by Thorn » Mon Feb 03, 2003 9:35 am
Tested against a WAP11 v1.1 (firmware version 1.4g8) and a WAP11 v2.2 (firmware version 1.01j) this AM.
Non-Associated:
WAP11 v1.1
Results: Both versions of pong reported "no answer"
WAP11 v2.2
Results: Both versions of pong reported "no answer"
Associated:
WAP11 v1.1
Results: Both versions of pong reported "no answer"
WAP11 v2.2
Results: Using both the original version and v1.1 of pong.exe, I was not able to get anything particularly useful. There was some output, but most of the output appeared to be junk (i.e. non-printable characters). However, part of the SSID did show in the "Admin Password" field of pong v1.1. Upon running v1.1 in the raw mode, the model, firmware version, WEP keys, SSID, and admin password were all displayed. I would suspect that the WAP11 has a slightly different data layout, hence when it is formatted for output in either version of pong.exe, the data appears to be trashed. However, the vulnerability still exists, and once the layout of the raw data is known, it is very easy to determine what the values are.
Conclusion:
Persons running a WAP11 v2.2 do have to worry about this exploit. However, WEP provides some protection as the data can only be extracted after the AP and the card have associated. If the WEP key is unknown, then association cannot take place.
Those persons running a WAP11 v2.2 without implementing WEP are the most vulnerable to this exploit.
Thorn
Stop the TSA now! Boycott the airlines.
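As an added illustration (not code from the original post and not pong.exe's own logic), the following Python shows why a formatted parser built around one device's data layout prints junk when another model orders or sizes the fields differently, and how carving the raw dump still recovers the values once the layout is worked out. The two layouts, the field names and the field values are constructed stand-ins, not the WAP11's actual response format.

```python
import string

# Printable bytes for carving (space kept, control whitespace excluded).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

# Hypothetical field values (constructed; not taken from any real device).
FIELDS = {
    "model": "WAP11",
    "firmware": "1.4g8",
    "ssid": "example-ssid",
    "admin_password": "hunter2",
    "wep_key1": bytes.fromhex("0123456789abcdef0123456789"),  # 104-bit key
}

# Two hypothetical fixed-width layouts: (field name, width in bytes).
# LAYOUT_A stands in for the layout a formatted parser assumes;
# LAYOUT_B stands in for a device that orders/sizes the fields differently.
LAYOUT_A = [("model", 16), ("firmware", 8), ("ssid", 32),
            ("admin_password", 16), ("wep_key1", 13)]
LAYOUT_B = [("model", 16), ("firmware", 16), ("wep_key1", 13),
            ("ssid", 32), ("admin_password", 16)]


def build_blob(fields, layout):
    """Pack fields as NUL-padded fixed-width records (constructed toy format)."""
    out = bytearray()
    for name, width in layout:
        value = fields[name]
        if isinstance(value, str):
            value = value.encode("ascii")
        out += value.ljust(width, b"\x00")[:width]
    return bytes(out)


def parse_by_layout(blob, layout):
    """Fixed-offset parse, i.e. what a 'formatted' output mode does.
    Applied with the wrong layout it returns junk instead of raising."""
    result, pos = {}, 0
    for name, width in layout:
        chunk = blob[pos:pos + width]
        pos += width
        if name.startswith("wep"):
            result[name] = chunk.hex()           # keys are binary, show as hex
        else:
            # text fields: stop at the first NUL, tolerate stray bytes
            result[name] = chunk.split(b"\x00", 1)[0].decode("latin-1")
    return result


def carve_strings(blob, min_len=4):
    """'strings'-style carve of an unknown-layout dump: (offset, text) per printable run."""
    runs, start = [], None
    for i, b in enumerate(blob + b"\x00"):     # trailing NUL flushes the last run
        if chr(b) in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, blob[start:i].decode("ascii")))
            start = None
    return runs


def hexdump(blob, width=16):
    """Raw-mode style view: offset, hex bytes, ASCII column with '.' for non-printables."""
    lines = []
    for off in range(0, len(blob), width):
        chunk = blob[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    blob = build_blob(FIELDS, LAYOUT_B)
    print("formatted parse with the wrong layout (junk; SSID tail lands in the password field):")
    print(parse_by_layout(blob, LAYOUT_A))
    print("\nraw dump:")
    print(hexdump(blob))
    print("\ncarved strings:", carve_strings(blob))
    print("\nparse with the correct layout:", parse_by_layout(blob, LAYOUT_B))
```

The text fields fall out of the carve directly; the WEP key is binary and does not show up as a printable run, so it only becomes readable once its offset and width are taken from the raw dump and fed to the fixed-layout parser. That is the same two-step the post describes: raw mode first, then a layout for the new model.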