From: netmask (netmask_at_enZotech.net)
Date: Fri Oct 25 2002 - 03:11:11 CDT


    enZo Notice
    Date: 24/10/02
    Product: Linksys WET11 (Wireless Bridge)
    Mentioned By: netmask
    Firmware Versions: 1.3.2, 1.3.1
    Advisory Url: http://www.enZotech.net/advisories/linksys.wet11.txt
    Problem: Linksys WET11 crashes when sent an ethernet frame from its own MAC address
    Risk: To each his own.. But we say low.. It's just a DoS. Hell,
          speaking on 802.11 security, this may actually be a positive impact
          vulnerability, and increase your security =)

    [enZo ASCII-art banner: "enZo", "* 2002 *", with the footer line below]
    \... www.enZotech.net .../

                               The above is radical ascii art..
                                  Yet again.. The Below is a lame Discovery.

    *** Product information:

    The Linksys WET11 is an Ethernet to 802.11b bridge. It can bridge a single
    host, or an entire network (up to 50 machines). If you are in a situation
    where wireless is appropriate for you, these can be handy devices. Whether
    it's just hooking up your PS2 or Xbox to the LAN, or letting your neighbor
    connect his entire network to yours, this device will let you do it. It's
    a small device, the size of a 1991-style Walkman, with a detachable SMC
    antenna. Web-based configuration, supporting 64/128-bit WEP, ad-hoc or
    infrastructure mode, modifiable transmission rates, a DHCP client for the
    unit IP, and a few more features.

    Overall, for a price of $100, this device is fairly neat for those who are
    willing to have 802.11 on their network.. Or, to stick your neighbor or
    xbox/PS2 in your DMZ. I'm really not interested in going over the "802.11
    can't be secured" discussion, that's not the point here. However, one
    other nice feature to mention.. is the device's usefulness in a war driving
    situation. If you have 1 Cisco 350 card, and 1 15dB antenna.. But four
    people.. This $100 device could save quite a bit of money, and let
    everyone get the benefits of your single antenna. When Kismet picks up a
    network, you quickly reconfigure your unit to sit on it, allowing everyone
    in the van to use regular ethernet cards; you move the antenna over to the
    unit, and everyone is set. While we don't condone accessing networks that
    are not your own, if you were to do such a thing, you should keep in mind
    you can NOT change the MAC address on this device, and you may end up leaving
    your device's MAC address in logs around the area, which could incriminate
    you later when federal officers are doing their jobs, and kick in your

    *** Data:

    When configuring a WET11, you have to run their Windows application to do
    the initial configuration, which is done entirely by UDP broadcast. The
    first thing the software does is probe for devices on the network by
    broadcasting to port 4000 of

    Packet Analysis (This is really unrelated to the problem,
                     I just thought I'd include it out of boredom)

    Probe Packet:
    <UDP headers snipped>
    16 bytes:

    87 65 43 21 11 00 00 01 /* This data isn't clear.. Everything but the 6th byte
                                is identical to the first 8 bytes of the response
                                packet */
    a0 00 0d c9 e7 7c /* MAC Address of your machine */
    00 00 /* NUL */

    Response Packet:
    <UDP headers snipped>
    120 bytes:

    87 65 43 21 11 10 00 01 /* Everything but the 6th byte is the same as the
                                first 8 in the Probe packet */
    a0 00 0d c9 e7 7c /* MAC address of the requesting machine */
    00 06 25 02 e4 71 /* MAC address of the WET11 */
    45 53 33 30 30 62 /* Ascii: ES300b */
    00 /* NUL */
    10 6c 69 6e 6b 73 79 73 /* Ascii: linksys */
    00 00 00 00 00 00 00 00 /* NUL */
    00 00 00 00 00 00 00 00 /* NUL */
    00 00 00 00 00 00 00 00 /* NUL */
    00 00 /* NUL */
    06 10 0e c0 a8 01 e1 /* unknown data, can be removed */

    4c 69 6e 6b 73 79 73 20 57 45 54 31 31 /* SSID of unit, Default is
                                              "Linksys WET11" */

    00 00 00 00 00 00 00 00 /* NUL */
    00 00 00 00 00 00 00 00 /* NUL */
    00 00 00 00 /* NUL */
    ff ff ff 00 /* Netmask */
    c0 a8 01 01 /* (Default gw. The
                                unit default IP is */
    a6 e7 94 7f 8c 4b 9a ec /* This data changes on every response.. */
    a5 13 87 /* This data changes on every response.. */
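    The probe and response layouts above, turned into a small parser so the
    fields can be pulled out of a captured UDP/4000 datagram. This is an added
    example, not code from the advisory or from enZo or Linksys: the offsets
    follow the byte listing exactly, but the field names are ours, and treating
    byte 5 as a probe/response flag and decoding the tail of the 7-byte
    "unknown" region as an IPv4 address are assumptions. The sample datagrams
    are constructed from the bytes listed above.

```python
# The first five bytes are shared by probe and response in the listing above;
# byte 5 differs (0x00 in the probe, 0x10 in the response). Reading it as a
# direction flag is an assumption made for this example.
MAGIC = bytes.fromhex("8765432111")
RESPONSE_LEN = 120


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field, dropping everything after the first NUL."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_wet11_discovery(pkt: bytes) -> dict:
    """Parse a WET11 discovery probe or response payload (UDP payload only).

    Offsets follow the advisory's byte listing; field names are ours.
    """
    if len(pkt) < 14 or not pkt.startswith(MAGIC):
        raise ValueError("not a WET11 discovery datagram")
    flag = pkt[5]
    kind = {0x00: "probe", 0x10: "response"}.get(flag, f"unknown(0x{flag:02x})")
    out = {"kind": kind, "requester_mac": fmt_mac(pkt[8:14])}
    if kind != "response":
        return out
    if len(pkt) < RESPONSE_LEN:
        raise ValueError(f"short response: {len(pkt)} bytes, expected {RESPONSE_LEN}")
    out.update({
        "unit_mac": fmt_mac(pkt[14:20]),
        "model": cstr(pkt[20:27]),          # "ES300b" followed by a NUL
        "name": cstr(pkt[28:61]),           # "linksys" after an unexplained 0x10 byte
        "unknown7": pkt[61:68].hex(),       # the advisory calls this region unknown
        # Assumption: its last four bytes (c0 a8 01 e1) are laid out like an
        # IPv4 address; the advisory does not say what they are.
        "ipv4_in_unknown": fmt_ip(pkt[64:68]),
        "ssid": cstr(pkt[68:101]),          # NUL-padded, "Linksys WET11" by default
        "netmask": fmt_ip(pkt[101:105]),
        "gateway": fmt_ip(pkt[105:109]),
        "trailer": pkt[109:120].hex(),      # changes on every response
    })
    return out


# Constructed samples: the 16-byte probe and the 120-byte response exactly as
# listed in the advisory (the trailer bytes vary per response).
SAMPLE_PROBE = bytes.fromhex("8765432111000001" "a0000dc9e77c" "0000")
SAMPLE_RESPONSE = (
    bytes.fromhex("8765432111100001")           # header, byte 5 = 0x10
    + bytes.fromhex("a0000dc9e77c")             # MAC of the requesting machine
    + bytes.fromhex("00062502e471")             # MAC of the WET11
    + b"ES300b" + b"\x00"
    + b"\x10linksys"
    + b"\x00" * 26
    + bytes.fromhex("06100ec0a801e1")           # unknown 7 bytes
    + b"Linksys WET11" + b"\x00" * 20           # SSID
    + bytes.fromhex("ffffff00")                 # netmask
    + bytes.fromhex("c0a80101")                 # default gateway
    + bytes.fromhex("a6e7947f8c4b9aeca51387")   # varies per response
)
assert len(SAMPLE_RESPONSE) == RESPONSE_LEN

if __name__ == "__main__":
    for name, pkt in (("probe", SAMPLE_PROBE), ("response", SAMPLE_RESPONSE)):
        print(name)
        for k, v in parse_wet11_discovery(pkt).items():
            print(f"  {k:16} {v}")
```

    Feeding it a real capture means stripping the Ethernet, IP and UDP headers
    first (the listing above already has them snipped); anything that does not
    start with the five-byte prefix is rejected rather than guessed at.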

    If you replay the response packet to the broadcast (Or modify the
    Destination address in the header to the actual unit IP)... The unit crashes
    right away.. Stops responding completely. At this point you have to hard
    cycle the unit.

    You don't really have to replay the packet, it's just an easy way of doing
    it.. The actual problem is the unit doesn't know what to do when the source
    MAC in the DLC header is the same as its own. Really all you have to
    do is forge a packet to a broadcast address, or directly to the unit,
    using its MAC in the ethernet frame, and the unit will crash. You don't have
    to hit it on an open port (udp 4000, tcp 80). You just have to use
    its MAC in your header, and send that packet direct or broadcast. We only
    tested with UDP.
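    From the monitoring side, the condition described above (a frame on the
    wired segment whose source MAC is the bridge's own, but which did not come
    from the bridge) is something a switch port-security feature or a capture
    on the wired segment can flag. The check below is an added example, not
    enZo's or Linksys's code. It assumes the monitoring point knows which
    switch port each protected bridge is attached to; the bridge and host MACs
    are the ones from the packet listing above, the port names and frames are
    constructed. Note that source MAC alone is not a signal, since a bridge
    legitimately broadcasts ARP and DHCP from its own MAC; the check keys on
    the frame being self-addressed or arriving on the wrong port.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETH_HDR = struct.Struct("!6s6sH")   # Ethernet II header: dst, src, ethertype
BROADCAST = b"\xff" * 6


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class Sighting:
    ingress_port: str   # switch port or capture interface the frame arrived on
    frame: bytes        # raw Ethernet frame, header plus payload


def check_frame(s: Sighting, bridge_macs: set, port_table: dict) -> Optional[str]:
    """Return an alert for a frame that carries a protected bridge's MAC as its
    source but cannot have come from that bridge; None when nothing is wrong."""
    if len(s.frame) < ETH_HDR.size:
        return f"runt frame on {s.ingress_port}"
    dst, src, ethertype = ETH_HDR.unpack_from(s.frame)
    if src not in bridge_macs:
        return None                                   # not a device we protect
    if dst == src:
        # A device never sends a unicast frame to its own address.
        return (f"{fmt_mac(src)} addressed to itself on {s.ingress_port} "
                f"(ethertype 0x{ethertype:04x})")
    home = port_table.get(src)
    if home is not None and s.ingress_port != home:
        where = "broadcast" if dst == BROADCAST else fmt_mac(dst)
        return (f"{fmt_mac(src)} sourced from {s.ingress_port}, but that bridge "
                f"is on {home} (dst {where})")
    return None                                       # the bridge's own traffic


def scan(sightings, bridge_macs: set, port_table: dict):
    """Run check_frame over a list of sightings; return (index, alert) pairs."""
    alerts = []
    for i, s in enumerate(sightings):
        alert = check_frame(s, bridge_macs, port_table)
        if alert:
            alerts.append((i, alert))
    return alerts


# Constructed sample: one WET11 (MAC from the advisory's response packet) known
# to sit on switch port gi0/1, and a wired host on gi0/5. Port names are made up.
BRIDGE = mac("00:06:25:02:e4:71")
HOST = mac("a0:00:0d:c9:e7:7c")
PORT_TABLE = {BRIDGE: "gi0/1"}

SAMPLE = [
    Sighting("gi0/1", ETH_HDR.pack(BROADCAST, BRIDGE, 0x0806) + b"\x00" * 28),  # bridge's own ARP
    Sighting("gi0/5", ETH_HDR.pack(BRIDGE, HOST, 0x0800) + b"\x00" * 46),       # host -> bridge
    Sighting("gi0/5", ETH_HDR.pack(BROADCAST, BRIDGE, 0x0800) + b"\x00" * 46),  # bridge MAC from the wrong port
    Sighting("gi0/5", ETH_HDR.pack(BRIDGE, BRIDGE, 0x0800) + b"\x00" * 46),     # self-addressed
]

if __name__ == "__main__":
    for i, alert in scan(SAMPLE, {BRIDGE}, PORT_TABLE):
        print(f"frame {i}: {alert}")
```

    On a managed switch the same effect comes from binding the bridge's MAC to
    its port (port security or a static MAC entry), which drops the frame before
    it reaches the unit; the function above is the equivalent check for a
    passive capture.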

    *** Exploiting:

    As it says above, forge its MAC in the DLC header, and hit it
    with a packet, and it's gone. Over the weekend we'll toss up a
    configuration application for the device that lets you do the same
    thing the Windows software does, and may just include the option in
    there. Look for it at http://www.enZotech.net/

    *** Solution:

    Wait for Linksys to release a firmware upgrade. Or maybe they won't
    see this as a problem.

    *** Workaround:

    Unplug your unit.. We guess. Or more likely, don't be bothered
    by this.. Because really, who cares?

    *** Initial Report Information:

    Advanced notice wasn't given because this bug wasn't determined to be very
    critical. These devices are fairly new, and the chance of attack isn't that
    great. Further, we didn't bother because in the past, Linksys hasn't bothered
    to respond to security problems.

    *** Miscellaneous:

    It is also recommended to disable the "Allow Upgrade Uploads" option,
    under the Admin tab in the web configuration. This is on by default. While
    there were no security issues found in this feature, it does open up tftp
    on the device when enabled, so you might as well disable it.

    netmask of enZo