Re: Accesspoints disclose wep keys, password and mac filter (fwd)

[<informatik.koerfer () web de>]

In-Reply-To: <20021106185730.15557.qmail () mail securityfocus com>

> >        Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
> >                D-Link DWL-900AP+ B1 version 2.1 and 2.2
> >                ALLOY GL-2422AP-S
> >                EUSSO GL2422-AP
> >                LINKSYS WAP11-V2.2
>
> The D-Link DWL-900AP+ B1 2.1 isn't affected.

I'm sorry, this device IS vulnerable, I believe ALL others are as well.
The source code posted is only a proof of concept, slight modifications
will deliver the correct result.

Mainly the data returned by the "gstsearch" packet has EOF's or EOL's
in it, so parsing will lead to an abort, before the desired data is
delivered.

The worst is, that an attacker is actually able to save these returned
values back to the WAP using the string "gstset" (not quite sure if this
is the correct string, because I'm at work and don't have the infos here,
but it is possible!) followed by the data.

NOTE:
The answer of the access point is a broadcast message as well,
so every computer in the subnet would be able to receive the
data.