2007 Wifi Exploited v1.0

EXPLOITED
Martin Suess
martin.suess@csnc.ch
GLÄRNISCHSTRASSE 7
POSTFACH 1671
CH-8640 RAPPERSWIL
Tel.+41 55-214 41 60
Fax+41 55-214 41 61
team@csnc.ch www.csnc.ch
WiFi Exploited
Martin Suess
martin.suess@csnc.ch
GLÄRNISCHSTRASSE 7
POSTFACH 1671
CH-8640 RAPPERSWIL
Tel.+41 55-214 41 60
Fax+41 55-214 41 61
Agenda
g Introduction
g WiFi Security Measures & Threats
g Wireless Drivers Exploited

g Possibilities for packet injection
g Finding vulnerabilities
g Searching for (known) exploits
g Demo
g MadWifi Exploited
g Remedy?!
g Probability of an attack
g Remediation
© Compass Security AG Page 3

Introduction
GLÄRNISCHSTRASSE 7
POSTFACH 1671
CH-8640 RAPPERSWIL
Tel.+41 55-214 41 60
Fax+41 55-214 41 61
WiFi Security & Threats
Internet
?
? ?

g Wireless LAN is virtually everywhere:

g Laptops, PDAs, Mobile Phones, Webcams
g Public access points in trainstations, *bucks, …
g Today a Wireless LAN can be secured properly

g WPA, WPA2
g EAP
g VPN

g Is a WLAN really secured properly with

WPA/EAP/VPN?
g DeAuth of clients possible for all 802.11

protocols released so far
g Access point faking
g What about the lower layers?

Wireless LAN drivers?!

Wireless Drivers Exploited
GLÄRNISCHSTRASSE 7
POSTFACH 1671
CH-8640 RAPPERSWIL
Tel.+41 55-214 41 60
Fax+41 55-214 41 61
Packet Injection - MadWifi
g MadWifi
g Opensource wireless driver for atheros based wireless LAN NICs
g Multiple virtual interfaces can be created (wifiX, athX)

wlanconfig ath1 create wlandev wifi0 mode monitor
g Supports different modes (excerpt):

ap Create the VAP in AP mode.
monitor Create the station in monitor mode.
sta Create the VAP in station mode.
g Platforms
g Various Linux distros
g Mac OSX (part of OSX, user cannot really do much)

Packet injection - LORCON
g Various drivers for various
Application 1
Application 2
hardware...
...
g Well known wireless LAN
drivers/chipsets
g Madwifi (Atheros chipset)
g Prism
g ... LORCON
g RAW packet injection different for
madwifi[ng|old]
every driver
prism54
wlan-ng
hostap
airjack
g Solution: Driver abstraction
...
framework LORCON!
g http://802.11ninja.net/lorcon

Finding Vulnerabilities
g Wireless LAN (802.11[a|b|g]) frame format
g Types and subtypes

g Control Frames (RTS, CTS, ACK, ...)
g Management Frames (Beacons, Probes, Auth, DeAuth, ...)
g Data Frames (Data, ...)

g Body contains „Information Elements“

g Length/Value pairs basically
g Some length restrictions exist in the Information Elements

g e.g. SSID
g Are they checked by the client?
g What happens when we send an oversized packet?

g Valid SSID IE
0x00 0x07 Compass

1 1 7
g Overlength SSID IE
0x00 0xFF 0x90 0x90 0x90 0x90 00000

1 1 255

Application 1 Application 2
HTTP 200....
Operating System
802.11 Frame Driver Kernel

802.11 Frame Network
Interface x
Network Other
Interface Hardware

Application 1 Application 2
Operating System
802.11
802.11Frame
Frame 0
0
0 Driver 0
802.11
802.11Frame
Frame
0 Network
Interface x
Kernel
Network Other
Interface Hardware

Demo
Playing with
802.11[a|b|g]
GLÄRNISCHSTRASSE 7
POSTFACH 1671
CH-8640 RAPPERSWIL
Tel.+41 55-214 41 60
Fax+41 55-214 41 61
Finding Vulnerabilities – Demo
g airbase -> fuzz-e

g freely available
g based on LORCON -> works with many drivers
g fuzzing too general -> fuzzing not effective enough
g packet_sender
g based on LORCON -> works with many drivers
g self coded -> better knowledge of functionality
g more protocol-aware -> fuzzing more effective

