Attacking Automatic Wireless Network Selection

Hello BUGTRAQ,

Simple Nomad recently discussed issues with Windows XP creating
Ad-Hoc wireless networks at this year's ShmooCon. There are, however,
many more similar and more serious problems with how Windows and
MacOS X locate and automatically join wireless networks. These have
been publicly discussed and demonstrated before, but do not seem to
have been given the attention needed as many security professionals
are still unaware of the risks they present.

Simple Nomad's work illustrated the problem when an ad-hoc network
was present in the Preferred Networks list used by Windows XP's Wireless
Auto Configuration service (MacOS X has a similar list of "Trusted
Wireless Networks"). In fact, Windows and MacOS X probe for *every*
network in the preferred/trusted networks list upon boot up and
waking from sleep. Under Windows, the entire list is probed for
continually when the machine is not currently associated to a
wireless network. In addition, any network joined is automatically
added to the top of this list (MacOS X only adds the network to the
trusted networks list if the user elects to do so when joining the
network). Some wireless adapters, notably most 802.11b-only cards,
will automatically probe for randomly generated network names. All
of these behaviors can be taken advantage of by a nearby attacker.

To that effect, I would like to introduce KARMA [1], written by Shane
"K2" Macaulay and myself. Our paper, "Attacking Automatic Wireless
Network Selection" [2] describes serious vulnerabilities in how
wireless networks are identified and automatically joined by Windows
XP and MacOS X workstations. These vulnerabilities may cause nearby
wireless clients to inadvertently and automatically join a rogue
wireless network. KARMA is a proof-of-concept toolkit that
demonstrates the risk of these vulnerabilities through a patch to the
Linux MadWifi driver and client-side exploit toolkit.

Our driver responds to EVERY Probe Request as it operates in HostAP
mode. The wireless network is "cloaked", so it does not send out any
beacons, but when a client in range sends a Probe Request for a
network ("tmobile", "linksys", "megacorp", etc), the driver will
respond as if it were that network. In this way, it acts as a
virtual AP for any network requested. This yields an extremely
effective attack that is able to cause nearly all unassociated
wireless clients within range to join the rogue network. KARMA also
includes a tool for passively monitoring probe requests sent out by
nearby wireless clients and a framework for exploiting client-side
vulnerabilities once the client has joined the rogue network (no live
exploits are included, though).

For example, we demonstrated this attack during our presentation at
Microsoft's first BlueHat internal security conference. In a hall of
400-500 engineers, we hijacked upwards of 100 clients instantly,
enough that our Linux laptop became unstable from all the wireless
traffic passing through it. In practice, since nearly every roaming
laptop has at least one unencrypted hotspot network in their
preferred/trusted networks, almost all Windows XP and MacOS X laptops
are susceptible to this kind of attack.

In addition, our driver uncovered vulnerabilities in drivers for
802.11b-only cards where they probe for randomly generated network
names when the card is not associated to a network. When the KARMA
driver responds to this probe, the card and host will join the
network and DHCP an address, etc. I reported this to both Microsoft
and Apple in the Spring last year. Apple has subsequently fixed the
issue [3] and Microsoft said that a fix would be in the next service
pack.

Again, this is not entirely new stuff. Max Moser released his
HotSpotter [4] tool in April 2004 to create a HostAP based on sniffed
Probe Requests. We first released our driver implementing the
parallel attack in February 2005 at Immunity's Security Shindig in
NYC. However, awareness of these issues appears to still be low.

Cheers,
Dino A. Dai Zovi
Matasano Security
ddz@xxxxxxxxxxxx
http://www.matasano.com
http://www.matasano.com/log/

References:
[1] - http://www.theta44.org/karma/
[2] - http://www.theta44.org/karma/aawns.pdf
[3] - http://docs.info.apple.com/article.html?artnum=301988
[4] - http://www.remote-exploit.org/index.php/Hotspotter_main
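
The behaviour described in the post (one cloaked AP answering Probe Requests for whatever SSID is asked for, including randomly generated names) is itself a detection signal for a monitoring sensor. The Python sketch below is an added example, not part of the original post or of KARMA; the frame tuple format, the sample MAC addresses, the canary naming and the `max_ssids` threshold are all assumptions.

```python
import secrets
from collections import defaultdict

# Constructed sample observations (not captured traffic): each tuple is
# (frame type, transmitter address, SSID) as a monitoring sensor might log it.
SAMPLE_FRAMES = [
    ("probe_req",  "00:11:22:33:44:55", "tmobile"),
    ("probe_resp", "02:00:00:aa:bb:cc", "tmobile"),
    ("probe_req",  "00:11:22:33:44:66", "linksys"),
    ("probe_resp", "02:00:00:aa:bb:cc", "linksys"),
    ("probe_req",  "00:11:22:33:44:77", "megacorp"),
    ("probe_resp", "02:00:00:aa:bb:cc", "megacorp"),
    ("probe_resp", "02:00:00:dd:ee:ff", "megacorp"),  # AP that also beacons
    ("beacon",     "02:00:00:dd:ee:ff", "megacorp"),
]

def make_canary_ssid():
    """Random SSID no real network should own; the sensor probes for it."""
    return "canary-" + secrets.token_hex(8)

def find_answer_all_aps(frames, canary_ssids=(), max_ssids=2):
    """Return {bssid: [reasons]} for BSSIDs that answer probes indiscriminately."""
    answered = defaultdict(set)  # BSSID -> SSIDs it sent Probe Responses for
    beaconed = defaultdict(set)  # BSSID -> SSIDs it advertised in beacons
    for ftype, addr, ssid in frames:
        if ftype == "probe_resp":
            answered[addr].add(ssid)
        elif ftype == "beacon":
            beaconed[addr].add(ssid)
    canaries = set(canary_ssids)
    findings = {}
    for bssid, ssids in answered.items():
        reasons = []
        # A response to a random name means the AP answers for anything.
        if ssids & canaries:
            reasons.append("answered canary SSID")
        # Many SSIDs answered from one BSSID that never beaconed them.
        unbeaconed = ssids - beaconed.get(bssid, set())
        if len(unbeaconed) > max_ssids:
            reasons.append(f"answered {len(unbeaconed)} SSIDs it never beaconed")
        if reasons:
            findings[bssid] = reasons
    return findings
```

The canary check needs only a single response to fire, while the SSID-count check depends on how many distinct clients happen to probe within the observation window.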