[KLUG Members] new wireless vulnerability?
bill
members@kalamazoolinux.org
Thu, 14 Aug 2003 08:13:22 -0400
Adam Williams wrote:
> > >>The wireless connection got an IP address from the DHCP server (Win 2k
> > >>server) and the user didn't know it. The user connected the wired connection
> > >>and it got another IP address. Because of the network bridge (I think), the
> > >>two network cards sucked all the IP addresses out of the system and brought
> > >>it and a related network down.
> > >Seems unlikely, a bridge SHOULD not act that way. There is either a problem in
> > >their bridge support (A SHOCKING thought, I know, but a possibility none the
> > >less), or someone had their configuration seriously jacked up.
> > Whose bridge support, the client or the server? I'm stumped how it happened in the
> > first place.
>
> I would imagine the bridge the client created, there was no indication
> there was a bridge present on a server anywhere.
True, though there must be some relation between the wireless access point and the wired
access point. I don't know if both those devices do DHCP or just one or some other
entity.
> > >>Anyone heard of anything like this before?
> > >No, but there are a myriad ways it can happen. The bridge broke arp, the client
> > >requested an IP address with the broadcast MAC, the client went into a lease
> > >request loop, etc... All of these would require a seriously depraved network
> > >configuration or just really really really bad software (again, SHOCKING).
> > Could you translate "the bridge broke arp"?
>
> ARP is the protocol used to map IP<->MAC so that IP packets can be
> transmitted inside ethernet frames. If you screw up arp you'll trash
> the ethernet.
New info: the computer responded that there was a problem on the network with
conflicting IP addresses, i.e., two computers with the same IP. What if the "conflict"
was the same computer with the two interfaces?
> You'd think that by now everyone would have rock solid
> ARP implementations,..... but I've encountered some bad ones pretty
> recently (most notably the Cisco 776 SOHO ISDN router). They can either
> transmit corrupt ARP packets (as in the 776's case), refuse to respond
> to some ARP requests, respond to the *WRONG* ARP requests (requests
> someone else should have responded to, had a Xyplex port server that did
> this), etc....
>
> > There was obviously some sort of lease request loop.
>
> But a lease loop shouldn't be able to knock off clients that already
> have leases. A client possessing a lease has first dibs in keeping it,
> and according to RFC the DHCP server is supposed to ICMP test each
> address for actual availability before leasing it out to a client.
I was thinking similarly, that computers that already had leases shouldn't be affected.
But, that's not what happened, all other boxes (even on a remote network) went down.
> > > > What would happen if a hacker connected to an available wireless network
> > > > with -two- wireless cards installed? Would all wireless networks be
> > > > vulnerable to a similar scenario?
>
> Technically, so are most cabled networks. Hence the interest in
> "certified" clients, demand for things like DNSSEC, etc...
>
> > > If they operate via DHCP and there isn't anything stopping anyone from requesting IP
> > > leases willy-nilly, they could do the above with one WIC.
> > It seems to me that DHCP with IP leases free for the asking is the most common
> > setup,
>
> Yes.
>
> > which made me wonder how vulnerable the average wireless network is to
> > someone just driving down the street.
>
> Depends on a great many factors, but I'd wager the answer trends towards
> "very".
Do you think the network bridge is at the heart of the issue or a less-than-stable ARP
setup?
BTW, I still don't understand why the wizard sets up a network bridge "every time." The
wizard was simply supposed to configure for connection to a single LAN. What two
entities was it thinking of bridging?
kind regards,
bill
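
An added example, not part of the original message or anyone's reply: one way a DHCP administrator could spot the failure discussed in this thread (one client draining the pool, or a lease handed to a broadcast MAC) by replaying lease events. The log format, sample lines, addresses, and the function names are constructed for illustration and do not match any particular DHCP server's log.

```python
from collections import defaultdict

# Constructed sample lease log (not from the thread): "<epoch> <event> <client MAC> <IP>"
SAMPLE_LOG = """\
1000 ACK 00:0c:29:aa:bb:01 192.168.1.10
1005 ACK 00:0c:29:aa:bb:02 192.168.1.11
1010 ACK 00:02:2d:11:22:33 192.168.1.12
1011 ACK 00:02:2d:11:22:33 192.168.1.13
1012 ACK 00:02:2d:11:22:33 192.168.1.14
1013 ACK ff:ff:ff:ff:ff:ff 192.168.1.15
1014 RELEASE 00:0c:29:aa:bb:02 192.168.1.11
1015 ACK 00:02:2d:11:22:33 192.168.1.11
"""

def active_leases(log_text):
    """Replay ACK/RELEASE events; return {mac: set of IPs currently held}."""
    held = defaultdict(set)
    owner = {}  # ip -> mac that currently holds it
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, event, mac, ip = parts
        mac = mac.lower()
        if event == "ACK":
            prev = owner.get(ip)
            if prev and prev != mac:
                held[prev].discard(ip)  # address was reassigned
            owner[ip] = mac
            held[mac].add(ip)
        elif event == "RELEASE" and owner.get(ip) == mac:
            held[mac].discard(ip)
            del owner[ip]
    return {m: ips for m, ips in held.items() if ips}

def is_group_mac(mac):
    """True for broadcast/multicast MACs, which are never a valid client address."""
    return int(mac.split(":")[0], 16) & 1 == 1

def audit(log_text, pool_size, max_per_mac=1):
    """Flag MACs holding too many leases, group MACs, and pool utilization."""
    held = active_leases(log_text)
    used = sum(len(ips) for ips in held.values())
    return {
        "hogs": sorted(m for m, ips in held.items() if len(ips) > max_per_mac),
        "bad_macs": sorted(m for m in held if is_group_mac(m)),
        "utilization": used / pool_size,
    }
```

Calling `audit(SAMPLE_LOG, pool_size=10)` reports the one MAC holding four addresses, the broadcast MAC that was granted a lease, and how much of the pool is in use.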