Monday, June 27, 2005

[NEWS] WLAN Session Containment DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

WLAN Session Containment DoS
------------------------------------------------------------------------

SUMMARY

Session containment (also known as wireless intrusion prevention) is a
technique implemented by wireless LAN IDS vendors to prevent unauthorized
stations from connecting to an authorized or rogue access point. A denial
of service vulnerability in some WLAN session containment
implementations allows an attacker to disconnect all connected users from
the WLAN.

DETAILS

When a WLAN IDS identifies an unauthorized station on a wireless network,
it may attempt to prevent the station from accessing network resources.
This is accomplished by mounting a denial of service (DoS) attack against
the rogue access point or station, leveraging weaknesses in the IEEE
802.11 specification to disconnect one or more users from the wireless
network.

When the disconnect message is repeated continuously, the rogue station is
unable to connect to the wireless network, preventing a potential network
intrusion.

When implementing a mechanism to disconnect users from a protected access
point, vendors must consider several factors:

* Preventing unauthorized access. The goal of session containment against
an unauthorized station is to stop access to the distribution system or
wired network. The selection of a technique that reliably stops access to
the network is a major consideration for the WLAN IDS vendor.

* Minimizing impact to the wireless spectrum or channel. A WLAN IDS
vendor can easily prevent all access to a monitored access point by
implementing a denial of service attack against the wireless spectrum,
such as an RF jamming attack. This has the negative side effect of
preventing all access to the spectrum, including potentially authorized
stations and access points that are accessing a nearby production network.
A WLAN IDS vendor must implement a technique to disconnect unauthorized
stations with minimal impact to other production wireless networks.

* Limiting DoS scope to designated stations. A vendor may opt to provide
sufficient fidelity in their session containment implementation such that
they can disconnect a single unauthorized station, preserving the
connectivity of other authorized users. This requirement will also
influence the implementation of the session disconnect technique.

Considering these implementation factors, vendors have implemented session
containment by transmitting spoofed deauthentication and/or disassociation
management frames. By transmitting these frames with a spoofed source MAC
address of the access point or victim station, a WLAN IDS vendor can force
a client to disconnect from the network, forcing it to repeat the IEEE
802.11 authentication and association process to regain access to the
network. By repeating the transmission of these frames, a WLAN IDS can
sustain a DoS attack against a target MAC address, preventing access to
the network.
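Because the source address of a management frame is unauthenticated in the IEEE 802.11 frame format described above, a monitoring sensor cannot tell a containment sensor's spoofed deauthentication frame from a genuine one by its address alone; what it can do is decode the management frames it sees and flag the pattern the advisory describes: broadcast-addressed deauthentication and disassociation frames, and bursts of them from one source address. The following Python is an added example written for this page, not code from the advisory, from Joshua Wright or from any WLAN IDS vendor. It decodes the 24-byte 802.11 MAC header and the 2-byte reason code of deauthentication/disassociation frames, and runs a simple per-source sliding-window detector over a constructed offline capture; the MAC addresses are the ones in the advisory's trace plus one placeholder address, the window, threshold and reason codes are assumptions chosen for the example, and `build_mgmt_frame` exists only to construct that sample input.

```python
import struct
from collections import defaultdict, deque

# IEEE 802.11 management-frame subtypes (frame type 0) relevant here.
SUBTYPE_PROBE_REQ = 0x04
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Standard 802.11 reason codes carried in the 2-byte body of these frames.
REASON_CODES = {1: "unspecified", 3: "sending STA is leaving",
                7: "class 3 frame from nonassociated STA"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def parse_mgmt_frame(frame):
    """Decode the 802.11 MAC header. Returns None for non-management frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]                      # Frame Control, first octet
    ftype = (fc0 >> 2) & 0x3            # bits 2-3: type (0 = management)
    subtype = (fc0 >> 4) & 0xF          # bits 4-7: subtype
    if ftype != 0:
        return None
    info = {
        "subtype": subtype,
        "dst": mac_str(frame[4:10]),    # Address 1: receiver
        "src": mac_str(frame[10:16]),   # Address 2: transmitter (the spoofable field)
        "bssid": mac_str(frame[16:22]), # Address 3: BSSID
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,  # sequence number
    }
    if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def build_mgmt_frame(subtype, dst, src, bssid, seq, reason=None):
    """Constructed sample frames used only as offline input for the detector."""
    header = struct.pack("<BBH", subtype << 4, 0, 0)   # FC (type 0), flags, duration
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    header += struct.pack("<H", seq << 4)              # sequence control, fragment 0
    if reason is not None:
        header += struct.pack("<H", reason)
    return header


class DeauthMonitor:
    """Flags broadcast deauth/disassoc frames and per-source floods in a time window."""

    def __init__(self, window_ms=1000, flood_threshold=5):   # assumed tuning values
        self.window_ms = window_ms
        self.flood_threshold = flood_threshold
        self.recent = defaultdict(deque)   # source MAC -> recent deauth/disassoc timestamps

    def observe(self, ts_ms, frame):
        info = parse_mgmt_frame(frame)
        if info is None or info["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            return None
        times = self.recent[info["src"]]
        times.append(ts_ms)
        while times and ts_ms - times[0] > self.window_ms:
            times.popleft()
        reason = REASON_CODES.get(info.get("reason"), "other")
        if len(times) >= self.flood_threshold:
            return f"FLOOD src={info['src']} {len(times)} deauth/disassoc frames in {self.window_ms} ms"
        if info["dst"] == BROADCAST:
            return f"BROADCAST_DEAUTH src={info['src']} reason={reason}"
        return None


def analyze(capture, **kw):
    """capture: iterable of (timestamp_ms, raw_frame). Returns [(timestamp_ms, alert)]."""
    mon = DeauthMonitor(**kw)
    alerts = []
    for ts, frame in capture:
        alert = mon.observe(ts, frame)
        if alert:
            alerts.append((ts, alert))
    return alerts


# Constructed capture modelled on the advisory's trace: broadcast deauthentication
# frames carrying the AP's address (00:12:17:9f:08:71) as source, every 100 ms.
AP = "00:12:17:9f:08:71"
STA = "00:90:4b:2d:65:24"
OTHER_AP = "00:00:00:00:00:01"   # placeholder MAC for an unrelated, well-behaved AP

SAMPLE_CAPTURE = [(i * 100, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, 100 + i, reason=7))
                  for i in range(10)]
SAMPLE_CAPTURE.append((50, build_mgmt_frame(SUBTYPE_PROBE_REQ, BROADCAST, STA, BROADCAST, 1)))
SAMPLE_CAPTURE.append((350, build_mgmt_frame(SUBTYPE_DEAUTH, STA, OTHER_AP, OTHER_AP, 7, reason=3)))
SAMPLE_CAPTURE.sort(key=lambda e: e[0])

if __name__ == "__main__":
    for ts, alert in analyze(SAMPLE_CAPTURE):
        print(f"{ts:5d} ms  {alert}")
```

On the constructed capture the first four broadcast frames are reported individually and the remaining six trip the flood threshold, while the single unicast deauthentication from the unrelated AP (reason 3, a normal "station leaving" notice) and the probe request produce no alert. In a real deployment the window and threshold need tuning against the channel's normal management traffic, and a flood alert attributed to an AP's address should be read as "someone is transmitting with this address", not as proof the AP itself sent the frames.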

The following trace is an example of one vendor's implementation of
session containment against a rogue station:

1.  00:90:4b:2d:65:24 -> 00:12:17:9f:08:73 ICMP Echo (ping) request
2.  00:12:17:9f:08:73 -> 00:90:4b:2d:65:24 ICMP Echo (ping) reply
3.  00:12:17:9f:08:71 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Deauthentication
4.  00:90:4b:2d:65:24 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Probe Request, SSID: "linksys-a"
5.  00:12:17:9f:08:71 -> 00:90:4b:2d:65:24 IEEE 802.11 Probe Response, SSID: "linksys-a"
6.  00:12:17:9f:08:71 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Deauthentication
7.  00:90:4b:2d:65:24 -> 00:12:17:9f:08:71 IEEE 802.11 Authentication
8.  00:12:17:9f:08:71 -> 00:90:4b:2d:65:24 IEEE 802.11 Authentication
9.  00:90:4b:2d:65:24 -> 00:12:17:9f:08:71 IEEE 802.11 Reassociation Request, SSID: "linksys-a"
10. 00:12:17:9f:08:71 -> 00:90:4b:2d:65:24 IEEE 802.11 Reassociation Response
11. 00:12:17:9f:08:71 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Deauthentication

In this trace, an authenticated, associated station at 00:90:4b:2d:65:24
is exchanging ICMP echo request and reply traffic with another station
at 00:12:17:9f:08:73. After the ICMP exchange, a deauthentication frame is
sent to the broadcast address from the access point at 00:12:17:9f:08:71
(frame 3), which causes the wireless station to reconnect to the network,
beginning with a probe request frame. A second deauthentication notice is
transmitted in frame 6. Since this frame is transmitted before the station
re-authenticates to the network, it is silently ignored, and the station
continues the authentication and reassociation process. The
deauthentication frame transmitted in frame 11 does successfully
disconnect the client, forcing it to repeat the connection process.

In this case, the deauthenticate frames are transmitted by the WLAN IDS
sensor with a spoofed source MAC address of the access point. This makes
the station believe that the access point is disconnecting them from the
network, forcing them to reconnect. Sustaining these spoofed frames will
keep the station from being able to transmit on the network. This
technique is employed by most vendors to implement session containment,
with minor variations.
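The reason frame 6 is ignored while frames 3 and 11 take effect follows from the IEEE 802.11 station state machine: a deauthentication notice moves a station to State 1 (unauthenticated, unassociated), and a station already in State 1 has nothing to tear down, so a further notice is discarded until the station has worked its way back through authentication (State 2) and association (State 3). The Python below is an added example for this page, not code from the advisory or from any vendor; it replays the advisory's trace, with the frame types and addresses taken from the trace above, against that three-state model and reports which deauthentication frames actually disconnected the station. The model assumes the access point's authentication and reassociation responses indicate success, which the trace does not show explicitly.

```python
# IEEE 802.11 station states: 1 = unauthenticated/unassociated,
# 2 = authenticated/unassociated, 3 = authenticated/associated.
STATE_1, STATE_2, STATE_3 = 1, 2, 3
BROADCAST = "ff:ff:ff:ff:ff:ff"


def replay_station(events, sta, ap, initial_state=STATE_3):
    """Replay (frame_no, src, dst, frame_type) tuples against one station.

    Returns (final_state, effective, ignored): the frame numbers of the
    deauthentication/disassociation frames that changed the station's state,
    and those it discarded because it was already in a lower state.
    """
    state = initial_state
    effective, ignored = [], []
    for num, src, dst, kind in events:
        from_ap_to_sta = src == ap and dst in (sta, BROADCAST)
        if kind == "Deauthentication" and from_ap_to_sta:
            if state == STATE_1:
                ignored.append(num)       # already unauthenticated: nothing to tear down
            else:
                state = STATE_1
                effective.append(num)
        elif kind == "Disassociation" and from_ap_to_sta:
            if state == STATE_3:
                state = STATE_2           # association dropped, authentication kept
                effective.append(num)
            else:
                ignored.append(num)
        elif kind == "Authentication" and src == ap and dst == sta and state == STATE_1:
            state = STATE_2               # AP's authentication response (assumed success)
        elif (kind in ("Association Response", "Reassociation Response")
              and src == ap and dst == sta and state == STATE_2):
            state = STATE_3               # AP's (re)association response (assumed success)
        # Data frames, probes and the station's own requests do not change its state.
    return state, effective, ignored


AP = "00:12:17:9f:08:71"
STA = "00:90:4b:2d:65:24"
PEER = "00:12:17:9f:08:73"

# The advisory's trace, frame by frame (source, destination, frame type).
TRACE = [
    (1, STA, PEER, "Data"),                    # ICMP echo request
    (2, PEER, STA, "Data"),                    # ICMP echo reply
    (3, AP, BROADCAST, "Deauthentication"),
    (4, STA, BROADCAST, "Probe Request"),
    (5, AP, STA, "Probe Response"),
    (6, AP, BROADCAST, "Deauthentication"),
    (7, STA, AP, "Authentication"),
    (8, AP, STA, "Authentication"),
    (9, STA, AP, "Reassociation Request"),
    (10, AP, STA, "Reassociation Response"),
    (11, AP, BROADCAST, "Deauthentication"),
]

if __name__ == "__main__":
    final, effective, ignored = replay_station(TRACE, STA, AP)
    print(f"final state: {final}")
    print(f"deauthentication frames that disconnected the station: {effective}")
    print(f"deauthentication frames silently ignored: {ignored}")
```

Replaying the trace leaves the station in State 1 with frames 3 and 11 recorded as effective and frame 6 as ignored, matching the advisory's reading of the capture. The same replay makes the containment sensor's timing problem visible: a sensor that fires on a fixed interval wastes every notice that lands while the station is still reconnecting, which is why sustained containment repeats the frames rather than sending one.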

ADDITIONAL INFORMATION

The information has been provided by Joshua Wright <jwright@hasborg.com>.
The original article can be found at:
http://i.cmpnet.com/nc/1612/graphics/SessionContainment_file.pdf
and at
http://www.nwc.com/shared/article/printFullArticle.jhtml?articleID=164302965
