009 and says 'Hello'");

  # --- Report text ---------------------------------------------------------
  # The multi-line string literals start at column 0 so that the reported
  # text carries no leading indentation.
  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote wireless access point contains a password encryption
weakness."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is an Apple Airport Wireless Access Point which
can be administrated on top of TCP port 5009.

There is a design flaw in the administrative protocol which makes
the clients which connect to this port send the password
in cleartext (although slightly obsfuscated).

An attacker who has the ability to sniff the data going to this
device may use this flaw to gain its administrative password and
gain its control. Since the airport base station does not keep any
log, it will be difficult to determine that administrative access
has been stolen."
  );
  # Mitigation offered by the plugin: keep the admin port unreachable from
  # shared networks and administer only over a direct wired link.
  script_set_attribute(
    attribute:"solution",
    value:
"Block incoming traffic to this port, and only administer
this base station when connected to it using a cross-over ethernet
cable."
  );

  # --- Scoring ---------------------------------------------------------------
  # CVSS v2 base vector: network-reachable, high access complexity, no
  # authentication, complete C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(
    attribute:"exploitability_ease",
    value:"No known exploits are available"
  );
  script_set_attribute(attribute:"exploit_available", value:"false");

  # --- Dates and plugin type -------------------------------------------------
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/05/12");
  script_set_attribute(attribute:"vuln_publication_date", value:"2003/05/12");
  script_cvs_date("Date: 2018/06/27 18:42:25");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # --- Scheduling --------------------------------------------------------------
  # Registered as an information-gathering check that depends on service
  # discovery (find_service1.nasl) and on TCP port 5009.
  script_category(ACT_GATHER_INFO);

  script_copyright(
    english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc."
  );
  script_family(english:"Misc.");
  script_dependencies("find_service1.nasl");
  script_require_ports(5009);

  # Nothing below this point runs during registration.
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");

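# Detection logic: send an ACPP "hello" to the AirPort administration port and
# report the host when it answers with an ACPP message of its own.
#
# NOTE(review): this is a presence check only. It does not observe any
# credentials and does not inspect the firmware version, so a finding means
# "an ACPP administration service is reachable from the scanner's position".
# Triage it against the plugin's solution text: confirm whether TCP 5009 is
# filtered from untrusted segments and how the base station is administered.
port = 5009;
if (!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(0);

# Probe: the literal "acpp" followed by 124 NUL bytes (128 bytes in total),
# matching the 128-byte read below.
req = "acpp" + crap(data:raw_string(0), length:124);
send(socket:soc, data:req);
r = recv(socket:soc, length:128);

# The exchange is a single request/response; release the socket on every
# path instead of leaving it open until the script exits.
close(soc);

if (!r) exit(0);

# The reply must contain "acpp" and must differ from the probe. The second
# condition presumably filters out services that simply echo what they
# receive -- confirm against the protocol before relying on it.
if ("acpp" >< r && r != req)
{
  security_hole(port);
  # Use the same port variable as the probe so the registered service can
  # never drift from the port that was actually tested.
  register_service(port:port, proto:"apple-airport-admin");
}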