[KLUG Members] new wireless vulnerability?

Adam Williams members@kalamazoolinux.org
Thu, 14 Aug 2003 19:12:20 -0400


> >>>>The wireless connection got an IP address from the DHCP server (Win 2k
> >>>>server) and the user didn't know it.  The user connected the wired connection
> >>>>and it got another IP address.  Because of the network bridge (I think), the
> >>>>two network cards sucked all the IP addresses out of the system and brought
> >>>>it and a related network down.
> >>>Seems unlikely, a bridge SHOULD not act that way.  There is either a problem in
> >>>their bridge support (A SHOCKING thought, I know, but a possibility nonetheless),
> >>>or someone had their configuration seriously jacked up.
> >>Whose bridge support, the client or the server?  I'm stumped how it happened in the
> >>first place.
> >I would imagine the bridge the client created,  there was no indication
> >there was a bridge present on a server anywhere.
> True, though there must be some relation between the wireless access point and the wired
> access point.  I don't know if both those devices do DHCP or just one or some other
> entity.

Most WAPs provide DHCP unless disabled.  But a wacky DHCP wouldn't take
the LAN down, it would just make it difficult/impossible for new clients
to join.

> >>>>Anyone heard of anything like this before?
> >>>No, but there are a myriad ways it can happen.  The bridge broke arp, the client
> >>>requested an IP address with the broadcast MAC, the client went into a lease
> >>>request loop, etc... All of these would require a seriously depraved network
> >>>configuration or just really really really bad software (again, SHOCKING).
> >>Could you translate "the bridge broke arp"?
> >ARP is the protocol used to map IP<->MAC so that IP packets can be
> >transmitted inside ethernet frames.  If you screw up arp you'll trash
> >the ethernet.
> New info: the computer responded that there was a problem on the network with
> conflicting IP addresses, i.e., two computers with the same IP.  What if the "conflict"
> was the same computer with the two interfaces?

I suppose it is possible, but since we can't see how the M$ DHCP client
implementation actually works...

It would be very broken for a machine to create a bridge and THEN
complain about a redundant IP - I find it hard to believe that even
Bill's QC department of slobbering-knuckle-dragging troglodytes would
let that one through.

Is it at all possible that there is a client hiding out there with a
static IP in the range that the DHCP server hands out new addresses
from?  I know - "No way!" - but are you certain?

> >You'd think that by now everyone would have rock solid
> >ARP implementations,..... but I've encountered some bad ones pretty
> >recently (most notably the Cisco 776 SOHO ISDN router).  They can either
> >transmit corrupt ARP packets (as in the 776's case), refuse to respond
> >to some ARP requests, respond to the *WRONG* ARP requests (requests
> >someone else should have responded to, had a Xyplex port server that did
> >this), etc....
> >> There was obviously some sort of lease request loop.
> >But a lease loop shouldn't be able to knock off clients that already
> >have leases.  A client possessing a lease has first dibs in keeping it,
> >and according to RFC the DHCP server is supposed to ICMP test each
> >address for actual availability before leasing it out to a client.
> I was thinking similarly, that computers that already had leases shouldn't be affected.
> But, that's not what happened, all other boxes (even on a remote network) went down.

I've seen DSL modems plugged into a LAN take the whole thing down.  They
fire up with a broadcast address and as they seek their server they
cause the LAN to "pulse" between dead and alive.  Somehow the client,
thinking it had a bad IP, was doing something similar.

It is really hard to pin down exactly what happened post-mortem and
without a packet trace.

> >>>>What would happen if a hacker connected to an available wireless network
> >>>>with -two- wireless cards installed?  Would all wireless networks be
> >>>>vulnerable to a similar scenario?
> >Technically, so are most cabled networks.  Hence the interest in
> >"certified" clients, demand for things like DNSSEC, etc...
> >>>If they operate via DHCP and there isn't anything stopping anyone from requesting IP
> >>>leases willy-nilly, they could do the above with one WIC.
> >>It seems to me that DHCP with IP leases free for the asking are the most common
> >>setup,
> >Yes.
> >>which made me wonder how vulnerable the average wireless network is to
> >>someone just driving down the street
> >Depends on a great many factors, but I'd wager the answer trends towards
> >"very".
> Do you think the network bridge is at the heart of the issue or a less-than-stable ARP
> setup?

I'd think the bridge scenario is more likely as every Win32 box on a LAN
anywhere is using ARP.

> BTW, I still don't understand why the wizard sets up a network bridge "every time."  The
> wizard was simply supposed to configure for connection to a single LAN.  What two
> entities was it thinking of bridging?

Beats me.  I don't understand the point of this behavior.  But then I
haven't researched it much either.  Pretty much toss it over into the
"M$ sucks" pile.
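The thread keeps coming back to three DHCP failure modes (a client requesting a lease with the broadcast MAC, a client stuck in a lease-request loop, and one address handed to two clients) and to the fact that none of it can be settled without a packet trace. The following is an added example, not code from the thread or from any project it mentions: a small DHCP/BOOTP decoder (fixed header and options per RFC 2131/2132) plus a checker that runs over a constructed trace and flags exactly those three conditions. The `build_dhcp`, `parse_dhcp`, `analyze` and `sample_trace` names, the loop threshold of 5 and all MAC and IP addresses are assumptions made up for the example; the packets are built inline, nothing is captured from a real network.

```python
"""
Decode DHCP (BOOTP) messages and flag the failure modes discussed in the thread:
a client requesting a lease with the broadcast MAC, a client looping on
DISCOVER/REQUEST, and one address offered/acked to two different clients.
All packets are constructed inline; this is illustrative code, not a real capture.
"""
import struct
from collections import Counter, defaultdict

MAGIC = b"\x63\x82\x53\x63"          # DHCP option magic cookie (RFC 2132)
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types
BROADCAST_MAC = b"\xff" * 6


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", requested_ip=None):
    """Build a minimal DHCP message (constructed test data, not a capture)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)   # htype=1, hlen=6
    hdr += bytes(4)                                    # ciaddr
    hdr += bytes(int(o) for o in yiaddr.split("."))    # yiaddr
    hdr += bytes(8)                                    # siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00")                   # chaddr is a 16-byte field
    hdr += bytes(64) + bytes(128)                      # sname, file
    opts = bytes([53, 1, msg_type])                    # option 53: message type
    if requested_ip:                                   # option 50: requested address
        opts += bytes([50, 4]) + bytes(int(o) for o in requested_ip.split("."))
    return hdr + MAGIC + opts + b"\xff"                # 0xff ends the option list


def parse_dhcp(data):
    """Return the fields we care about, or None if this is not a DHCP message."""
    if len(data) < 240 or data[236:240] != MAGIC:
        return None
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", data[:12])
    yiaddr = ".".join(str(b) for b in data[16:20])
    chaddr = data[28:28 + hlen]
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                               # pad option has no length
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "chaddr": chaddr, "yiaddr": yiaddr,
        "msg_type": opts.get(53, b"\x00")[0],
        "requested_ip": ".".join(str(b) for b in opts[50]) if 50 in opts else None,
    }


def analyze(packets, loop_threshold=5):
    """Flag broadcast-MAC clients, lease-request loops and duplicate offers."""
    findings = []
    requests = Counter()            # client MAC -> number of DISCOVER/REQUEST
    leases = defaultdict(set)       # offered/acked IP -> set of client MACs
    for raw in packets:
        p = parse_dhcp(raw)
        if p is None:
            continue
        mac = p["chaddr"].hex(":")
        if p["op"] == BOOTREQUEST:
            if p["chaddr"] == BROADCAST_MAC:
                findings.append(f"client requested a lease with the broadcast MAC (xid {p['xid']:#x})")
            if p["msg_type"] in (DISCOVER, REQUEST):
                requests[mac] += 1
        elif p["op"] == BOOTREPLY and p["msg_type"] in (OFFER, ACK):
            leases[p["yiaddr"]].add(mac)
    for mac, n in requests.items():
        if n >= loop_threshold:
            findings.append(f"possible lease-request loop: {mac} sent {n} DISCOVER/REQUEST messages")
    for ip, macs in leases.items():
        if len(macs) > 1:
            findings.append(f"{ip} offered to {len(macs)} different clients: {sorted(macs)}")
    return findings


def sample_trace():
    """Constructed trace: a looping client, a broadcast-MAC request, a duplicate offer."""
    looper = b"\x00\x0c\x29\x11\x22\x33"   # made-up MACs
    other = b"\x00\x0c\x29\x44\x55\x66"
    pkts = [build_dhcp(BOOTREQUEST, 0x1000 + i, looper, DISCOVER) for i in range(6)]
    pkts.append(build_dhcp(BOOTREQUEST, 0x2000, BROADCAST_MAC, REQUEST, requested_ip="192.168.1.50"))
    pkts.append(build_dhcp(BOOTREPLY, 0x1000, looper, OFFER, yiaddr="192.168.1.20"))
    pkts.append(build_dhcp(BOOTREPLY, 0x3000, other, OFFER, yiaddr="192.168.1.20"))
    return pkts


if __name__ == "__main__":
    for finding in analyze(sample_trace()):
        print(finding)
```

To use it on a real trace, feed `analyze` the UDP payloads of port 67/68 traffic from a capture taken while the problem is happening; the checks are deliberately simple (a count per MAC and a set per address), so tune `loop_threshold` to the capture window and treat a hit as a lead to look at, not proof.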