
Linksys WET11 crash


enZo Notice
Date: 24/10/02
Product: Linksys WET11 (Wireless Bridge)
Mentioned By: netmask
Firmware Versions: 1.3.2, 1.3.1
Advisory Url: http://www.enZotech.net/advisories/linksys.wet11.txt
Problem: Linksys WET11 crashes when sent an ethernet frame from its own MAC address
Risk: To each his own.. But we say low.. It's just a DoS. Hell,
      speaking on 802.11 security, this may actually be a positive impact
      vulnerability, and increase your security =)



                                    ZZZZZZZZZZZZZZZZZZZ
                                    Z:::::::::::::::::Z
                  nnnn  nnnnnnnn    Z:::::::::::::::::Z   ooooooooooo
                  n:::nn::::::::nn  Z:::ZZZZZZZ::::::Z  oo:::::::::::oo
     eeeeeeeeeee  n::::::::::::::nn ZZZZZ  * Z::::::Z  o:::::::::::::::o
   ee:::::::::::eenn:::::::::::::::n      2 Z:::::Z    o:::::ooooo:::::o
  e:::::::::::::::een:::::nnnn:::::n     0 Z:::::Z     o::::o     o::::o
 e::::::eeeee::::::en::::n    n::::n    0 Z:::::Z      o::::o     o::::o
 e:::::e     e:::::en::::n    n::::n   2 Z:::::Z       o::::o     o::::o
 e::::::eeeee::::::en::::n    n::::n  * Z:::::Z        o::::o     o::::o
 e::::::::::::::::e n::::n    n::::n   Z:::::Z         o:::::ooooo:::::o
 e:::::eeeeeeeeeee  n::::n    n::::nZZZ:::::Z     ZZZZZo:::::::::::::::o
 e::::::e           n::::n    n::::nZ::::::ZZZZZZZZ:::Z oo:::::::::::oo
 e:::::::e          nnnnnn    nnnnnnZ:::::::::::::::::Z   ooooooooooo
  e:::::::eeeeeeeeee                Z:::::::::::::::::Z
   ee::::::::::::::e                ZZZZZZZZZZZZZZZZZZZ
    ee:::::::::::::e             \... www.enZotech.net .../
     eeeeeeeeeeeeee

                           The above is radical ascii art..
                              Yet again.. The Below is a lame Discovery.





*** Product information:

The Linksys WET11 is an Ethernet to 802.11b bridge. It can bridge a single
host, or an entire network (up to 50 machines). If you are in a situation
where wireless is appropriate for you, these can be handy devices. Whether
it's just hooking up your PS2 or Xbox to the LAN, or letting your neighbor
connect his entire network to yours, this device will let you do it. It's
a small device, the size of a 1991-style Walkman, with a detachable SMC
antenna. Web-based configuration, supporting 64/128-bit WEP, ad-hoc or
infrastructure mode, modifiable transmission rates, DHCP client for the unit
IP, and a few more features.

Overall, for a price of $100, this device is fairly neat for those who are
willing to have 802.11 on their network.. Or, to stick your neighbor or
Xbox/PS2 in your DMZ. I'm really not interested in going over the "802.11
can't be secured" discussion, that's not the point here. However, one
other nice feature to mention.. is the device's usefulness in a war driving
situation. If you have 1 Cisco 350 card, and 1 15dB antenna.. but four
people.. this $100 device could save quite a bit of money, and let
everyone get the benefits of your single antenna. When Kismet picks up a
network, you quickly reconfigure your unit to sit on it, allowing everyone
in the van to use regular ethernet cards; you move the antenna over to the
unit, and everyone is set. While we don't condone accessing networks that
are not your own, if you were to do such a thing, you should keep in mind
you can NOT change the MAC address on this device, and you may end up leaving
your device's MAC address in logs around the area, which could incriminate
you later when federal officers are doing their jobs, and kick in your
door.



*** Data:

When configuring a WET11, you have to run their Windows application to do
the initial configuration, which is done entirely by UDP
broadcasting. The first thing the software does is probe for devices on
the network by broadcasting to port 4000 of 255.255.255.255:

Packet Analysis (This is really unrelated to the problem,
                 I just thought I'd include it out of boredom)


Probe Packet:
<UDP headers snipped>
16 bytes:

87 65 43 21 11 00 00 01  /* This data isn't clear.. Everything but the 6th byte
                            is identical to the first 8 bytes of the response
                            packet */
a0 00 0d c9 e7 7c        /* MAC Address of your machine */
00 00                    /* NUL */


Response Packet:
<UDP headers snipped>
120 bytes:

87 65 43 21 11 10 00 01  /* Everything but the 6th byte is the same as the
                            first 8 in the Probe packet */
a0 00 0d c9 e7 7c        /* MAC address of the requesting machine */
00 06 25 02 e4 71        /* MAC address of the WET11 */
45 53 33 30 30 62        /* Ascii: ES300b */
00                       /* NUL */
10 6c 69 6e 6b 73 79 73  /* Ascii: linksys */
00 00 00 00 00 00 00 00  /* NUL  */
00 00 00 00 00 00 00 00  /* NUL  */
00 00 00 00 00 00 00 00  /* NUL  */
00 00                    /* NUL  */
06 10 0e c0 a8 01 e1     /* unknown data, can be removed */

4c 69 6e 6b 73 79 73 20 57 45 54 31 31 /* SSID of unit, Default is
                                          "Linksys WET11"  */

00 00 00 00 00 00 00 00  /* NUL */
00 00 00 00 00 00 00 00  /* NUL */
00 00 00 00              /* NUL */
ff ff ff 00              /* Netmask 255.255.255.0 */
c0 a8 01 01              /* 192.168.1.1  (Default gw. The
                            unit default IP is 192.168.1.225) */
a6 e7 94 7f 8c 4b 9a ec  /* This data changes on every response.. */
a5 13 87                 /* This data changes on every response.. */
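A parser for the discovery response laid out above, written here as an added example (not enZo's code or Linksys software). The field offsets follow the dump; treating the 13-byte SSID together with the 20 NUL bytes after it as one NUL-padded 33-byte field, and the 6th header byte as the probe/response marker, are assumptions. The sample bytes are constructed from the values in the dump.

```python
from dataclasses import dataclass

# Constructed 120-byte response; byte values copied from the advisory's dump.
SAMPLE_RESPONSE = bytes.fromhex("".join([
    "8765432111100001",             # 8-byte header; 6th byte 0x10 in responses
    "a0000dc9e77c",                 # MAC of the requesting machine
    "00062502e471",                 # MAC of the WET11
    "455333303062", "00",           # "ES300b", NUL
    "106c696e6b737973", "00" * 26,  # 0x10 "linksys", NUL padding
    "06100ec0a801e1",               # 7 bytes the advisory could not identify
    "4c696e6b737973205745543131", "00" * 20,  # SSID "Linksys WET11", padding
    "ffffff00", "c0a80101",         # netmask, default gateway
    "a6e7947f8c4b9aeca51387",       # 11 bytes that change on every response
]))

PROBE_HEADER = bytes.fromhex("8765432111000001")     # 6th byte 0x00
RESPONSE_HEADER = bytes.fromhex("8765432111100001")  # 6th byte 0x10

@dataclass
class Wet11Response:
    requester_mac: str
    unit_mac: str
    model: str
    ssid: str
    netmask: str
    gateway: str

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def is_probe(pkt: bytes) -> bool:
    """True for the 16-byte probe the Windows tool broadcasts to UDP/4000."""
    return len(pkt) == 16 and pkt[:8] == PROBE_HEADER

def parse_response(pkt: bytes) -> Wet11Response:
    """Split a UDP/4000 discovery response into its fields (offsets from the dump)."""
    if len(pkt) != 120 or pkt[:8] != RESPONSE_HEADER:
        raise ValueError("not a WET11 discovery response")
    ssid_field = pkt[68:101]                     # assumed NUL-padded SSID field
    return Wet11Response(
        requester_mac=_mac(pkt[8:14]),
        unit_mac=_mac(pkt[14:20]),
        model=pkt[20:26].decode("ascii"),
        ssid=ssid_field.split(b"\x00", 1)[0].decode("ascii"),
        netmask=_ip(pkt[101:105]),
        gateway=_ip(pkt[105:109]),
    )
```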


If you replay the response packet to the broadcast (or modify the
destination address in the header to the actual unit IP)... the unit crashes
right away.. Stops responding completely. At this point you have to hard
power-cycle the unit.

You don't really have to replay the packet, it's just an easy way of doing
it.. The actual problem is the unit doesn't know what to do when the source
MAC in the DLC header is the same as its own. Really all you have to
do is forge a packet to a broadcast address, or directly to the unit,
using its MAC in the ethernet frame, and the unit will crash. You don't have
to hit it on an open port (udp 4000, tcp 80). You just have to use
its MAC in your header, and send that packet direct or broadcast. We only
tested with UDP.
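Since the crash condition is purely "source MAC equals the bridge's own MAC", a wired-side tap can flag such frames. The following detection check is an added example, not part of the advisory; the inventoried bridge MAC and the constructed sample frames use the MAC values from the dump above.

```python
# Inventoried WET11 MAC addresses on this segment (from the dump above).
WET11_MACS = {"00:06:25:02:e4:71"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def self_sourced_frame_alert(frame: bytes, bridge_macs=WET11_MACS):
    """Return an alert string if an Ethernet frame carries a bridge's own MAC
    as source and is addressed to that bridge or to broadcast, else None."""
    if len(frame) < 14:                      # not even an Ethernet header
        return None
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    ethertype = int.from_bytes(frame[12:14], "big")
    if src not in bridge_macs:
        return None
    if dst == src:
        # A host never sends to its own MAC; this is the "direct to unit" case.
        return f"frame from {src} addressed to itself (ethertype 0x{ethertype:04x})"
    if dst == BROADCAST:
        # The unit's own ARP requests also look like this on the wire, so a
        # broadcast hit is a review hint rather than a verdict.
        return f"broadcast frame claiming bridge source {src} (ethertype 0x{ethertype:04x})"
    return None

def _frame(dst_hex: str, src_hex: str, ethertype: int = 0x0800) -> bytes:
    """Constructed sample frame: 14-byte header plus 46 bytes of padding."""
    return bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) \
        + ethertype.to_bytes(2, "big") + b"\x00" * 46

UNIT, HOST = "00062502e471", "a0000dc9e77c"
SAMPLE_FRAMES = {
    "unit_answers_probe": _frame(HOST, UNIT),      # legitimate reply, not flagged
    "sourced_to_itself": _frame(UNIT, UNIT),       # the crash condition, flagged
    "sourced_to_broadcast": _frame("ffffffffffff", UNIT),  # flagged for review
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, "->", self_sourced_frame_alert(frame))
```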


*** Exploiting:

As it says above, forge its MAC in the DLC header, and hit it
with a packet, and it's gone. Over the weekend we'll toss up a
configuration application for the device that lets you do the same
thing the Windows software does, and may just include the option in
there. Look for it at http://www.enZotech.net/


*** Solution:

Wait for Linksys to release a firmware upgrade. Or maybe they won't
see this as a problem.


*** Workaround:

Unplug your unit.. We guess. Or more likely, don't be bothered
by this.. Because really, who cares?

*** Initial Report Information:

Advanced notice wasn't given because this bug wasn't determined to be very
critical. These devices are fairly new, and the chance of attack isn't that
great. Further, we didn't bother because in the past, Linksys hasn't bothered
to respond to security problems.

*** Miscellaneous:

It is also recommended to disable the "Allow Upgrade Uploads" option,
under the Admin tab in the web configuration. This is on by default. While
there were no security issues found in this feature, it does open up tftp
on the device when enabled, so you might as well disable it.




netmask of enZo
http://www.enZotech.net

