-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake, Inc. www.atstake.com Security Advisory Advisory Name: Multiple Red-M 1050 Blue Tooth Access Point Vulnerabilities Issues: Red-M 1050 Access Point Management Web Server DoS Red-M 1050 Access Point Case Insensitive Passwords Red-M 1050 Access Point TFTP Server Based Password Attack Red-M 1050 Access Point Management Session State Storage Red-M 1050 Access Point Device Existence Broadcast Red-M 1050 Access Point PPP Denial of Service Release Date: 06/05/2002 Application: Red-M 1050AP (Bluetooth Access Point) 1050AP boot v01.03.16 1050AP loader v02.01.26 1050AP software v02.00.26 Platform: Red-M 1050AP 1050AP basecard v00.00.01 Severity: An attacker is able to disable the administration web server, crack the administration password via tftp (UDP), piggyback authorised administration connections when proxied, NAT addresses are in use and locate device on network without requiring to scan the network to locate it. Author: Ollie Whitehouse [ollie@atstake.com] Vendor Status: Alerted (Response below) CVE Candidate: CAN-2002-0393 CAN-2002-0394 CAN-2002-0395 CAN-2002-0396 CAN-2002-0397 CAN-2002-0398 Reference: www.atstake.com/research/advisories/2002/a060502-1.txt Overview: Red-M's (http://www.red-m.com) 1050AP (Bluetooth Access Point) is the device which exists between legacy Ethernet networks and Bluetooth 1.0/1.1 compatible devices looking to obtain IP network access. Red-M's device is currently the only device which supports piconet (multiple Bluetooth clients to one access point). There exists a number of vulnerabilities which are outlined below that could enable an attacker on the wired/wireless side of the device to mount an attack against the device in an attempt to locate the device, cause loss of administration functionality or compromise the administration interface. [1] Red-M 1050 Access Point Management Web Server DoS The 1050AP device provides a web based management interface to allow configuration of the device. This web based management system has no concept of authorised or unauthorised hosts and is simply protected by a password over an unencrypted connection. There exists a vulnerability in web server that runs on the 1050AP that potentially allows an attacker to disable the web server completely until the device is restarted (physically). [2] Red-M 1050 Access Point Case Insensitive passwords Another vulnerability which exists in the AP is that the administration password is not case sensitive. This combined with the fact that the maximum password length is 16 chars (documented) and can only be a-z, 0-9 (@stake testing) greatly reduces the number of passwords which can be used and thus reduces cracking time. [3] Red-M 1050 Access Point TFTP Sever Based Password Attack In addition the AP provides a tftp server for configuration backups and firmware updates, however this tftp server can not be disabled and can be used by an attacker to crack the administration password using a UDP based attack. This combined with the above can provide an effective way of cracking the administration password in good time by either dictionary or brute force methods. [4] Red-M 1050 Access Point Management Session State Storage Their exists another vulnerability within the administration web interface. When you login with the admin password to the web interface no cookie, session ID or basic authentication data is passed. No data is passed from either the client to server or server to the client in response to maintain state of the current session. The server simply remembers that your IP successfully logged in until the session expires and/or you click the logout button. This method of maintaining state suffers from a number of attacks: I) You connect to the device via a proxy then any user who uses the same proxy can connect to the admin interface already authenticated. II) You connect to the device via a firewall which does NAT/PAT then, as above, anyone who is NAT'd behind the same IP can get access to the admin interface. III) A number of other IP/Layer2 based attacks for traffic redireciton or forged packets. This combined with the fact that when changing the adminsitration password it does not ask for the current password means that an Administrator can effectivly be locked out of the device by an attacker sucessfully exploiting this vulnerability. [5] Red-M 1050 Access Point Device Existence Broadcast The device broadcasts its name via UDP to the broadcast address (255.255.255.255). So to detect a Red-M AP active on the network simply listen on port 8887 on UDP and every minute or so a broadcast will occur which delivers the following informaiton: the AP's current name, IP address, netmask, serial number and aerial address. [6] Red-M 1050 Access Point PPP Denial of Service Finally it is possible for an attacker who is bonded to cause a denial of service within the AP. Each attempt to connect thereafter will not work, simply generating an error of 'Unable to establish a connection' within the Microsoft dial-up connection dialog box. Details: It should be noted that although a number of issues are listed as DoS-only, this is only limited by the fact that during the assessment of the device @stake was unable to gain access to the debugging interface to enable the successfull exploitation of the vulnerabilities (be they buffer or heap overflows). [1] Red-M 1050 Access Point Management Web Server DoS Connect to the web interface and enter a long string for the administration password. Click 'OK'. You will get a connect error on the page re-fresh and the web server will be dead until you power down the device and restart it physically. [2] Red-M 1050 Access Point Case Insensitive passwords The same file was requested twice using the different cases. In each case the same file was returned. This can also be demonstrated within the web interface by attempting to log-in with either the real password or a the same password but using a different case (e.g. AbCdEf instead of abcdef). C:\>tftp -i 192.168.1.253 get FLASH_Database-abcdef Transfer successful: 381 bytes in 2 seconds, 190 bytes/s C:\>tftp -i 192.168.1.253 get FLASH_Database-AbCdEf