[KLUG Members] new wireless vulnerability?

bill members@kalamazoolinux.org
Thu, 14 Aug 2003 08:13:22 -0400


Adam Williams wrote:

> > >>The wireless connection got an IP address from the DHCP server (Win 2k
> > >>server) and the user didn't know it.  The user connected the wired connection
> > >>and it got another IP address.  Because of the network bridge (I think), the
> > >>two network cards sucked all the IP addresses out of the system and brought
> > >>it and a related network down.
> > >Seems unlikely, a bridge SHOULD not act that way.  There is either a problem in
> > >their bridge support (A SHOCKING thought, I know, but a possibility none the
> > >less),  or someone had their configuration seriously jacked up.
> > Whose bridge support, the client or the server?  I'm stumped how it happened in the
> > first place.
>
> I would imagine the bridge the client created,  there was no indication
> there was a bridge present on a server anywhere.

True, though there must be some relation between the wireless access point and the wired
access point.  I don't know if both those devices do DHCP or just one or some other
entity.

> > >>Anyone heard of anything like this before?
> > >No, but there are a myriad ways it can happen.  The bridge broke arp, the client
> > >requested an IP address with the broadcast MAC, the client went into a lease
> > >request loop, etc... All of these would require a seriously depraved network
> > >configuration or just really really really bad software (again, SHOCKING).
> > Could you translate "the bridge broke arp"?
>
> ARP is the protocol used to map IP<->MAC so that IP packets can be
> transmitted inside ethernet frames.  If you screw up arp you'll trash
> the ethernet.

New info: the computer responded that there was a problem on the network with
conflicting IP addresses, i.e., two computers with the same IP.  What if the "conflict"
was the same computer with the two interfaces?

> You'd think that by now everyone would have rock solid
> ARP implementations,..... but I've encountered some bad ones pretty
> recently (most notably the Cisco 776 SOHO ISDN router).  They can either
> transmit corrupt ARP packets (as in the 776's case), refuse to respond
> to some ARP requests, respond to the *WRONG* ARP requests (requests
> someone else should have responded to, had a Xyplex port server that did
> this), etc....
>
> > There was obviously some sort of lease request loop.
>
> But a lease loop shouldn't be able to knock off clients that already
> have leases.  A client possessing a lease has first dibs in keeping it,
> and according to RFC the DHCP server is supposed to ICMP test each
> address for actual availability before leasing it out to a client.

I was thinking similarly, that computers that already had leases shouldn't be affected.
But, that's not what happened, all other boxes (even on a remote network) went down.

> > > > What would happen if a hacker connected to an available wireless network
> > > > with -two- wireless cards installed?  Would all wireless networks be
> > > > vulnerable to a similar scenario?
>
> Technically, so are most cabled networks.  Hence the interest in
> "certified" clients, demand for things like DNSSEC, etc...
>
> > > If they operate via DHCP and there isn't stopping anyone from requesting IP
> > > leases willy-nilly, they could do the above with one WIC.
> > It seems to me that DHCP with IP leases free for the asking are the most common
> > setup,
>
> Yes.
>
> > which made me wonder how vulnerable the average wireless network is to
> > someone just driving down the street.
>
> Depends on a great many factors, but I'd wager the answer trends towards
> "very".

Do you think the network bridge is at the heart of the issue or a less-than-stable ARP
setup?

BTW, I still don't understand why the wizard sets up a network bridge "every time."  The
wizard was simply supposed to configure for connection to a single LAN.  What two
entities was it thinking of bridging?

kind regards,

bill
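The thread above describes symptoms a DHCP server's own log would show: one host looping through lease requests and draining the pool, and the server handing out an address that another client already holds (the "IP conflict" the computer reported). The script below is an added example, not part of the original post or anything the list members wrote. It runs over a constructed sample of ISC dhcpd-style syslog lines (the MAC addresses, IPs, hostname `dhcpsrv`, and the thresholds are invented for illustration) and flags three defender-side signals: a MAC sending too many DHCPDISCOVERs in a short window, a MAC acknowledged for more distinct addresses than one host should need, and an address offered or acknowledged to more than one MAC.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original thread). Client ...:01 takes one
# lease and keeps it; client ...:02 loops DISCOVER/OFFER/ACK and is handed a new
# address each time, and the server finally offers it .50, which ...:01 still holds.
SAMPLE_LOG = """\
Aug 14 08:00:01 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:01 via eth0
Aug 14 08:00:01 dhcpsrv dhcpd: DHCPOFFER on 192.168.1.50 to 00:0c:29:aa:bb:01 via eth0
Aug 14 08:00:02 dhcpsrv dhcpd: DHCPREQUEST for 192.168.1.50 from 00:0c:29:aa:bb:01 via eth0
Aug 14 08:00:02 dhcpsrv dhcpd: DHCPACK on 192.168.1.50 to 00:0c:29:aa:bb:01 via eth0
Aug 14 08:00:10 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via eth0
Aug 14 08:00:10 dhcpsrv dhcpd: DHCPOFFER on 192.168.1.51 to 00:0c:29:aa:bb:02 via eth0
Aug 14 08:00:11 dhcpsrv dhcpd: DHCPREQUEST for 192.168.1.51 from 00:0c:29:aa:bb:02 via eth0
Aug 14 08:00:11 dhcpsrv dhcpd: DHCPACK on 192.168.1.51 to 00:0c:29:aa:bb:02 via eth0
Aug 14 08:00:12 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via eth0
Aug 14 08:00:12 dhcpsrv dhcpd: DHCPOFFER on 192.168.1.52 to 00:0c:29:aa:bb:02 via eth0
Aug 14 08:00:13 dhcpsrv dhcpd: DHCPACK on 192.168.1.52 to 00:0c:29:aa:bb:02 via eth0
Aug 14 08:00:14 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via eth0
Aug 14 08:00:14 dhcpsrv dhcpd: DHCPOFFER on 192.168.1.53 to 00:0c:29:aa:bb:02 via eth0
Aug 14 08:00:15 dhcpsrv dhcpd: DHCPACK on 192.168.1.53 to 00:0c:29:aa:bb:02 via eth0
Aug 14 08:00:16 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via eth0
Aug 14 08:00:16 dhcpsrv dhcpd: DHCPOFFER on 192.168.1.50 to 00:0c:29:aa:bb:02 via eth0
"""

# Matches the four message types used above; DISCOVER lines carry no address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dhcpd:\s+"
    r"DHCP(?P<type>DISCOVER|OFFER|REQUEST|ACK)\s+"
    r"(?:on|for)?\s*(?P<ip>\d+\.\d+\.\d+\.\d+)?\s*"
    r"(?:from|to)\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_dhcp_log(text):
    """Turn syslog text into a list of {ts, type, ip, mac} events; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "type": m.group("type"),
            "ip": m.group("ip"),
            "mac": m.group("mac").lower(),
        })
    return events


def find_discover_floods(events, max_discovers=3, window_seconds=30):
    """Return {mac: peak count} for MACs that sent more than max_discovers
    DHCPDISCOVERs inside any sliding window of window_seconds (a lease request loop)."""
    by_mac = defaultdict(list)
    for e in events:
        if e["type"] == "DISCOVER":
            by_mac[e["mac"]].append(e["ts"])
    flagged = {}
    for mac, times in by_mac.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_discovers:
            flagged[mac] = peak
    return flagged


def find_address_hoarding(events, max_addresses=2):
    """Return {mac: [ips]} for MACs ACKed more than max_addresses distinct
    addresses: one host draining the pool instead of renewing the lease it has."""
    acked = defaultdict(set)
    for e in events:
        if e["type"] == "ACK" and e["ip"]:
            acked[e["mac"]].add(e["ip"])
    return {mac: sorted(ips) for mac, ips in acked.items() if len(ips) > max_addresses}


def find_conflicting_offers(events):
    """Return {ip: [macs]} for addresses offered or ACKed to more than one MAC.
    RFC 2131 says the server SHOULD probe an address (ICMP echo) before offering
    it, so a double assignment is exactly the 'conflicting IP' symptom reported."""
    holders = defaultdict(set)
    for e in events:
        if e["type"] in ("OFFER", "ACK") and e["ip"]:
            holders[e["ip"]].add(e["mac"])
    return {ip: sorted(macs) for ip, macs in holders.items() if len(macs) > 1}


if __name__ == "__main__":
    evs = parse_dhcp_log(SAMPLE_LOG)
    print("discover floods:   ", find_discover_floods(evs))
    print("address hoarding:  ", find_address_hoarding(evs))
    print("conflicting offers:", find_conflicting_offers(evs))
```

Fed the sample, the script flags `00:0c:29:aa:bb:02` both for four DISCOVERs in under 30 seconds and for holding three ACKed addresses, and flags `192.168.1.50` as offered to two different MACs. The thresholds are starting points; a real pool's size and lease time decide what counts as abnormal, and a host with two interfaces (the wired and wireless cards in the incident) will legitimately show two MACs with one address each, which none of these checks flags.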