_______________________________________________________________________________
Nomad Mobile Research Centre
A D V I S O R Y
www.nmrc.org
Simple Nomad [thegnome@nmrc.org]
14Jan2006
_______________________________________________________________________________
Microsoft Windows Silent Adhoc Network Advertisement
Platforms : Windows 2000/XP/2003
Application: Wireless Network Connection
(aka Microsoft Wireless Client)
Severity : High (albeit lame)
Synopsis
--------
This advisory documents an anomaly involving Microsoft's Wireless Network
Connection. If a laptop connects to an ad-hoc network it can later start
beaconing the ad-hoc network's SSID as its own ad-hoc network without the
laptop owner's knowledge. This can allow an attacker to attach to the laptop
as a prelude to further attack.
Details
-------
The following is a sample scenario:
- Alice has a wireless access point at home with an SSID of "linksys", which
she has successfully set up and connected to with her laptop.
- Alice goes to the airport (or train station or coffee shop) and opens her
laptop.
- Bob, who is sitting next to Alice, has a laptop configured with an ad-hoc
network advertising an SSID of "linksys".
- Alice's laptop when started looks for the SSID of "linksys", and attachs to
Bob's ad-hoc network.
- The next time Alice boots up the laptop when the Ethernet cable is not
attached and there is no "linksys" SSID in range, Alice starts advertising
an ad-hoc network with an SSID of "linksys".
This is basically a configuration error that spreads virus-like from laptop to
laptop. In field tests, numerous ad-hoc SSIDs such as "linksys", "dlink",
"tmobile", "hpsetup", and others have been documented.
The issue is compounded with a few additional caveats. Laptops with built-in
wireless connectivity are usually left with the wireless active. Additionally,
by default most wireless connections use DHCP to acquire an IP address. If
the DHCP request fails, Microsoft has implemented RFC 3927 [1] to provide an IP
address via APIPA (Automated Private IP Address) [2] in the 169.254.0.0/16
range [3]. This is known as a Link-Local address, and by default Link-Local is
turned on on all Windows platforms on all interfaces, including wireless
interfaces. Details of Microsoft's Link-Local implementation is in RFC 3927,
appendix A.4 (Microsoft is a co-author of RFC 3927).
Essentially this assigns the advertising ad-hoc network an IP address. On
Windows 2000 and Windows XP SP0 and SP1, this all happens in the background
without the user's knowledge -- on Windows XP SP2, the user is notified it has
"attached" to an ad-hoc network, when in fact it has simply started
advertising the ad-hoc network and the Link-Local address has been assigned. An
attacker can attach to the ad-hoc SSID and either manually assign an IP address
in the 169.254 class B or simply DHCP and await a time-out that assigns the
attacker's laptop an IP address via a Link-Local configuration. After passively
sniffing and awaiting the usual NetBIOS traffic and/or by running a ping sweep,
the victim's IP address can be discovered. The attacker can then perform the
various probes and attacks to gain access to the system.
If the attacker is impatient in waiting for determining the IP address of the
victim computer, the attacker can attach to the advertising SSID and offer up
a DHCP server. Windows systems running Link-Local addresses periodically probe
for a DHCP address, so the victim will eventually get the DHCP address and
switch to the new address supplied by the DHCP as opposed to continue using the
APIPA number. By tracking what IP addresses are being served by the DHCP
server, the attacker can spend more time on an attack and less time solving the
connectivity issue.
There is a warning about using Link-Local with wireless LANs due to the lack of
physical security in RFC 3927 section 5 paragraph 3, but unfortunately
Microsoft failed to properly heed this warning in spite of co-authoring the
RFC.
Tested configurations
---------------------
Field tests were conducted and the following systems were either positively
identified (sometimes via "shoulder surfing") or approximated based upon
passive fingerprinting of network traffic:
Windows 2000 SP 2
Windows 2000 SP 3
Windows 2000 SP 4
Windows XP Home Edition Gold
Windows XP Professional Gold
Windows XP Professional SP 1
Windows XP Professional SP 2
Windows 2003 (unknown patch level)
Lab tests were conducted with 2 laptops with the following configuration:
Windows XP Professional Gold
Windows XP Professional SP 2
Vendor Response
---------------
Microsoft was contacted on October 13, 2005. After numerous exchanges of emails
and a conference call, Microsoft was able to reproduce and isolate the issue
within their software. As there are multiple and easy-to-implement workarounds
for the issue, Microsoft has scheduled to include the fix in the next service
packs.
