|
--------------------------------------------------------------------------
Trango Broadband Wireless
M5830 Series Rogue SU Authentication Bug
Date : 15 December, 2009
By: Blair - jediblair@gmail.com
--------------------------------------------------------------------------
Background
----------
Trango Broadband (www.trangobroadband.com) produce a line of unlicensed
5.3/5.8 Ghz point-to-multipoint broadband wireless radios which are used
by many wireless ISPs around the world to provide internet and private
office services to hard-to-reach customers.
Currently there is a flaw in the authentication mechanism of these radios
which, if an attacker knows some details, can allow interception of
ethernet packets broadcast from the Access Point to the Subscriber Unit
and potentially allows injection into the communication from the Subscriber Unit
to the Access Point.
There are two parts to the 5830 series radio system, an Access Point, and
a Subscriber Unit. Access Points are generally deployed at a radio tower
or smaller repeater sites, and the Subscriber Units on a clients building.
The radios are designed to be mounted externally, and have a single
ethernet feed and integrated antenna.
These radios are straight ethernet bridges, there is no routing
functionality built in to the radio software which adds to the ease of
exploitation.
This attack focuses on the Subscriber Unit (SU) end, however, if one knows
the correct information, one could potentially configure a rogue Access
Point and MiTM a target as well, though this is not the topic of this
advisory.
The Problem
-----------
The Access5830 series of radios contains a flaw in the authentication of
subscriber units. This flaw has been fixed with the 900Mhz and 2.4Ghz
products, whereby the APID and SUID system has changed significantly,
and the SU units are assigned an ID when they connect, only if their
MAC is in the SUDB. Trango has neglected to bring this functionality
to the older 5800 series radios, nor have they introduced new hardware
implementing this functionality in the 5.8Ghz spectrum.
When a new subscriber is added, the MAC address of their SU device is
entered into the Subscriber Database (SUDB) on the Access Point, and they
are assigned an arbitrary numeric Subscriber ID or SUID in the range of
1-8190 by the Administrator. This SUID is configured on the SU device,
along with the APID and BaseID of the Access Point. For most situations,
the APID and BaseID are the same.
The bug lies in the synchronization of any SU in the SUDB by the AP.
Once an SU has been synchronized to the AP with the correct MAC
address, any further attempts by another SU of the same SUID but with
a different MAC address to synchronize will succeed.
When configuring and mounting an SU, you can do a frequency scan (site
survey) from the unit, which will display the available access points
in the area, along with their APID and BaseID - this is the information
you will need to exploit the Trango network in the area.
The Exploit
-----------
To carry out this exploit you need to have an SU which is capable of
connecting to the 5800 or 5830 AP. This would generally be a 5800 or
5830 SU-I or SU-EXT, or one of the smaller FOX 5800 SU, or the newer FOX
5580M-FSU - these can be found readily either buying direct from Trango,
or from a number of wireless systems resellers. Probably good if this is
the same type of unit as the target, though not required.
The information you need to enter into the SU is based on whatever you
have found via the site survey information - apsearch and survey commands
on the radio's CLI. The full command listing and user guide can be
downloaded from the Trango website.
To carry out the attack, you would need to find line-of-sight and have
good signal strength (between -40 and -80 dBm) to the target AP, and
have knowledge of an SUID which is already connected, or try random
numbers until you find one which works - most providers have quite a
number of subscribers per AP so this should not be hard. Many providers
will physically mark their SUs with the SUID and APID with a permanant
marker, so if you have physical access to a connected SU, finding this
information is probably trivial.
Once you have configured the SU with the BaseID, APID and SUID and
verified signal strength, you simply turn opmode on, and your rogue SU
will authenticate, regardless if it's MAC is in the SUDB or not.
Once synchronized, you will start to receive traffic to the ethernet
port of the radio as if it was the target unit. Because the unit is a
simple bridge, you can look at this traffic with a packet capture utility
such as wireshark or tcpdump. Depending on signal strength, the target may
or may not notice any loss of service or packet loss. It may be possible
to inject packets to the network from a computer behind the rogue SUID,
depending on the configuration of the switching and/or routing at the far
end.
Vendor Response
---------------
I contacted Trango to advise them of this problem several years ago and
they stated that they were not interested in providing a fix, as it would
require a major rewrite of their software to implement. I believe enough
time has passed for them to have reasonably fixed the problem, and they
have not. So, here it is, public disclosure. Shame on you Trango, you've
let all your customers down.
- Blair