Laurent Butti BlackHat Europe

Transcription

1 ENSIMAG - 4MMSR - Network Security Seminars Laurent Butti BlackHat Europe Corentin Delpech corentin.delpech@ensimag.fr Lucas Fontaine lucas.fontaine@ensimag.fr ENSIMAG 2A TELECOM /29

2 Starring Laurent BUTTI! Network security at R&D labs o working for Orange Speaker at security-focused conferences o ToorCon, Shmoocon, First, BlackHAt US, hack.lu Wi-Fi security centric anecdote : o History of MadWifi. ENSIMAG 2A TELECOM /29

3 Summary Introduction, overview Historic, Wi-Fi standards, usages Technical specificities Networking modes Wi-Fi frames Security of Wi-Fi networks Which issues? How to perform vulnerability tests? Fuzzing What is fuzzing? Implementation of a fuzzer Discovered vulnerabilities Fuzzers limitation, countermeasures Demonstration (!) Final words, summary ENSIMAG 2A TELECOM /29

4 Summary Introduction, overview Historic, Wi-Fi standards, usages Technical specificities Networking modes Wi-Fi frames Security of Wi-Fi networks Which issues? How to perform vulnerability tests? Fuzzing What is fuzzing? Implementation of a fuzzer Discovered vulnerabilities Fuzzers limitation, countermeasures Demonstration (!) Final words, summary ENSIMAG 2A TELECOM /29

5 Historic, Wi-Fi standards Introduction Wi-Fi Wireless Fidelity Appeared in 1999 Now Ubiquitous Many platforms : laptops, cellular phones, printers Why this presentation? Many chipsets -> Many developers -> Heterogeneous regarding security Figure 1 Democratization of wireless hot spots ENSIMAG 2A TELECOM /29

6 Technical specificities, Networking Modes Introduction wireless cards can operate in different modes : Monitor : Just listen to traffic Master AdHoc : Act as an access point : Act as an Adhoc Station Managed : Act as a station Discovering an access point : Figure 2 A Network Active scanning : send probe request and listen to responses and do channel hopping Passive scanning : listen to beacons and do channel hopping ENSIMAG 2A TELECOM /29

7 Technical specificities, Wi-Fi Frames Introduction frames : Data frames Control frames Management frames : MAC frame format : Authentification, Asssociation Request, Assocation Responce, Resassociation Responce, Dissociation, Beacon, Probe Request,Probe responce, Request To Send, Clear To Send, Acknolegement Figure 3 - Mac frame format ENSIMAG 2A TELECOM /29

8 Technical specificities, Wi-Fi Frames Introduction Example of a frame : Figure 4 - Example of a frame with WireShark ENSIMAG 2A TELECOM /29

9 Technical specificities, Wi-Fi Frames Introduction 3 class frames : class 1 : Probe Request / Response, Beacon, Athentification Request / Responce, Deauhentication class 2 : (Re)association Request / Response Deassociation class 3 : Deauthentication Figure States for 1 client and server ENSIMAG 2A TELECOM /29

10 Summary Introduction, overview Historic, Wi-Fi standards, usages Technical specificities Networking modes Wi-Fi frames Security of Wi-Fi networks Which issues? How to perform vulnerability tests? Fuzzing What is fuzzing? Implementation of a fuzzer Discovered vulnerabilities Fuzzers limitation, countermeasures Demonstration (!) Final words, summary ENSIMAG 2A TELECOM /29

11 Which issues? Security of Wi-Fi networks Infrastructure/network sided security weak Client sided security weak Remote attack (in the victim s radio coverage) with kernel-mode code remote execution! Figure 6 Example of Wi-Fi remote attack ENSIMAG 2A TELECOM /29

12 How to perform vulnerability test? Security of Wi-Fi networks Closed source drivers Black box testing Reverse engineering Open source drivers Black & white box testing Source code auditing Corentin & Lucas! Figure 7 Do you know what is inside the box? ENSIMAG 2A TELECOM /29

13 Summary Introduction, overview Historic, Wi-Fi standards, usages Technical specificities Networking modes Wi-Fi frames Security of Wi-Fi networks Which issues? How to perform vulnerability tests? Fuzzing What is fuzzing? Implementation of a fuzzer Discovered vulnerabilities Fuzzers limitation, countermeasures Demonstration (!) Final words, summary ENSIMAG 2A TELECOM /29

14 What is fuzzing? Fuzzing Black box software testing technique Automatically generate and inject malformed or semi-malformed data in order to find implementation bugs [OWASP.ORG] Fuzz (random data) Malformed data Semimalformed data Input of a program Which behavior? If program fails Defects and implementations bugs to correct New vulnerability discovered! Fuzzing is OK to discover the most obvious bugs KO for the most complex ones (not smart enough!) ENSIMAG 2A TELECOM /29