Solution/Workaround
-------------------
Until Microsoft releases Service Packs for the affected platforms, use one of
the following three workarounds:
Workaround #1:
Disable wireless when not in use. Simple, eh?
Workaround #2:
Use an alternate Wireless Client Manager, (e.g. for an integrated Intel Wifi
connector, use Intel PROSet/Wireless) as all others tested do not seem to
have the problem (this testing was not all-inclusive).
Workaround #3 (recommended):
1. Click on the Wireless option in the System Tray and open the Wireless
Network Connection window.
2. Click on "Change advanced settings".
3. In the Wireless Network Connection Properties window, click on the Wireless
Networks tab.
4. Click on the Advanced button.
5. Click on "Access point (infrastructure) networks only"
This workaround prevents you from connecting to any ad-hoc network in the
first place.
Comments
--------
Yes this is lame. I know this, don't email me with that info. However I deem it
serious due to the exposure in laptops with wireless.
In field tests, it became apparent that if the laptop user fired up their
laptop in the airport terminal and was advertising an ad-hoc network, when the
same laptop user fired up their laptop during the flight, they would in fact
be advertising the ad-hoc network during flight. This has a couple of
ramifications.
The first is that if wireless laptops with the wireless adapter enabled were
capable of interfering with the navigational systems as claimed by the airlines
then we would be having numerous in-flight incidents due to the high
proliferation of wifi-enabled laptops used by business people on flights. The
second ramification is that users sitting on a plane at 35,000 feet are not
going to be suspecting a network attack against the laptop in the lap, and so
any odd "side effects" from probe and attack attempts (service crashing, blue
screen or a restart) will be dismissed as a local system anomaly and not an
attack, allowing the attacker to be a little more aggressive.
Here is collected data from 4 domestic flights within the U.S. conducted during
September and October 2005. The data was collected using NetStumbler, NMap,
and Metasploit Framework [4] from a laptop running Windows XP:
Aircraft Laptops* Ad-hoc Nets** Live Targets Vulnerable***
-------- -------- ------------- ------------ -------------
MD80 8 2 3 1
MD80 12 5 5 4
757 22 1 3 3
MD80 14 4 4 3
* Number of laptops out and running at approximately the halfway point of the
flight.
** In some cases, an ad-hoc network would form and other laptops would attach
to it instead of advertising their own ad-hoc network.
*** A system was classified as vulnerable if it could be remotely compromised
or it was open enough to allow files to be copied to or from the hard
drive. Vulnerabilities included CVE-2005-0059 (MS05-017), CVE-2005-1983
(MS05-039), open shares, and NULL access.
It should also be noted that while visiting Charlotte, NC (whose airport at
the time had no commercial wireless offering like TMobile or anything else) --
walking the terminal during massive eastcoast rain delays with most flights
delayed by a couple of hours -- I counted no less than 62 ad-hoc devices. The
novelty of collecting data during flight was the focus of the table above, but
a conservative estimate would put have of those ad-hoc devices at risk.
Greetz
------
OSVDB, American Airlines (extra room in coach rocks, but serve iced tea for
christ sake), Starbucks, and everyone in the scene in DFW.
Special Greetz to Dino and K2, check out http://www.theta44.org/karma/ as
they covered some similar ground at Bluehat and CanSecWest (I was at neither),
KARMA works great and is perfect for owning every laptop in the terminal or
on the plane.
References
----------
[1] http://www.faqs.org/rfcs/rfc3927.html - This defines IPv4 Link-Local
addresses and their use.
[2] http://en.wikipedia.org/wiki/APIPA
[3] http://www.faqs.org/rfcs/rfc3330.html - This defines special-use address
ranges, including the 169.254 class B.
[4] You should know these tool locations by heart. Netstumbler, Nmap, and
Metasploit Framework can be found at www.netstumbler.com,
www.insecure.org/nmap, and www.metasploit.com respectively.
Copyright
---------
This advisory is Copyright (c) 2006 NMRC - feel free to distribute it without
edits, but you DO NOT have permission to use this advisory in any type of
commercial endeavour.
_______________________________________________________________________________
