Attacking Automatic Wireless Network Selection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Attacking Automatic Wireless Network Selection
From: "Dino A. Dai Zovi" <ddz@xxxxxxxxxxxx>
Date: Tue, 17 Jan 2006 15:21:55 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hello BUGTRAQ,

Simple Nomad recently discussed issues with Windows XP creating Ad-Hoc wireless networks at this year's ShmooCon. There are, however,many more similar and more serious problems with how Windows andMacOS X locate and automatically join wireless networks. These havebeen publicly discussed and demonstrated before, but do not seem tohave been given the attention needed as many security professionalsare still unaware of the risks they present.

Simple Nomad's work illustrated the problem when an ad-hoc networkwas present the Preferred Networks list used by Windows XP's WirelessAuto Configuration service (MacOS X has an similar list of "TrustedWireless Networks"). In fact, Windows and MacOS X probe for *every*network in the preferred/trusted networks list upon boot up andwaking from sleep. Under Windows, the entire list is probed forcontinually when the machine is not currently associated to awireless network. In addition, any network joined is automaticallyadded to the top of this list (MacOS X only adds the network to thetrusted networks list if the user elects to do so when joining thenetwork). Some wireless adapters, notably most 802.11b-only cards,will automatically probe for randomly generated network names. Allof these behaviors can be taken advantage of by a nearby attacker.

To that effect, I would like to introduce KARMA [1], written by Shane"K2" Macaulay and myself. Our paper, "Attacking Automatic WirelessNetwork Selection" [2] describes serious vulnerabilities in howwireless networks are identified and automatically joined by WindowsXP and MacOS X workstations. These vulnerabilities may cause nearbywireless clients to inadvertently and automatically join a roguewireless network. KARMA is a proof-of-concept toolkit thatdemonstrates the risk of these vulnerabilities through a patch to theLinux MadWifi driver and client-side exploit toolkit.

Our driver responds to EVERY Probe Request as it operates in HostAPmode. The wireless network is "cloaked", so it does not send out anybeacons, but when a client in range sends a Probe Request for anetwork ("tmobile", "linksys", "megacorp", etc), the driver willrespond as if it were that network. In this way, it acts as avirtual AP for any network requested. This yields an extremelyeffective attack that is able to cause nearly all unassociatedwireless clients within range to join the rogue network. KARMA alsoincludes a tool for passively monitoring probe requests sent out bynearby wireless clients and a framework for exploiting client-sidevulnerabilities once the client has joined the rogue network (no liveexploits are included, though).

For example, we demonstrated this attack during our presentation atMicrosoft's first BlueHat internal security conference. In a hall of400-500 engineers, we hijacked upwards of 100 clients instantly,enough that our Linux laptop became unstable from all the wirelesstraffic passing through it. In practice, since nearly every roaminglaptop has at least one unencrypted hotspot network in theirpreferred/trusted networks, almost all Windows XP and MacOS X laptopsare susceptible to this kind of attack.

In addition, our driver uncovered vulnerabilities in drivers for802.11b-only cards where they probe for randomly generated networknames when the card is not associated to a network. When the KARMAdriver responds to this probe, the card and host will join thenetwork and DHCP an address, etc. I reported this to both Microsoftand Apple in the Spring last year. Apple has subsequently fixed theissue [3] and Microsoft said that a fix would be in the next servicepack.

Again, this is not entirely new stuff. Max Moser released hisHotSpotter [4] tool in April 2004 to create a HostAP based on sniffedProbe Requests. We first released our driver implementing theparallel attack in February 2005 at Immunity's Security Shindig inNYC. However, awareness of these issues appears to still be low.


Cheers,

Dino A. Dai Zovi
Matasano Security
ddz@xxxxxxxxxxxx
http://www.matasano.com
http://www.matasano.com/log/

References:

[1] - http://www.theta44.org/karma/
[2] - http://www.theta44.org/karma/aawns.pdf
[3] - http://docs.info.apple.com/article.html?artnum=301988
[4] - http://www.remote-exploit.org/index.php/Hotspotter_main

Prev by Date: [USN-243-1] tuxpaint vulnerability
Next by Date: Oracle DBMS Access Control Bypass in Login
Previous by thread: [USN-243-1] tuxpaint vulnerability
Next by thread: Oracle DBMS Access Control Bypass in Login
Index(es):
- Date
- Thread