8/8/2019 2007 Wifi Exploited v1.0

WiFi Exploited
Martin Suess
Compass Security AG
Glärnischstrasse 7, Postfach 1671, CH-8640 Rapperswil
Tel. +41 55-214 41 60, Fax +41 55-214 41 [email protected], www.csnc.ch
Agenda
- Introduction
- WiFi Security Measures & Threats
- Wireless Drivers Exploited
  - Possibilities for packet injection
  - Finding vulnerabilities
  - Searching for (known) exploits
- Demo: MadWifi Exploited
- Remedy?!
  - Probability of an attack
  - Remediation
Introduction
WiFi Security & Threats
(Diagram slide: wireless link to the "Internet", marked with question marks "? ??".)
WiFi Security & Threats
- Wireless LAN is virtually everywhere:
  - Laptops, PDAs, Mobile Phones, Webcams
  - Public access points in train stations, *bucks, ...
- Today a Wireless LAN can be secured properly
  - WPA, WPA2
  - EAP
  - VPN
WiFi Security & Threats
- Is a WLAN really secured properly with WPA/EAP/VPN?
- DeAuth of clients possible for all 802.11 protocols released so far
- Access point faking
- What about the lower layers? Wireless LAN drivers?!
Wireless Drivers Exploited
Packet Injection - MadWifi
- MadWifi
  - Open-source wireless driver for Atheros-based wireless LAN NICs
  - Multiple virtual interfaces can be created (wifiX, athX):
    wlanconfig ath1 create wlandev wifi0 mode monitor
  - Supports different modes (excerpt):
    ap       Create the VAP in AP mode.
    monitor  Create the station in monitor mode.
    sta      Create the VAP in station mode.
- Platforms
  - Various Linux distros
  - Mac OS X (part of OS X, user cannot really do much)
Packet injection - LORCON
(Diagram: Application1, Application2, ... sit on top of LORCON, which sits on top of the drivers madwifi[ng|old], wlan-ng, hostap, prism54, airjack, ...)
- Various drivers for various hardware...
- Well known wireless LAN drivers/chipsets
  - Madwifi (Atheros chipset)
  - Prism
  - ...
- RAW packet injection different for every driver
- Solution: Driver abstraction framework LORCON!
- http://802.11ninja.net/lorcon
Finding Vulnerabilities
- Wireless LAN (802.11[a|b|g]) frame format
- Types and subtypes
  - Control Frames (RTS, CTS, ACK, ...)
  - Management Frames (Beacons, Probes, Auth, DeAuth, ...)
  - Data Frames (Data, ...)
Finding Vulnerabilities
- Body contains Information Elements
  - Length/Value pairs basically
- Some length restrictions exist in the Information Elements
  - e.g. SSID
- Are they checked by the client?
- What happens when we send an oversized packet?
Finding Vulnerabilities
- Valid SSID IE
- Overlength SSID IE

    ID     Length   Value                         (field widths in bytes)
    0x00   0x07     Compass                       1 / 1 / 7
    0x00   0xFF     0x90 0x90 0x90 0x90 ...       1 / 1 / 255
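The two IEs above, and the frame types and subtypes from the previous slide, as an added example that is not code from the slides or from the MadWifi driver: a small C routine that decodes the type/subtype bits of the 802.11 Frame Control octet, then walks the Information Elements of a management-frame body and copies the SSID into a fixed buffer only after two bounds checks. The 32-octet SSID limit is the IEEE 802.11 one; the function names, result codes and sample bodies are the example's own, the sample bytes being constructed from the slide rather than captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Frame Control, first octet: bits 0-1 protocol version, bits 2-3 type,
 * bits 4-7 subtype (IEEE 802.11). */
enum { FT_MGMT = 0, FT_CTRL = 1, FT_DATA = 2 };
enum { ST_BEACON = 8, ST_DEAUTH = 12 };

typedef struct { uint8_t type; uint8_t subtype; } frame_kind;

frame_kind parse_frame_control(uint8_t fc0)
{
    frame_kind k = { (uint8_t)((fc0 >> 2) & 0x03), (uint8_t)((fc0 >> 4) & 0x0F) };
    return k;
}

/* Information Element layout: 1 byte ID, 1 byte length, then that many value
 * bytes. The SSID element (ID 0) is limited to 32 octets by the standard. */
#define IE_ID_SSID   0x00
#define SSID_MAX_LEN 32

enum { IE_OK = 0, IE_ERR_TRUNCATED = -1, IE_ERR_SSID_TOO_LONG = -2 };

/* Walks the IEs of a management-frame body and copies the SSID into a
 * 33-byte buffer (32 octets + NUL). Two bounds are enforced before any copy:
 * the declared length must lie inside the bytes actually received, and the
 * SSID length must not exceed the protocol maximum. A length byte that passes
 * the first check can still fail the second: 0xFF fits inside a large frame
 * body but never fits a 32-byte SSID buffer. */
int extract_ssid(const uint8_t *body, size_t body_len, char ssid[SSID_MAX_LEN + 1])
{
    size_t off = 0;
    ssid[0] = '\0';
    while (off + 2 <= body_len) {
        uint8_t id  = body[off];
        uint8_t len = body[off + 1];
        if (off + 2 + len > body_len)         /* declared length exceeds the frame */
            return IE_ERR_TRUNCATED;
        if (id == IE_ID_SSID) {
            if (len > SSID_MAX_LEN)           /* declared length exceeds the buffer */
                return IE_ERR_SSID_TOO_LONG;
            memcpy(ssid, body + off + 2, len);
            ssid[len] = '\0';
            return IE_OK;
        }
        off += 2 + (size_t)len;               /* skip to the next element */
    }
    return IE_OK;                             /* no SSID element present */
}

/* Constructed sample bodies (not captured traffic), mirroring the slide. */
static const uint8_t VALID_SSID_IE[]      = { 0x00, 0x07, 'C', 'o', 'm', 'p', 'a', 's', 's' };
static const uint8_t SHORT_OVERLENGTH_IE[] = { 0x00, 0xFF, 0x90, 0x90, 0x90, 0x90 };

/* Returns 1 when the valid IE yields the SSID "Compass". */
int demo_valid(void)
{
    char ssid[SSID_MAX_LEN + 1];
    return extract_ssid(VALID_SSID_IE, sizeof VALID_SSID_IE, ssid) == IE_OK
        && strcmp(ssid, "Compass") == 0;
}

/* The slide's four visible 0x90 bytes with a length of 0xFF: the frame bound catches it. */
int demo_truncated(void)
{
    char ssid[SSID_MAX_LEN + 1];
    return extract_ssid(SHORT_OVERLENGTH_IE, sizeof SHORT_OVERLENGTH_IE, ssid);
}

/* The same IE carried in full (255 value bytes): the frame bound passes, the SSID bound rejects it. */
int demo_overlength(void)
{
    uint8_t body[2 + 255];
    char ssid[SSID_MAX_LEN + 1];
    body[0] = 0x00;
    body[1] = 0xFF;
    memset(body + 2, 0x90, 255);
    return extract_ssid(body, sizeof body, ssid);
}

int main(void)
{
    frame_kind k = parse_frame_control(0x80);   /* beacon: type 0, subtype 8 */
    printf("type=%u subtype=%u\n", k.type, k.subtype);
    printf("valid=%d truncated=%d overlength=%d\n",
           demo_valid(), demo_truncated(), demo_overlength());
    return 0;
}
```

The point the slide raises ("are they checked by the client?") is the second check: a parser that only verifies the IE fits in the frame will happily hand a 255-byte value to a 32-byte destination, which is the shape of bug the driver class discussed in this talk suffers from.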
Finding Vulnerabilities
(Diagram: an 802.11 Frame arrives at the Network Interface, is handled by the Kernel Driver, and reaches Application 1 / Application 2 in the Operating System as "HTTP 200...". Other Hardware and Network Interface x are shown alongside.)
Finding Vulnerabilities
(Diagram: the same stack, now with a stream of 802.11 Frames arriving at the Network Interface and handled by the Kernel Driver.)
Demo: Playing with 802.11[a|b|g]
Finding Vulnerabilities Demo
- airbase -> fuzz-e
  - freely available
  - based on LORCON -> works with many drivers
  - fuzzing too general -> fuzzing not effective enough
- packet_sender
  - based on LORCON -> works with many drivers
  - self coded -> better knowledge of functionality
  - more protocol-aware -> fuzzing more effective
Searching for (known) exploits
Demo: MadWifi Exploited
Environment
(Diagram: the EXPLOIT is sent to the victim; the shellcode connects back, ending in a "root@victim# _" prompt.)
Remedy?!
Remedy?!
- Probability of such an attack (in general)
  - Attacker has to be on-site physically (range of WiFi)
  - Exploit depends on hardware (chipset -> driver)
  - Exploit depends on driver version
  - Finding exploits is nothing for script kiddies
- Probability of this attack
  - See above
  - Vulnerability known since 06.12.2006
  - Fixed (in version 0.9.2.1) since 07.12.2006 (!!!)
  - Exploit available since 10.01.2006 (script kiddy proof)
Remedy?!
- Is there any remedy anyway?
  - Packets are read by driver before firewall or VPN...
  - Hardly anything the user can do :-(
- Best effort
  - Disable wireless devices whenever possible
  - Keep reading the news with an eye on driver vulnerabilities
  - Regularly apply patches
  - Avoid public wireless networks and use wired networks instead
  - Work with low privileged user
References
- IEEE 802.11 Standards: http://standards.ieee.org/getieee802/802.11.html
- MadWifi: http://madwifi.org/
- LORCON: http://802.11ninja.net/lorcon
- Airbase: http://www.802.11mercenary.net/
- Milw0rm: http://www.milw0rm.org/ and http://www.milw0rm.org/exploits/3389
- Metasploit: http://www.metasploit.org/
- MadWifi WLAN Driver Buffer Overflow CVE-2006-6332: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6332
Abbreviations
IE        Information Element (part of a 802.11 frame)
AP        Access Point
BSSID     Basic Service Set Identifier (MAC address of AP)
(E)SSID   (Extended) Service Set Identifier (human readable name)
LORCON    Loss Of Radio CONnectivity
MADWifi   Multiband Atheros Driver for WiFi
EAP       Extensible Authentication Protocol
VPN       Virtual Private Network
WPA       WiFi Protected Access
WEP       Wired Equivalent Privacy