2007 Wifi Exploited v1.0


Transcript of 2007 Wifi Exploited v1.0

  • 8/8/2019 2007 Wifi Exploited v1.0

    Slide 1/27: WiFi Exploited (title slide)

    Martin Suess
    [email protected]

    Compass Security AG, Glärnischstrasse 7, Postfach 1671, CH-8640 Rapperswil
    Tel. +41 55-214 41 60, Fax +41 55-214 41 [email protected], www.csnc.ch

  • Slide 2/27: WiFi Exploited

    Martin Suess
    [email protected]

  • Slide 3/27: Agenda

    - Introduction
      - WiFi Security Measures & Threats
    - Wireless Drivers Exploited
      - Possibilities for packet injection
      - Finding vulnerabilities
      - Searching for (known) exploits
    - Demo
      - MadWifi Exploited
    - Remedy?!
      - Probability of an attack
      - Remediation

  • Slide 4/27: Introduction (section title)

  • Slide 5/27: WiFi Security & Threats

    [Diagram: wireless setup connected to the Internet, with question marks ("? ??") marking the points under discussion]

  • Slide 6/27: WiFi Security & Threats

    - Wireless LAN is virtually everywhere:
      - Laptops, PDAs, mobile phones, webcams
      - Public access points in train stations, *bucks, ...
    - Today a Wireless LAN can be secured properly
      - WPA, WPA2
      - EAP
      - VPN

  • Slide 7/27: WiFi Security & Threats

    - Is a WLAN really secured properly with WPA/EAP/VPN?
    - DeAuth of clients possible for all 802.11 protocols released so far
    - Access point faking
    - What about the lower layers? Wireless LAN drivers?!

  • Slide 8/27: Wireless Drivers Exploited (section title)

  • Slide 9/27: Packet Injection - MadWifi

    - MadWifi
      - Open-source wireless driver for Atheros-based wireless LAN NICs
      - Multiple virtual interfaces can be created (wifiX, athX):
        wlanconfig ath1 create wlandev wifi0 mode monitor
      - Supports different modes (excerpt):
        ap       Create the VAP in AP mode.
        monitor  Create the station in monitor mode.
        sta      Create the VAP in station mode.
    - Platforms
      - Various Linux distros
      - Mac OS X (part of OS X, user cannot really do much)

  • Slide 10/27: Packet injection - LORCON

    [Diagram: Application1, Application2, ... sit on top of LORCON, which sits on top of the drivers madwifi[ng|old], wlan-ng, hostap, prism54, airjack, ...]

    - Various drivers for various hardware...
    - Well known wireless LAN drivers/chipsets
      - Madwifi (Atheros chipset)
      - Prism
      - ...
    - RAW packet injection different for every driver
    - Solution: Driver abstraction framework LORCON!
      - http://802.11ninja.net/lorcon

  • Slide 11/27: Finding Vulnerabilities

    - Wireless LAN (802.11[a|b|g]) frame format
    - Types and subtypes
      - Control Frames (RTS, CTS, ACK, ...)
      - Management Frames (Beacons, Probes, Auth, DeAuth, ...)
      - Data Frames (Data, ...)

  • Slide 12/27: Finding Vulnerabilities

    - Body contains Information Elements
      - Length/Value pairs basically
    - Some length restrictions exist in the Information Elements
      - e.g. SSID
    - Are they checked by the client?
    - What happens when we send an oversized packet?

  • Slide 13/27: Finding Vulnerabilities

    - Valid SSID IE
        ID 0x00 | Length 0x07 | "Compass"
        (field widths: 1 byte / 1 byte / 7 bytes)
    - Overlength SSID IE
        ID 0x00 | Length 0xFF | 0x90 0x90 0x90 0x90 ...
        (field widths: 1 byte / 1 byte / 255 bytes)
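    The two length checks a driver has to apply to every Information Element before copying its value anywhere, shown as an added example in Python (it is not code from the slides or from MadWifi). It parses a management frame body as a sequence of ID/Length/Value elements and rejects the slide's overlength SSID IE (length 0xFF) while accepting the valid one (length 0x07, "Compass"); the 32-byte SSID limit is the one from IEEE 802.11, the sample frame bodies are constructed, and the 0x90 filler mirrors the slide. The truncated case (a length byte that promises more than was received) goes beyond the slide and is included because it is the other way an unchecked length reads past the buffer.

```python
"""Defensive parser for 802.11 Information Elements (IEs).

Added example, not code from the original slides or from MadWifi: it shows
the checks a driver must apply to every ID/Length/Value element before the
value is copied into a fixed-size buffer.
"""
from dataclasses import dataclass
from typing import List

SSID_ELEMENT_ID = 0x00   # element ID of the SSID IE
SSID_MAX_LEN = 32        # IEEE 802.11: an SSID is 0..32 octets

# Per-element maximum lengths the parser enforces. Only the SSID limit is
# taken from the standard; other IDs fall back to the 255-byte field maximum.
MAX_LEN_BY_ID = {SSID_ELEMENT_ID: SSID_MAX_LEN}


@dataclass
class InformationElement:
    element_id: int
    value: bytes


class MalformedFrame(ValueError):
    """Raised instead of letting a bad length reach a memcpy-style copy."""


def parse_information_elements(body: bytes) -> List[InformationElement]:
    """Walk the IE list, validating each declared length before using it."""
    elements = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise MalformedFrame(f"truncated IE header at offset {pos}")
        element_id = body[pos]
        declared_len = body[pos + 1]
        pos += 2
        # Check 1: the declared length must not run past the received frame.
        if declared_len > len(body) - pos:
            raise MalformedFrame(
                f"IE {element_id:#04x} declares {declared_len} bytes but only "
                f"{len(body) - pos} remain")
        # Check 2: the declared length must respect the element's own limit
        # (the check the slides ask whether clients actually perform).
        limit = MAX_LEN_BY_ID.get(element_id, 255)
        if declared_len > limit:
            raise MalformedFrame(
                f"IE {element_id:#04x} length {declared_len} exceeds limit {limit}")
        elements.append(InformationElement(element_id, body[pos:pos + declared_len]))
        pos += declared_len
    return elements


def extract_ssid(body: bytes) -> str:
    """Return the SSID of a management frame body, or raise MalformedFrame."""
    for ie in parse_information_elements(body):
        if ie.element_id == SSID_ELEMENT_ID:
            return ie.value.decode("utf-8", errors="replace")
    raise MalformedFrame("no SSID element present")


def classify(body: bytes) -> str:
    """Label a frame body as accepted or rejected, with the reason."""
    try:
        return f"accepted: SSID={extract_ssid(body)!r}"
    except MalformedFrame as exc:
        return f"rejected: {exc}"


# Constructed sample bodies mirroring the slide (not real captures).
VALID_SSID_IE = bytes([0x00, 0x07]) + b"Compass"
# Overlength IE: length byte 0xFF followed by 255 filler bytes (0x90 on the slide).
OVERLENGTH_SSID_IE = bytes([0x00, 0xFF]) + b"\x90" * 255
# A frame whose length byte promises more bytes than were actually received.
TRUNCATED_SSID_IE = bytes([0x00, 0xFF]) + b"\x90" * 4

if __name__ == "__main__":
    for name, body in [("valid", VALID_SSID_IE),
                       ("overlength", OVERLENGTH_SSID_IE),
                       ("truncated", TRUNCATED_SSID_IE)]:
        print(f"{name:>10}: {classify(body)}")
```

    The order of the two checks matters: the bounds check against the remaining buffer comes first, so a length byte can never be used as a read offset before it has been compared with what was actually received, and the per-element limit is applied afterwards so that an element that fits the frame but not its destination buffer is still refused.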

  • Slide 14/27: Finding Vulnerabilities

    [Diagram: layered view of a host. Application 1 and Application 2 (e.g. "HTTP 200 ...") run on the Operating System above the Kernel Driver; the Kernel Driver receives the 802.11 Frames coming in on a Network Interface, next to Other Hardware and Network Interface x]

  • Slide 15/27: Finding Vulnerabilities

    [Diagram: same layered view (Operating System, Application 1 / Application 2, Kernel Driver, Network Interface, Other Hardware, Network Interface x), now with a stream of 802.11 Frames arriving at the Kernel Driver]

  • Slide 16/27: Demo - Playing with 802.11[a|b|g] (section title)

  • Slide 17/27: Finding Vulnerabilities Demo

    - airbase -> fuzz-e
      - freely available
      - based on LORCON -> works with many drivers
      - fuzzing too general -> fuzzing not effective enough
    - packet_sender
      - based on LORCON -> works with many drivers
      - self coded -> better knowledge of functionality
      - more protocol-aware -> fuzzing more effective

  • Slide 18/27: Searching for (known) exploits

  • Slide 19/27: Searching for (known) exploits

  • Slide 20/27: Demo - MadWifi Exploited (section title)

  • Slide 21/27: Environment

    [Diagram: the EXPLOIT is sent to the victim, the Shellcode connects back, and the attacker ends up at a "root@victim# _" prompt]

  • Slide 22/27: Remedy?! (section title)

  • Slide 23/27: Remedy?!

    - Probability of such an attack (in general)
      - Attacker has to be on-site physically (range of WiFi)
      - Exploit depends on hardware (chipset -> driver)
      - Exploit depends on driver version
      - Finding exploits is nothing for script kiddies
    - Probability of this attack
      - See above
      - Vulnerability known since 06.12.2006
      - Fixed (in version 0.9.2.1) since 07.12.2006 (!!!)
      - Exploit available since 10.01.2006 (script kiddy proof)

  • Slide 24/27: Remedy?!

    - Is there any remedy anyway?
      - Packets are read by the driver before the firewall or VPN...
      - Hardly anything the user can do :-(
    - Best effort
      - Disable wireless devices whenever possible
      - Keep reading the news with an eye on driver vulnerabilities
      - Regularly apply patches
      - Avoid public wireless networks and use wired networks instead
      - Work with a low-privileged user

  • Slide 25/27: References

    - IEEE 802.11 Standards: http://standards.ieee.org/getieee802/802.11.html
    - MadWifi: http://madwifi.org/
    - LORCON: http://802.11ninja.net/lorcon
    - Airbase: http://www.802.11mercenary.net/
    - Milw0rm: http://www.milw0rm.org/ and http://www.milw0rm.org/exploits/3389
    - Metasploit: http://www.metasploit.org/
    - MadWifi WLAN Driver Buffer Overflow CVE-2006-6332: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6332

  • Slide 26/27: Abbreviations

    IE        Information Element (part of an 802.11 frame)
    AP        Access Point
    BSSID     Basic Service Set Identifier (MAC address of the AP)
    (E)SSID   (Extended) Service Set Identifier (human-readable name)
    LORCON    Loss Of Radio CONnectivity
    MADWifi   Multiband Atheros Driver for WiFi
    EAP       Extensible Authentication Protocol
    VPN       Virtual Private Network
    WPA       WiFi Protected Access
    WEP       Wired Equivalent Privacy

  • Slide 27/27 (end)