[KLUG Members] new wireless vulnerability?

Adam Williams members@kalamazoolinux.org
Thu, 14 Aug 2003 07:02:44 -0400


> >>The wireless connection got an IP address from the DHCP server (Win 2k
> >>server) and the user didn't know it.  The user connected the wired connection
> >>and it got another IP address.  Because of the network bridge (I think), the
> >>two network cards sucked all the IP addresses out of the system and brought
> >>it and a related network down.
> >Seems unlikely, a bridge SHOULD not act that way.  There is either a problem in
> >their bridge support (A SHOCKING thought, I know, but a possibility none the
> >less), or someone had their configuration seriously jacked up.
> Whose bridge support, the client or the server?  I'm stumped how it happened in the
> first place.

I would imagine the bridge the client created,  there was no indication
there was a bridge present on a server anywhere.

> >>Anyone heard of anything like this before?
> >No, but there are a myriad ways it can happen.  The bridge broke arp, the client
> >requested an IP address with the broadcast MAC, the client went into a lease
> >request loop, etc... All of these would require a seriously depraved network
> >configuration or just really really really bad software (again, SHOCKING).
> Could you translate "the bridge broke arp"?  

ARP is the protocol used to map IP<->MAC so that IP packets can be
transmitted inside ethernet frames.  If you screw up arp you'll trash
the ethernet.  You'd think that by now everyone would have rock solid
ARP implementations,..... but I've encountered some bad ones pretty
recently (most notably the Cisco 776 SOHO ISDN router).  They can either
transmit corrupt ARP packets (as in the 776's case), refuse to respond
to some ARP requests, respond to the *WRONG* ARP requests (requests
someone else should have responded to, had a Xyplex port server that did
this), etc....

> There was obviously some sort of lease request loop.

But a lease loop shouldn't be able to knock off clients that already
have leases.  A client possessing a lease has first dibs in keeping it,
and according to RFC the DHCP server is supposed to ICMP test each
address for actual availability before leasing it out to a client.

> > > What would happen if a hacker connected to an available wireless network
> > > with -two- wireless cards installed?  Would all wireless networks be
> > > vulnerable to a similar scenario?

Technically, so are most cabled networks.  Hence the interest in
"certified" clients, demand for things like DNSSEC, etc... 

> > If they operate via DHCP and there isn't anything stopping anyone from requesting IP
> > leases willy-nilly, they could do the above with one WIC.
> It seems to me that DHCP with IP leases free for the asking are the most common
> setup, 

Yes.

> which made me wonder how vulnerable the average wireless network is to
> someone just driving down the street.

Depends on a great many factors, but I'd wager the answer trends towards
"very".
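The thread above describes lease exhaustion from the operator's side (a misbehaving bridge or a deliberate requester draining the pool) without showing what it looks like in the server's log. The following is an added example, not part of the original list thread and not code from any poster: a small detector that reads ISC dhcpd-style syslog lines and flags a burst of DHCPDISCOVERs from many distinct MACs on one interface, plus the server's own "no free leases" message. The log lines, MAC addresses, IPs and hostnames are constructed for the example; the line layout follows dhcpd's syslog format, but the window size and client threshold are arbitrary assumptions to be tuned per network.

```python
"""Flag DHCP pool-exhaustion patterns in dhcpd-style syslog lines.

All sample data below is constructed for illustration; only the line layout
mimics ISC dhcpd syslog output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches a DHCPDISCOVER line, optionally carrying dhcpd's "no free leases" suffix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<iface>[^\s:]+)"
    r"(?P<exhausted>: network \S+: no free leases)?\s*$",
    re.IGNORECASE,
)


def parse_discovers(lines):
    """Yield (timestamp, mac, iface, exhausted) for every DHCPDISCOVER line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # OFFER/REQUEST/ACK and unrelated lines are ignored
        # syslog timestamps carry no year; relative ordering is all we need
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        yield ts, m["mac"].lower(), m["iface"], m["exhausted"] is not None


def detect_starvation(lines, window_seconds=60, max_new_clients=5):
    """Return alert strings for lease-exhaustion indicators.

    A burst alert fires once per interface when more than `max_new_clients`
    distinct MACs send DHCPDISCOVER within `window_seconds`; an exhaustion
    alert fires for every line where dhcpd reports "no free leases".
    Thresholds are assumptions for the example, not recommended values.
    """
    alerts = []
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)  # iface -> [(ts, mac), ...] inside the window
    flagged = set()             # interfaces already reported for a burst
    for ts, mac, iface, exhausted in parse_discovers(lines):
        if exhausted:
            alerts.append(f"{ts:%b %d %H:%M:%S} {iface}: pool exhausted "
                          f"(no free leases for {mac})")
        events = recent[iface]
        events.append((ts, mac))
        # drop events that fell out of the sliding window
        recent[iface] = events = [(t, m) for t, m in events if ts - t <= window]
        distinct = {m for _, m in events}
        if len(distinct) > max_new_clients and iface not in flagged:
            flagged.add(iface)
            alerts.append(f"{ts:%b %d %H:%M:%S} {iface}: {len(distinct)} distinct "
                          f"MACs sent DHCPDISCOVER within {window_seconds}s")
    return alerts


def _constructed_log():
    """Constructed sample: two ordinary clients on eth0, then a burst on eth1."""
    lines = [
        "Aug 14 06:55:10 dhcp dhcpd: DHCPDISCOVER from 00:0c:29:11:22:33 via eth0",
        "Aug 14 06:55:10 dhcp dhcpd: DHCPOFFER on 10.1.1.20 to 00:0c:29:11:22:33 via eth0",
        "Aug 14 06:58:42 dhcp dhcpd: DHCPDISCOVER from 00:0c:29:44:55:66 via eth0",
    ]
    for i in range(1, 9):  # eight different MACs within eight seconds on eth1
        lines.append(f"Aug 14 07:00:0{i} dhcp dhcpd: DHCPDISCOVER from 00:0c:29:aa:00:0{i} via eth1")
        lines.append(f"Aug 14 07:00:0{i} dhcp dhcpd: DHCPOFFER on 10.1.2.{49 + i} "
                     f"to 00:0c:29:aa:00:0{i} via eth1")
    lines.append("Aug 14 07:00:09 dhcp dhcpd: DHCPDISCOVER from 00:0c:29:aa:00:09 via eth1: "
                 "network 10.1.2.0/24: no free leases")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in detect_starvation(SAMPLE_LOG):
        print(alert)
```

The burst rule keys on distinct client MACs per interface rather than on request volume, because a single retransmitting client produces many DISCOVERs but only one MAC; the "no free leases" rule is the ground truth that the pool actually ran dry. On a network that hands out leases to anyone who asks, as the thread notes most do, this is the earliest log-side signal that something is draining the pool, whether a broken bridge or a drive-by requester.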