[NT] WEP Open Authentication Information Disclosure

Date: 25 Jan 2006 10:03:34 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  WEP Open Authentication Information Disclosure
------------------------------------------------------------------------


SUMMARY

"Wired Equivalent Privacy (WEP) is a scheme to secure wireless networks 
(WiFi)." (<http://en.wikipedia.org/wiki/WEP>) A client configured for WEP 
with Open Authentication can be tricked by an attacker into discarding its 
WEP settings and negotiating a post-association connection with the 
attacker in the clear.

DETAILS

Certain well-known wireless chipsets, when using vulnerable drivers under 
the Windows XP operating system and configured for WEP with Open 
Authentication, can be tricked by an 802.11 wireless client adapter 
operating in master mode ("the attacker") into discarding the WEP settings 
and negotiating a post-association connection with the attacker in the 
clear.

ThinkSECURE has named this the WEP-client-communication-dumbdown (WCCD) 
vulnerability.

End users would not notice anything different about the cleartext 
connection. Although WPA, WPA2 and WPA-PSK have been available for some 
time, there is still a large installed base of clients using WEP-enabled 
access points, and those clients therefore carry WEP-enabled profiles on 
their laptops.

The vulnerability was observed on Windows XP wireless clients with the 
vulnerable drivers in the following setups:
 1. Profile configured with Windows XP Wireless Zero Configuration as well 
as with the vulnerable drivers' bundled wireless client managers;
 2. Profile configured to use WEP with a static WEP key and Open 
Authentication.

Using the security auditing tool probemapper, one can remotely evaluate the 
SSID and capabilities of wireless profiles from probe requests and assess 
whether the subject is probing for any Open Authentication, WEP-encrypted 
wireless networks.

When a Windows XP client using a vulnerable chipset driver is configured as 
outlined above ("the victim"), it sends out probe requests bearing the SSID 
configured in its wireless profile.

An attacker who detects these probe request frames can configure a 
master-mode-enabled wireless card with the detected SSID and, using Open 
Authentication with no encryption, send probe responses to the victim.

The victim then initiates authentication and association, sending an 
association request frame whose Capability Information field has the 
Privacy bit (bit 4) set to 1 (the STA will use WEP).

The attacker returns an association response frame with the Privacy bit 
set to 0 (the AP does not support WEP).

The correct behaviour is to refuse the association because the Privacy 
bits in the request and the response disagree. Instead, the victim "dumbs 
down" and establishes an unencrypted session to match the attacker's 
Privacy bit of 0, ignoring the WEP settings in its profile. All traffic to 
and from this connection is sent in the clear.
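The exchange described above, as an added example that is not part of the advisory, of ThinkSECURE's work or of probemapper: a small Python parser for the four 802.11 management frame subtypes involved (probe request/response, association request/response), builders for a constructed victim/attacker exchange, the Privacy-bit comparison a correct client should make, and a capture-side check that flags the WCCD signature. The MAC addresses and the SSID are made up, and the probe triage infers a legacy (Open/WEP-era) profile from the absence of RSN/WPA information elements, which is an assumption about what such a check looks at, not a description of probemapper's implementation.

```python
# Added example (not ThinkSECURE's, probemapper's or the advisory's code); addresses, SSID and frames are constructed.
import struct
from dataclasses import dataclass, field
from typing import Optional

SUBTYPES = {0x00: "assoc-req", 0x10: "assoc-resp", 0x40: "probe-req", 0x50: "probe-resp"}
CAP_ESS, CAP_PRIVACY = 1 << 0, 1 << 4        # Capability Information field bits
IE_SSID, IE_RATES, IE_RSN, IE_VENDOR = 0, 1, 48, 221
WPA_IE_PREFIX = b"\x00\x50\xf2\x01"          # vendor IE with OUI 00:50:f2, type 1 = WPA
BCAST = b"\xff" * 6

@dataclass
class MgmtFrame:
    subtype: str
    dst: str
    src: str
    capabilities: Optional[int]              # None for probe requests (no capability field)
    status: Optional[int]                    # association responses only
    ies: list = field(default_factory=list)  # [(element id, payload), ...] in frame order

    def ie(self, eid):
        return next((d for i, d in self.ies if i == eid), None)

    @property
    def ssid(self):
        return self.ie(IE_SSID).decode("utf-8", "replace") if self.ie(IE_SSID) is not None else None

    @property
    def privacy(self):
        return None if self.capabilities is None else bool(self.capabilities & CAP_PRIVACY)

def _parse_ies(body):
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies.append((eid, body[i + 2:i + 2 + ln]))
        i += 2 + ln
    return ies

def parse_mgmt(frame: bytes) -> MgmtFrame:
    """Decode the 24-byte MAC header and the fixed fields of the four subtypes used here."""
    if len(frame) < 24 or frame[0] & 0x0C:   # type bits (2-3) must be 0 = management
        raise ValueError("not an 802.11 management frame")
    subtype = SUBTYPES.get(frame[0] & 0xF0)
    if subtype is None:
        raise ValueError("unsupported management subtype")
    body = frame[24:]
    # (capability offset, first-IE offset): probe resp = timestamp(8)+interval(2)+cap(2); assoc req = cap(2)+listen(2); assoc resp = cap(2)+status(2)+AID(2)
    cap_off, ie_off = {"probe-req": (None, 0), "probe-resp": (10, 12),
                       "assoc-req": (0, 4), "assoc-resp": (0, 6)}[subtype]
    cap = None if cap_off is None else struct.unpack_from("<H", body, cap_off)[0]
    status = struct.unpack_from("<H", body, 2)[0] if subtype == "assoc-resp" else None
    return MgmtFrame(subtype, frame[4:10].hex(":"), frame[10:16].hex(":"), cap, status,
                     _parse_ies(body[ie_off:]))

# Builders for the constructed frames (24-byte header, then the subtype's fixed fields and IEs).
def _hdr(fc0, dst, src, bssid):
    return bytes([fc0, 0x00]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
def _ie(eid, data):
    return bytes([eid, len(data)]) + data
def probe_req(sta, ssid):
    return _hdr(0x40, BCAST, sta, BCAST) + _ie(IE_SSID, ssid)
def assoc_req(sta, bssid, ssid, cap):
    return _hdr(0x00, bssid, sta, bssid) + struct.pack("<HH", cap, 10) + _ie(IE_SSID, ssid)
def assoc_resp(sta, bssid, cap, status=0):
    return _hdr(0x10, sta, bssid, bssid) + struct.pack("<HHH", cap, status, 0xC001)

def legacy_profile_candidate(probe: MgmtFrame) -> bool:
    """Probe triage (assumption): a directed probe carrying no RSN/WPA IE is an Open/WEP-era profile."""
    if probe.subtype != "probe-req" or not probe.ssid:
        return False
    wpa = any(i == IE_VENDOR and d.startswith(WPA_IE_PREFIX) for i, d in probe.ies)
    return probe.ie(IE_RSN) is None and not wpa

def station_should_associate(req: MgmtFrame, resp: MgmtFrame) -> bool:
    """Correct client behaviour: refuse when the response's Privacy bit differs from the request's."""
    return resp.status == 0 and resp.privacy == req.privacy

def detect_downgrades(frames) -> list:
    """Pair each association request with the next response to that station and report the
    WCCD signature: request Privacy=1 answered by a successful response with Privacy=0."""
    pending, alerts = {}, []
    for f in map(parse_mgmt, frames):
        if f.subtype == "assoc-req":
            pending[f.src] = f
        elif f.subtype == "assoc-resp" and f.dst in pending:
            req = pending.pop(f.dst)
            if req.privacy and f.privacy is False and f.status == 0:
                alerts.append(f"{f.dst} asked for WEP on '{req.ssid}' but {f.src} associated it in the clear")
    return alerts

# Constructed exchange (hypothetical addresses and SSID): the victim probes for its home
# profile, the attacker's master-mode card answers as that SSID and associates with Privacy=0.
VICTIM, ATTACKER, SSID = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee"), b"homenet"
EXCHANGE = [
    probe_req(VICTIM, SSID),
    assoc_req(VICTIM, ATTACKER, SSID, CAP_ESS | CAP_PRIVACY),   # Privacy=1: "I will use WEP"
    assoc_resp(VICTIM, ATTACKER, CAP_ESS),                      # Privacy=0: "no WEP here"
]
```

The detector pairs an association request with the next association response addressed to the same station; the signature is Privacy=1 in the request answered by a successful response with Privacy=0, which is exactly the mismatch `station_should_associate` rejects and the vulnerable driver accepts. Against real traffic this would sit behind a monitor-mode capture with radiotap headers stripped, which the example does not include.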

A victim who has a vulnerable wireless network at home, brings a laptop 
carrying that network's profile into the office and plugs it into the wired 
network can be attacked in this manner and used as a conduit: the attacker 
bridges the laptop's wireless interface to its wired interface and reaches 
the organization's wired network, bypassing the corporate perimeter 
defenses. It is irrelevant that the organization does not use wireless or 
has a no-wireless policy if that policy is not enforced through proactive 
checking.

A personal firewall on the victim's laptop does not guarantee safety 
either. For example, the attacker can answer the victim's usual DHCP 
request after association with an IP address and a gateway address of the 
attacker's choosing, so that the victim forwards all its traffic to the 
attacker's machine. When the victim then opens a web browser, the attacker 
serves a crafted page whose malicious code runs an exploit on the victim's 
machine (the recent WMF vulnerability is a good example) and gives the 
attacker a reverse shell, from which the attacker can set up the bridging 
or do anything else.

Workaround:
 1. When not using your WEP-enabled wireless network, switch off the 
wireless client adapter. If the laptop has no hardware switch, disable the 
interface in Windows until you need the WEP-enabled network again. This 
minimizes the attack window.
 2. Do not configure Windows wireless profiles with the "Automatic 
Connection - Connect when this network is in range" option.
 3. Migrate your profiles and wireless networks to WPA-PSK, WPA or WPA2 
where possible. WPA was not found to be vulnerable on the devices we 
tested.
 4. Install a personal firewall to block unauthorized layer 3 connections 
even if an association is made; note that a firewall alone does not stop 
the DHCP-based redirection described above.
 5. Regularly patch the other components of the Windows operating system so 
that the exploitation scenario outlined above cannot succeed.
 6. Watch for chipset driver releases that fix this vulnerability.


ADDITIONAL INFORMATION

The information has been provided by Michael Wade 
<mailto:Michael.Wade@ferguson.com>.
The original article can be found at:
http://www.securitystartshere.net/page-vulns-wccd.htm


