By Enno Rey & Daniel Mende
erey@ernw.de
dmende@ernw.de
When implementing Cisco Wireless network infrastructure Enno and Daniel got the impression that, security wise, these systems smell.
The first part of the presentation focuses on what a typical implementation looks like.
There are three generations:
1. Structured Wireless-Aware Networks (SWAN)
2. Based on managed APs and LWAPP (After acquiring Airport)
3. Cisco Unified Wireless Network
The talk focuses on generation one and three.
There are a couple of attack paths: traffic in transit, cryptography, and attacks against the components themselves.
First up is SWAN. It mainly runs on WLCCP protocol messages. This protocol is proprietary, so the patents are needed to discover its inner workings, along with the deviations of the implementation from the patent.
The key management is handled by Cisco's proprietary key management framework, Cisco Centralized Key Management (CCKM). This framework allows a client's key material to be passed from one access point to the other.
One of the properties of the protocol is the election of the WDS master, which controls all communication between the APs.
The communication between the APs is authenticated by means of LEAP. The security of LEAP is debatable at best, and Cisco's fix, deriving two additional keys from the first key, is debatable too.
Management interfaces are the Achilles’ heel of many systems.
So what do you need for a practical attack against APs? If you can get to the AP's management interface, you can locate the WDS master by identifying WLCCP speakers, sniff the intra-AP traffic and crack the LEAP secret. Then you can evict the WDS master if necessary.
Daniel next demoed the attack. He used Loki to sniff the backbone interface to identify the WDS master. Loki can then be used to take over the WDS role by inserting a new WDS master. The master priority is configurable up to 254, but the protocol can handle a value of 255, so you can always win this election.
Next, Loki can be used to brute force the detected WDS password, and the revealed password can be used to derive the additional security keys.
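A defender-side check for the election takeover described above, added here as an example and not part of the talk or of Loki: it audits WDS advertisements in a constructed record format (the real WLCCP message layout is not reproduced) and alerts on a priority above the configurable maximum of 254 or on a master claim from an unexpected device.

```python
"""Flag a rogue WDS master election on a SWAN backbone.

Constructed example: WdsAdvert is an invented, simplified view of a WDS
advertisement (not the real WLCCP wire format), with fields a capture
tool is assumed to expose: source MAC, advertised priority, master claim.
"""
from dataclasses import dataclass
from typing import Iterable, List

# The CLI only lets an operator configure a WDS priority up to 254;
# the protocol itself still accepts 255.
MAX_CONFIGURABLE_PRIORITY = 254


@dataclass(frozen=True)
class WdsAdvert:
    src_mac: str      # backbone MAC of the advertising device
    priority: int     # WDS priority the device claims
    is_master: bool   # whether it claims to be the active WDS master


def audit_wds_adverts(adverts: Iterable[WdsAdvert], expected_master: str) -> List[str]:
    """Return one alert string per suspicious advertisement.

    A priority above the configurable maximum can only come from a crafted
    frame; a master claim from any MAC other than the provisioned WDS
    master means the election has been hijacked.
    """
    alerts = []
    for adv in adverts:
        if adv.priority > MAX_CONFIGURABLE_PRIORITY:
            alerts.append(f"{adv.src_mac}: priority {adv.priority} exceeds configurable maximum")
        if adv.is_master and adv.src_mac.lower() != expected_master.lower():
            alerts.append(f"{adv.src_mac}: claims WDS master role, expected {expected_master}")
    return alerts


# Constructed sample traffic: the legitimate master, a normal backup AP,
# and a rogue device that advertises priority 255 and then claims mastery.
SAMPLE_ADVERTS = [
    WdsAdvert("00:11:22:33:44:55", 200, True),
    WdsAdvert("00:11:22:33:44:66", 100, False),
    WdsAdvert("de:ad:be:ef:00:01", 255, False),
    WdsAdvert("de:ad:be:ef:00:01", 255, True),
]

if __name__ == "__main__":
    for line in audit_wds_adverts(SAMPLE_ADVERTS, "00:11:22:33:44:55"):
        print(line)
```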
Even though there are some parts of the crypto space that smell, Enno and Daniel were not able to find practical exploits here.
Management interfaces however are another story.
SNMP is a good friend, especially if people forget to reset their community strings. The SNMP interface does not allow you to reset passwords of existing users, but it does allow you to create administrative users.
The Cisco WLAN management tooling is web based, with all the classical web-based attacks such as Cross Site Scripting.
Enno demoed a web-based attack. By intercepting a request to the web interface with Burp Suite and rewriting it, he was able to trigger a buffer overflow in the wireless management appliance. This makes you wonder what would happen if you ran a fuzzer against it.
Key points to take away:
• “Enterprise WLAN solutions” might be complex beasts
• There may be not-so-obvious vulnerabilities
• Use common sense when deploying
• The problems outlined are not Cisco specific
The majority of the problems relate to the management interfaces. They should never be publicly exposed.