BugTraq
Back to list
|
Post reply
Re: Accesspoints disclose wep keys, password and mac filter (fwd)
Nov 07 2002 05:29PM
informatik koerfer web de
(1 replies)
In-Reply-To: <20021106185730.15557.qmail (at) mail.securityfocus (dot) com [email concealed]>
>> Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
>> D-Link DWL-900AP+ B1 version 2.1 and 2.2
>> ALLOY GL-2422AP-S
>> EUSSO GL2422-AP
>> LINKSYS WAP11-V2.2
>
>The D-Link DWL-900AP+ B1 2.1 isn't affected.
>
I'm sorry, this device IS vulnerable, I believe ALL others are as well.
The source code posted is only a proof of concept, slight modifications
will deliver the correct result.
Mainly the data returned by the "gstsearch" packet has EOF's or EOL's
in it, so parsing will lead to an abort, before the desired data is
delivered.
The worst is, that an attacker is actually able to save these returned
values back to the WAP using the string "gstset" (not quite sure if this
is the correct string, because I'm at work and don't have the infos here,
but it is possible!) followed by the data.
NOTE:
The answer of the access point is a broadcast message as well,
so every computer in the subnet would be able to receive the
data.
[ reply ]
Re: Accesspoints disclose wep keys, password and mac filter (fwd)
Nov 08 2002 10:40PM
tenty overkillnetworks com
Privacy Statement
Copyright 2010, SecurityFocus
>> Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
>> D-Link DWL-900AP+ B1 version 2.1 and 2.2
>> ALLOY GL-2422AP-S
>> EUSSO GL2422-AP
>> LINKSYS WAP11-V2.2
>
>The D-Link DWL-900AP+ B1 2.1 isn't affected.
>
I'm sorry, this device IS vulnerable, I believe ALL others are as well.
The source code posted is only a proof of concept, slight modifications
will deliver the correct result.
Mainly the data returned by the "gstsearch" packet has EOF's or EOL's
in it, so parsing will lead to an abort, before the desired data is
delivered.
The worst is, that an attacker is actually able to save these returned
values back to the WAP using the string "gstset" (not quite sure if this
is the correct string, because I'm at work and don't have the infos here,
but it is possible!) followed by the data.
NOTE:
The answer of the access point is a broadcast message as well,
so every computer in the subnet would be able to receive the
data.
[ reply ]