15 Implementation of a fuzzer Fuzzing Information Element Element ID (1) Length (1) Information (Length) Figure 8 Structure of an Information Element Figure 9 Information Element SSID of a frame List of interesting Information Element IE 0 : SSID (min size of 0 byte, max. 32) IE 3 : Channel (fixed size of 1 byte) Some fast boundary test examples : IE 0 {0, 1, MIN-1, MIN, MIN+1, MAX-1, MAX, MAX+1, 254, 255} lengths IE 3 {0, 1, 254, 255} Some IE have a fixed or maximum length Possible overflow of the static buffer receiving the Information if Length not checked ENSIMAG 2A TELECOM /29

16 Implementation of a fuzzer Fuzzing Ethernet connectivity useful for bug detection (ping and keepalive TCP connection) Figure 10 Architecture overview ENSIMAG 2A TELECOM /29

17 Implementation of a fuzzer Fuzzing Difficulties Proprietary Information Element (documentation?!) Channel hopping for active access point scan from the client NEED fast answer Difficult with a Python implementation of the fuzzer, even harder with existing injection framework like Scapy Cannot state if the victim device is listening or not to beacons Detection of a bug under several OS? Solutions More than just a fuzzer : a smart fuzzer Flood the radio with probe responses and beacons Automatic bug detection Windows : ping don t answer any more or even BSOD! Linux : monitor {oops unable to handle assert panic} kernel events Detect when the victim device stop sending probe request for active scanning -> the device don t work anymore! ENSIMAG 2A TELECOM /29

18 Summary Introduction, overview Historic, Wi-Fi standards, usages Technical specificities Networking modes Wi-Fi frames Discovered vulnerabilities Fuzzers limitation, countermeasures Demonstration (!) Security of Wi-Fi networks Which issues? How to perform vulnerability tests? Final words, summary Fuzzing What is fuzzing? Implementation of a fuzzer ENSIMAG 2A TELECOM /29

19 Discovered vulnerabilities by Laurent BUTTI with his Wi-Fi fuzzing - NetGear MA521 Wireless Driver Long Rates Overflow Utilisation d une trame avec un IE Rates trop long (longueur maximale de 8 octets normalement) - NetGear WG311v1 Wireless Driver Long SSID Overflow Utilisation d une trame avec un IE SSID trop long (longueur maximale de 32 octets normalement) - D-Link DWL-G650+ (A1) Wireless Driver Long TIM Overflow Utilisation d une trame avec un IE TIM trop long - Madwifi Driver Remote Buffer Overflow Vulnerability Utilisation d une trame avec IE WPA/RSN/VMM/ATH trop long Exploitable uniquement lors d un appel à SIOCGIWSCAN du client Commande iwlist par exemple ENSIMAG 2A TELECOM /29

20 Discovered vulnerabilities by Laurent BUTTI with his Wi-Fi fuzzing Figure 11 - Linux Kernel «oops» ENSIMAG 2A TELECOM /29

21 Discovered vulnerabilities by Laurent BUTTI with his Wi-Fi fuzzing Figure 12, 13, 14 «net80211/ieee80211_scan.c» MadWiFi source code Function giwscan_cb ENSIMAG 2A TELECOM /29

22 Discovered vulnerabilities by Laurent BUTTI with his Wi-Fi fuzzing Figure 15 «net80211/ieee80211_scan.c» MadWiFi source code Function encode_ie ENSIMAG 2A TELECOM /29

23 Summary Introduction, overview Historic, Wi-Fi standards, usages Technical specificities Networking modes Wi-Fi frames Security of Wi-Fi networks Which issues? How to perform vulnerability tests? Fuzzing What is fuzzing? Implementation of a fuzzer Discovered vulnerabilities Fuzzers limitation, countermeasures Demonstration (!) Final words, summary ENSIMAG 2A TELECOM /29

24 Fuzzer Limitations, counter-measure Limitations : the developer's comprehension of the protocol cannot help you to find Complex 'Bugs' needs to manage Wi-Fi states needs to have the same level of performance as the client cannot be sure a frame was analysed needs to understand bugs activated by fuzzer Driver's patches may prevent them. Or add some! Or only partially correct them J Figure 16 Logo of madwifi ENSIMAG 2A TELECOM /29

25 Demonstration (!) ENSIMAG 2A TELECOM /29

26 Summary Introduction, overview Historic, Wi-Fi standards, usages Technical specificities Networking modes Wi-Fi frames Security of Wi-Fi networks Which issues? How to perform vulnerability tests? Fuzzing What is fuzzing? Implementation of a fuzzer Discovered vulnerabilities Fuzzers limitation, countermeasures Demonstration (!) Final words, summary ENSIMAG 2A TELECOM /29

27 Conclusion Many vulnerabilities came with Fuzzing is the best way to make testing Tests wireless cards with : o his states o Information elements Helps to Discover obvious bug, and critical bugs. Can discover more complex bug o developer needs to know standards really well. ENSIMAG 2A TELECOM /29

28 Conclusion Other things to do : o extensions are coming o wireless devices : WUSB, Bluetooth 3.0, o fuzzing access point ENSIMAG 2A TELECOM /29

29 References Figure 1 Ref : intermonde_wifi_wimax.shtml Figure 2 Ref : definition of wifi frames Ref : article.php/ Logo madwifi: ENSIMAG 2A TELECOM /29