Searching for (known) exploits

Searching for (known) exploits

Demo
MadWifi Exploited
GLÄRNISCHSTRASSE 7
POSTFACH 1671
CH-8640 RAPPERSWIL
Tel.+41 55-214 41 60
Fax+41 55-214 41 61
Environment
Shellcode
connects back
EXPLOIT root@victim# _

Remedy?!
GLÄRNISCHSTRASSE 7
POSTFACH 1671
CH-8640 RAPPERSWIL
Tel.+41 55-214 41 60
Fax+41 55-214 41 61
Remedy?!
g Probability of such an attack (in general)

g Attacker has to be on-site physically (range of WiFi)
g Exploit depends on hardware (chipset -> driver)
g Exploit depends on driver version
g Finding exploits is nothing for script kiddies
g Probability of this attack

g See above
g Vulnerability known since 06.12.2006
g Fixed (in version 0.9.2.1) since 07.12.2006 (!!!)
g Exploit available since 10.01.2006 (script kiddy proof)

Remedy?!
g Is there any remedy anyway?

g Packets are read by driver before firewall or VPN...
g Hardly anything the user can do :-(
g Best effort
g Disable wireless devices whenever possible
g Keep reading the news with an eye on driver vulnerabilities
g Regularly apply patches
g Avoid public wireless networks and use wired networks instead
g Work with low privileged user

References
g IEEE 802.11 Standards

http://standards.ieee.org/getieee802/802.11.html
g MadWifi
http://madwifi.org/
g LORCON
http://802.11ninja.net/lorcon
g Airbase
http://www.802.11mercenary.net/
g Milw0rm
http://www.milw0rm.org/
http://www.milw0rm.org/exploits/3389
g Metasploit
http://www.metasploit.org/
g MadWifi WLAN Driver Buffer Overflow CVE-2006-6332

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6332

Abbreviations
WEP Wired Equivalend Privacy
WPA WiFi Protected Access
VPN Virtual Private Network
EAP Extensible Authentication Protocol
MADWifi Multiband Atheros Driver for Wifi
LORCON Loss Of Radio CONnectivity
(E)SSID (Extended) Service Set Identifier (human readable name)
BSSID Basic Service Set Identifier (MAC address of AP)
AP Access Point
IE Information Element (part of a 802.11 frame)


2007 Wifi Exploited v1.0

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

2007 Wifi Exploited v1.0

Hochgeladen von

Copyright:

Verfügbare Formate

EXPLOITED

g Wireless Drivers Exploited

© Compass Security AG Page 3

© Compass Security AG Page 5

g Wireless LAN is virtually everywhere:

g Today a Wireless LAN can be secured properly

© Compass Security AG Page 6

g Is a WLAN really secured properly with

g DeAuth of clients possible for all 802.11

g Access point faking

g What about the lower layers?

© Compass Security AG Page 7

g Multiple virtual interfaces can be created (wifiX, athX)

g Supports different modes (excerpt):

© Compass Security AG Page 9

g Various drivers for various

g RAW packet injection different for

© Compass Security AG Page 10

g Wireless LAN (802.11[a|b|g]) frame format

g Types and subtypes

© Compass Security AG Page 11

g Body contains „Information Elements“

g Some length restrictions exist in the Information Elements

g Are they checked by the client?

g What happens when we send an oversized packet?

© Compass Security AG Page 12

0x00 0x07 Compass

0x00 0xFF 0x90 0x90 0x90 0x90 00000

© Compass Security AG Page 13

802.11 Frame Driver Kernel

© Compass Security AG Page 14

© Compass Security AG Page 15

g airbase -> fuzz-e

© Compass Security AG Page 17

© Compass Security AG Page 18

© Compass Security AG Page 19

© Compass Security AG Page 21

g Probability of such an attack (in general)

g Probability of this attack

© Compass Security AG Page 23

g Is there any remedy anyway?

© Compass Security AG Page 24

g IEEE 802.11 Standards

g MadWifi WLAN Driver Buffer Overflow CVE-2006-6332

© Compass Security AG Page 25

WEP Wired Equivalend Privacy

WPA WiFi Protected Access

VPN Virtual Private Network

EAP Extensible Authentication Protocol

MADWifi Multiband Atheros Driver for Wifi

LORCON Loss Of Radio CONnectivity

(E)SSID (Extended) Service Set Identifier (human readable name)

BSSID Basic Service Set Identifier (MAC address of AP)

IE Information Element (part of a 802.11 frame)

Das könnte Ihnen auch gefallen