[NT] WEP Open Authentication Information Disclosure
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 25 Jan 2006 10:03:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
WEP Open Authentication Information Disclosure
------------------------------------------------------------------------
SUMMARY
" <http://en.wikipedia.org/wiki/WEP> Wired Equivalent Privacy (WEP) is a
scheme to secure wireless networks (WiFi)." WEP with Open Authentication,
can be tricked by attacker to discard the WEP settings and negotiate a
post-association connection with the attacker in the clear.
DETAILS
Certain well-known wireless chipsets, using vulnerable drivers under the
Windows XP operating system and when configured to use WEP with Open
Authentication, can be tricked by a 802.11-based wireless client adapter
operating in master mode ("the attacker") to discard the WEP settings and
negotiate a post-association connection with the attacker in the clear.
ThinkSECURE have named this vulnerability as the
WEP-client-communication-dumbdown or WCCD vulnerability .
End-users of the system would not notice any difference about the clear
connection that was established. Although WPA/2 & WPA-PSK have been out
for some time now, there are still a large installed client base who are
still using WEP-enabled Access Points and thus have WEP-enabled profiles
setup in their laptops.
The vulnerability was observed in a Windows XP wireless client
configuration with the vulnerable drivers and with the following setups:
1. Profile configured using Windows XP zero configuration as well as
using the vulnerable drivers' bundled wireless client managers;
2. Profile configured to use WEP with static WEP key & Open
Authentication.
Using security auditing tool, probemapper, one can remotely evaluate the
SSID and capabilities of wireless profiles from probe requests and assess
whether the subject is probing for any
Open-Authentication-WEP-encryption-enabled wireless networks.
When a Windows XP client using a vulnerable chipset driver is configured
as outlined above via their wireless profiles ("the victim"), the victim
will send out probe requests bearing the SSID configured in the wireless
profile.
An attacker who detects the probe request frames coming from the
configured profile can configure a master-mode-enabled wireless card with
the detected SSID of the probe request frames and, using Open
Authentication with no-encryption, send probe responses to the victim.
The victim will then initiate authentication and association, sending an
association request frame with the Privacy Bit set to 1 (AP/STA can
support WEP).
The attacker returns an association response frame with Privacy Bit set to
0 (AP/STA cannot support WEP).
Although the correct behavior should be to not establish any communication
due to the difference between association request and response Privacy
Bits, the victim "dumbs-down" and establishes an un-encrypted
communications session to match the attacker's Privacy Bit setting of 0,
thus ignoring the WEP settings as configured in the client's profile. All
traffic to & from this connection will be sent in the clear.
A victim who has a vulnerable wireless network at home and brings a laptop
bearing the profile of said home wireless network to his/her organization
and plugs in using a wired connection may be attacked in this manner and
used as a conduit by the attacker, through the bridging of the laptop's
wireless interface to the wired interface, to the victim's organization's
wired network, thus bypassing corporate perimeter defenses. It is
irrelevant that the organization does not use wireless or has a
no-wireless policy if that policy is not strictly enforced through
proactive checking.
Also, firewalling on the victim's laptop might not guarantee safety in
certain cases: e.g. the attacker issues an IP address and gateway address
to the victim in response to the victim's typical DHCP request upon
association so as to fool the victim's machine into forwarding all traffic
to the attacker's machine. The result is that, when the victim opens up a
web browser for example, he will see a crafted page bearing malicious code
on the attacker's machine which runs exploit code on the victim's machine
(a good example being the recent WMF vulnerability) to give the attacker a
reverse shell into the victim, where the attacker can then do the bridging
of the interface or anything else he wants.
Workaround:
1. When not using or connected to your WEP-enabled wireless network,
switch off your wireless client adapter. If your laptop does not have a
hardware switch, disable the interface under windows until such a time as
you need to use your WEP-enabled wireless network. This will minimize the
attack window.
2. Do not configure your Windows wireless profiles to use "Automatic
Connection - Connect when this network is in range" option.
3. Migrate to your profiles and wireless networks to WPA-PSK, WPA or
WPA2, if possible. WPA was not found to be vulnerable for the devices we
tested.
4. Install personal firewalls to prevent unauthorized layer 3
connections, even if an association is made.
5. Regularly patch other components of your Windows operating system to
prevent the kind of scenario outlined in the vulnerability impact section
of this advisory from happening.
6. Watch for chipset driver releases which rectify this vulnerability.
ADDITIONAL INFORMATION
The information has been provided by <mailto:Michael.Wade@xxxxxxxxxxxx>
Michael Wade.
The original article can be found at:
<http://www.securitystartshere.net/page-vulns-wccd.htm>
http://www.securitystartshere.net/page-vulns-wccd.htm
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [EXPL] Windows Kernel APC Privilege Escalation (MS05-055, Exploit)
- Next by Date: [NT] CounterPath eyeBeam SIP Buffer Overflow
- Previous by thread: [EXPL] Windows Kernel APC Privilege Escalation (MS05-055, Exploit)
- Next by thread: [NT] CounterPath eyeBeam SIP Buffer Overflow
- Index(es):
Relevant Pages
|
