[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability]

To: Michael Renzmann <security@dylanic.de>
Subject: Re: [Full-Disclosure] [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability]
From: "Jonathan A. Zdziarski" <jonathan@nuclearelephant.com>
Date: Thu, 04 Dec 2003 02:03:11 -0500

> What do you mean with "externally"? WLAN? Internet?
> I don't know this particular device, but I know that lots of other 
> Access Points that have a web interface regard any request from WLAN as 
> being internal. If this is also the case for the WRT54G, the attack can 
> be made from anyone who is in reach of the Access Point as described in 
> the vulnerability report.

I would hope that users of this device would at least be taking
advantage of the integrated WPA functionality to keep unwanted visitors
off the network - although this still presents a vulnerability, it is
(at the present time) more difficult to hack your way onto a
WPA-protected network than an unencrypted or WEP-encrypted system. 

> WRT54G is said to have an https? Or do you mean SSL for authentication 
> of users before they can access anything on (or behind) the network the 
> Access Point is attached to?

I was referring to https...if it supports it, that's great...they are
certainly working hard to make the newer hardware more secure.  For
authentication, WPA supports certificate-based authentication, but I
doubt any residential user would be using this.  Most would probably
just use the pre-shared key...which used alone doesn't quite make much
more sense than WEP (although it takes away some of the 'cracking wep'
fun).  If, for example, someone were to be a legitimate user on that
network or intercept or deduce the pre-shared key (somehow), it seems as
though it would be relatively easy to decode all subsequent packets for
any user by simply following the stream of new keys generated for each
packet.  This would require capturing every packet from the start of a
session, but appears to still leave a hole open for someone who wanted
to write such a tool (i'm sure WPA-PSK decoding will be part of some new
version of Kismet eventually, as WEP decoding is already).  'Course
being that WPA is new, there's plenty of time for people to spend
cracking it before it goes mainstream.

Jonathan


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability]
  - From: Michael Renzmann <security@dylanic.de>
- Re: [Full-Disclosure] [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability]
  - From: "Jonathan A. Zdziarski" <jonathan@nuclearelephant.com>
- Re: [Full-Disclosure] [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability]
  - From: Michael Renzmann <security@dylanic.de>

Prev by Date: Re: [Full-Disclosure] [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability]
Next by Date: Re: [Full-Disclosure] [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability]
Previous by thread: Re: [Full-Disclosure] [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability]
Next by thread: Re: [Full-Disclosure] [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability]
Index(es):
- Date
- Thread