FLASH_Second Transfer successful: 381 bytes in 3 seconds, 127 bytes/s C:\>fc FLASH_Database-abcdef FLASH_Second Comparing files FLASH_Database-abcdef and FLASG_Second FC: no differences encountered [3] Red-M 1050 Access Point TFTP Sever Based Password Attack Simply execute the following command replacing the tag with the attempted password. tftp -i 192.168.1.1 get FLASH_Database- [4] Red-M 1050 Access Point Management Session State Storage A simple way to demonstrate this vulnerability is to use one browser (such as IE) and authenticate with the management interface. Then load a different browser (such as Netscape) and then type in the address of the AP. You will be presented with the pre-authenicated administrative interface on the AP. [5] Red-M 1050 Access Point Device Existence Broadcast Use a tool such as netcat to listen on port UDP/8887 (i.e. nc -u -L -p 8887 -o output). Every 30 seconds a new entry will be made in the log file similar to the one below: < 00000000 2c 01 be ba c0 a8 01 fd ff ff ff 00 00 02 81 64 # &....2.........d < 00000010 00 56 02 06 08 01 00 00 00 0d 01 57 6f 6c 6c 79 # .V.........Wolly < 00000020 57 6f 72 6c 64 00 # World. A break down of the packet is as follows: [bytes 1] Length of data segment of packet [bytes 2 to 4] Unknown [bytes 5 to 8] IP address of device [bytes 9 to 12] Subnet mask of device [bytes 13 to 15] Serial Number* [bytes 16 to 18] Bluetooth Address* [byte 19] Is the device configured (01 = no / 02 = yes) [bytes 20 to 27] Unknown [bytes 28 to LEN-1] Access point name The above packet is how Red-M's own set up program knows of the AP's existence on the network. * [bytes 13 to 18] the aerial address [6] Red-M 1050 Access Point PPP Denial of Service Bond and then connect with the AP. When prompted for the PPP username for the link enter a very long username. Recommendation: Upgrade your firmware to the latest release. In addition follow the steps outlined below to mitigate the current design vulnerabilities. Typically wireless access points to the network should be considered hostile networks. In the case of the above vulnerabilities a packet filtering device should be placed between the Ethernet interface of the AP and the corporate network restricting the types of traffic and from which hosts communication destined for the AP can come from. However this will still expose the device to attacks from the wireless site of the device. To mitigate against these attacks ensure good username and password policies are in place. However, consider the limitations of the username and passwords in the 1050AP. Strong passwords may not be possible. From @stake's testing, username and passwords can only be [a-z] and [0-9] within the device's PPP authentication mechanism. The 1050AP does provide a number of other mechanisms to protect against being discovered and to protect against automatic connections. For details of these please refer to the vendors documentation. It is @stake's recommendation that the following options are used: [Option] [Suggested Setting] Authentication: Authentication with bonding Force encryption: Check box Accessibility mode: Connectable and non discoverable PPP authentication: Check box Automatically authorize: Uncheck box Vendor Response: Red-M was initially notified of these vulnerabilities between August and November, 2001. It should be noted the DoS attacks have been resolved in the latest release of the firmware available from the Red-M website: http://www.red-m.com/Products/Downloads/freefiles/1050AP_2_02_10.zip The remaining design issues are due to be resolved in a firmware release planned for August, 2002. The following response was received from Red-M via email. "We continue to see the principle new threat introduced by the addition of a wireless access point as being from outside that network, over the wireless(Bluetooth) interface, or an external connection to the wired network (typically the Internet). This is continuously re-enforced by the customer feedback we receive. We believe that your draft advisory does not demonstrate a practical vulnerability over the *wireless* interface, as the 1050AP's wireless security mechanisms (Bluetooth security) has not been shown to be vulnerable. The vulnerabilities that you have identified require that 1050AP is installed in an environment where the corporate security policy allows such attacks to be mounted on the wired side of the Access Point. The current design philosophy for the 1050AP is that it would be used on a corporate network already secured by implementation of a corporate security policy. This should mitigate the risk of attacks from the wired network. We have thus concentrated on meeting the customer requirement of securing access to the wired network from the wireless side by, for example, rogue Bluetooth devices. However, we also realise that a level of security is required to mitigate some types of attack from inside the wired network, and to prevent accidental compromising of wireless connectivity. The issues you've raised we believe fit into this category. Revised firmware to address the issues you raised is now planned for the firmware release in August. This firmware will be applied both to new build of product and made available for the installed base as an upgrade that can be applied to product that's already in use." Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2002-0393 Red-M 1050 Access Point Management Web Server DoS CAN-2002-0394 Red-M 1050 Access Point Case Insensitive Passwords CAN-2002-0395 Red-M 1050 Access Point TFTP Server Based Password Attack CAN-2002-0396 Red-M 1050 Access Point Management Session State Storage CAN-2002-0397 Red-M 1050 Access Point Device Existence Broadcast CAN-2002-0398 Red-M 1050 Access Point PPP Denial of Service @stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/index.html @stake Advisory Archive: http://www.atstake.com/research/advisories/index.html PGP Key: http://www.atstake.com/research/pgp_key.asc Copyright 2002 @stake, Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.3 iQA/AwUBPP4fbUe9kNIfAm4yEQK+ZACaAray1lSrbqII930DoookUXR0vhsAoLCP cW2OqJWNXE6AGsMClo5rTOzR =e3y3 -----END PGP SIGNATURE-----