In-Reply-To: <20021106185730.15557.qmail@mail.securityfocus.com> >> Possibly vulnerable, not tested, OEM Version from GlobalSunTech: >> D-Link DWL-900AP+ B1 version 2.1 and 2.2 >> ALLOY GL-2422AP-S >> EUSSO GL2422-AP >> LINKSYS WAP11-V2.2 > >The D-Link DWL-900AP+ B1 2.1 isn't affected. > I'm sorry, this device IS vulnerable, I believe ALL others are as well. The source code posted is only a proof of concept, slight modifications will deliver the correct result. Mainly the data returned by the "gstsearch" packet has EOF's or EOL's in it, so parsing will lead to an abort, before the desired data is delivered. The worst is, that an attacker is actually able to save these returned values back to the WAP using the string "gstset" (not quite sure if this is the correct string, because I'm at work and don't have the infos here, but it is possible!) followed by the data. NOTE: The answer of the access point is a broadcast message as well, so every computer in the subnet would be able to receive the data.
