WiFi Exploited

Martin Suess
martin.suess@csnc.ch

Compass Security AG
GLÄRNISCHSTRASSE 7
POSTFACH 1671
CH-8640 RAPPERSWIL

Tel. +41 55-214 41 60
Fax +41 55-214 41 61
team@csnc.ch www.csnc.ch
Agenda

- Introduction
- WiFi Security Measures & Threats
- Wireless Drivers Exploited
  - Possibilities for packet injection
  - Finding vulnerabilities
  - Searching for (known) exploits
- Demo
  - MadWifi Exploited
- Remedy?!
  - Probability of an attack
  - Remediation

© Compass Security AG Page 3


Introduction

WiFi Security & Threats

[Diagram: unknown devices ("?") reaching the Internet over a wireless LAN]



WiFi Security & Threats

- Wireless LAN is virtually everywhere:
  - Laptops, PDAs, mobile phones, webcams
  - Public access points in train stations, *bucks, ...
- Today a wireless LAN can be secured properly:
  - WPA, WPA2
  - EAP
  - VPN



WiFi Security & Threats

- Is a WLAN really secured properly with WPA/EAP/VPN?
  - Deauthentication (DeAuth) of clients is possible in all 802.11 protocols released so far
  - Access point faking
- What about the lower layers? The wireless LAN drivers?!



Wireless Drivers Exploited

Packet Injection - MadWifi

- MadWifi
  - Open-source wireless driver for Atheros-based wireless LAN NICs
  - Multiple virtual interfaces (VAPs) can be created on one physical device (wifiX -> athX):

    wlanconfig ath1 create wlandev wifi0 mode monitor

  - Supports different modes (excerpt):

    ap       Create the VAP in AP mode.
    monitor  Create the station in monitor mode.
    sta      Create the VAP in station mode.

- Platforms
  - Various Linux distros
  - Mac OS X (part of OS X, user cannot really do much)



Packet injection - LORCON

- Various drivers for various hardware...
- Well-known wireless LAN drivers/chipsets:
  - MadWifi (Atheros chipset)
  - Prism
  - ...
- Raw packet injection is different for every driver
- Solution: the driver abstraction framework LORCON!
  http://802.11ninja.net/lorcon

[Diagram: Application 1, Application 2, ... -> LORCON -> driver back-ends: madwifi[ng|old], prism54, wlan-ng, hostap, airjack, ...]



Finding Vulnerabilities

- Wireless LAN (802.11[a|b|g]) frame format
- Types and subtypes:
  - Control frames (RTS, CTS, ACK, ...)
  - Management frames (Beacons, Probes, Auth, DeAuth, ...)
  - Data frames (Data, ...)



Finding Vulnerabilities

- The frame body contains "Information Elements" (IEs)
  - Basically ID/Length/Value triples: a 1-byte element ID, a 1-byte length, then the value
- Some length restrictions exist for the Information Elements
  - e.g. the SSID, which the standard limits to 32 bytes
- Are they checked by the client (i.e. by the driver)?
- What happens when we send an oversized packet?



Finding Vulnerabilities

- Valid SSID IE

  ID     Length   Value
  0x00   0x07     "Compass"
  1      1        7            (bytes)

- Overlength SSID IE

  ID     Length   Value
  0x00   0xFF     0x90 0x90 0x90 0x90 ... (255 bytes of filler; 0x90 is the x86 NOP)
  1      1        255          (bytes)

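As an added example (not code from the slides, from MadWifi or from Compass Security), the following C program builds a beacon frame around the two SSID IEs shown above and then walks the frame body the way a driver has to. The MAC addresses, the Supported Rates element and the 512-byte frame buffer are constructed assumptions; copy_ssid_unchecked illustrates the bug class only (copy ie[1] bytes into a fixed 32-byte field, trusting the on-air length) and is not MadWifi's actual code, while find_ssid is the bounds-checked walk that rejects the 0xFF-length element instead of overflowing.

```c
/* Added example, not code from the slides or from MadWifi: build an 802.11
 * beacon whose SSID information element has a chosen length, then contrast the
 * unchecked copy a vulnerable driver might do with a bounds-checked IE walk. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ELEMID_SSID      0x00
#define ELEMID_RATES     0x01
#define SSID_MAX_LEN     32   /* 802.11 caps the SSID element body at 32 octets */
#define HDR_LEN          24   /* frame control, duration, addr1-3, sequence control */
#define BEACON_FIXED_LEN 12   /* timestamp(8) + beacon interval(2) + capability(2) */
enum { SSID_BAD_FRAME = -1, SSID_TRUNCATED = -2, SSID_OVERSIZED = -3, SSID_MISSING = -4 };

/* Constructed addresses: broadcast destination and a locally administered fake AP. */
static const uint8_t BCAST[6]   = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
static const uint8_t FAKE_AP[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};

/* Assemble a beacon: MAC header, fixed fields, SSID IE (ID 0x00, 1-byte length,
 * ssid_len value bytes) and a Supported Rates IE. ssid_len may exceed 32; that
 * is the point. Returns the frame length, or 0 if the buffer is too small. */
size_t build_beacon(uint8_t *frame, size_t cap, const uint8_t *ssid, uint8_t ssid_len)
{
    size_t need = HDR_LEN + BEACON_FIXED_LEN + 2 + ssid_len + 2 + 4;
    uint8_t *p;
    if (cap < need)
        return 0;
    memset(frame, 0, need);
    frame[0] = 0x80;                           /* type management, subtype beacon */
    memcpy(frame + 4, BCAST, 6);               /* addr1: destination */
    memcpy(frame + 10, FAKE_AP, 6);            /* addr2: source */
    memcpy(frame + 16, FAKE_AP, 6);            /* addr3: BSSID */
    p = frame + HDR_LEN + 8;                   /* 8-byte timestamp stays zero */
    *p++ = 0x64; *p++ = 0x00;                  /* beacon interval: 100 TU */
    *p++ = 0x01; *p++ = 0x00;                  /* capability: ESS */
    *p++ = ELEMID_SSID; *p++ = ssid_len;
    memcpy(p, ssid, ssid_len); p += ssid_len;
    *p++ = ELEMID_RATES; *p++ = 4;
    *p++ = 0x82; *p++ = 0x84; *p++ = 0x8b; *p++ = 0x96;   /* 1, 2, 5.5, 11 Mbit/s */
    return (size_t)(p - frame);
}

/* The bug class behind an oversized IE: trust the on-air length byte and copy
 * into a fixed 32-byte field. With ie[1] == 0xFF this writes 255 bytes into 32
 * and the 0x90 fill lands on the stack. Illustrative, not MadWifi's own code. */
void copy_ssid_unchecked(uint8_t dst[SSID_MAX_LEN], const uint8_t *ie)
{
    memcpy(dst, ie + 2, ie[1]);
}

/* Checked walk over the beacon body: each IE length is tested against the bytes
 * actually present, and the SSID against its field maximum, before any copy.
 * Returns the SSID length (0..32) or a negative status. */
int find_ssid(const uint8_t *frame, size_t len, uint8_t out[SSID_MAX_LEN])
{
    const uint8_t *p = frame + HDR_LEN + BEACON_FIXED_LEN;
    size_t left;
    if (len < HDR_LEN + BEACON_FIXED_LEN || (frame[0] & 0xfc) != 0x80)
        return SSID_BAD_FRAME;
    for (left = len - (HDR_LEN + BEACON_FIXED_LEN); left >= 2; ) {
        uint8_t id = p[0], ielen = p[1];
        if ((size_t)ielen > left - 2)          /* length claims more than is there */
            return SSID_TRUNCATED;
        if (id == ELEMID_SSID) {
            if (ielen > SSID_MAX_LEN)
                return SSID_OVERSIZED;
            memcpy(out, p + 2, ielen);
            return ielen;
        }
        p += 2 + ielen;
        left -= 2 + ielen;
    }
    return SSID_MISSING;
}

/* Build a beacon with ssid_len bytes of 0x90 fill (the slide's overlength IE),
 * drop `cut` trailing bytes as a truncated capture would, and report what the
 * checked parser makes of it. */
int probe(uint8_t ssid_len, size_t cut)
{
    uint8_t frame[512], fill[255], ssid[SSID_MAX_LEN];
    size_t n;
    memset(fill, 0x90, sizeof fill);
    n = build_beacon(frame, sizeof frame, fill, ssid_len);
    if (n == 0 || cut > n)
        return SSID_BAD_FRAME;
    return find_ssid(frame, n - cut, ssid);
}

int main(void)
{
    uint8_t frame[512], ssid[SSID_MAX_LEN];
    size_t n = build_beacon(frame, sizeof frame, (const uint8_t *)"Compass", 7);
    copy_ssid_unchecked(ssid, frame + HDR_LEN + BEACON_FIXED_LEN);  /* 7 bytes: harmless */
    printf("Compass beacon: %zu bytes, SSID length %d\n", n, find_ssid(frame, n, ssid));
    printf("0xFF-length SSID IE: status %d (SSID_OVERSIZED)\n", probe(255, 0));
    return 0;
}
```

probe() returns the parsed SSID length (0..32) or a negative status code. The byte string build_beacon() produces can be handed to any raw injector (LORCON, or the packet_sender tool from the demo) to see what a real driver does with the oversized element; the unchecked copy, unlike the checked walk, must never be run on the overlength frame, since that copy is the overflow.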


Finding Vulnerabilities

[Diagram: normal path of a frame. Network interface hardware -> 802.11 frame -> driver (kernel) -> operating system -> Application 1 / Application 2 (e.g. HTTP 200 ...). Other hardware and other network interfaces sit beside the wireless interface.]

Finding Vulnerabilities

[Diagram: the same path with an overlength 802.11 frame. The oversized frame overflows a buffer in the driver, and its filler bytes (0 0 0 ...) spill out of the driver into the kernel.]



Demo: Playing with 802.11[a|b|g]

Finding Vulnerabilities - Demo

- airbase -> fuzz-e
  - freely available
  - based on LORCON -> works with many drivers
  - fuzzing too general -> not effective enough
- packet_sender
  - based on LORCON -> works with many drivers
  - self-coded -> better knowledge of its functionality
  - more protocol-aware -> fuzzing more effective



Searching for (known) exploits



Demo: MadWifi Exploited

Environment

[Diagram: the attacker sends the exploit frame to the victim over WiFi; the shellcode connects back to the attacker, who ends up with a root shell: root@victim# _]



Remedy?!

- Probability of such an attack (in general)
  - Attacker has to be physically on site (within WiFi range)
  - Exploit depends on the hardware (chipset -> driver)
  - Exploit depends on the driver version
  - Finding such vulnerabilities and writing exploits is nothing for script kiddies
- Probability of this attack
  - See above
  - Vulnerability known since 06.12.2006
  - Fixed (in version 0.9.2.1) since 07.12.2006 (!!!)
  - Exploit available since 10.01.2007 (usable by script kiddies)



Remedy?!

- Is there any remedy at all?
  - Packets are parsed by the driver before any firewall or VPN ever sees them...
  - There is hardly anything the user can do :-(
- Best effort
  - Disable wireless devices whenever possible
  - Keep reading the news with an eye on driver vulnerabilities
  - Apply patches regularly
  - Avoid public wireless networks and use wired networks instead
  - Work as a low-privileged user (this limits the damage of userland bugs; a driver bug is exploited in kernel context, and the demo's shellcode obtains root regardless)



References

- IEEE 802.11 Standards
  http://standards.ieee.org/getieee802/802.11.html
- MadWifi
  http://madwifi.org/
- LORCON
  http://802.11ninja.net/lorcon
- Airbase
  http://www.802.11mercenary.net/
- Milw0rm
  http://www.milw0rm.org/
  http://www.milw0rm.org/exploits/3389
- Metasploit
  http://www.metasploit.org/
- MadWifi WLAN Driver Buffer Overflow CVE-2006-6332
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6332



Abbreviations

WEP      Wired Equivalent Privacy
WPA      WiFi Protected Access
VPN      Virtual Private Network
EAP      Extensible Authentication Protocol
MadWifi  Multiband Atheros Driver for WiFi
LORCON   Loss Of Radio CONnectivity
(E)SSID  (Extended) Service Set Identifier (human-readable network name)
BSSID    Basic Service Set Identifier (MAC address of the AP)
AP       Access Point
IE       Information Element (part of an 802.11 frame)