Dragos Ruiu
Stop, Think, Pwn.

The WiFi random number generator (RNG) algorithm is broken and group keys can be predicted, allowing traffic injection and decryption.

The paper and their conclusion:

“Although the generation of pairwise 802.11 keys has been widely analyzed, we have shown the same is not true for group keys. For certain devices the group key is easily predictable, which is caused by the faulty random number generator proposed in the 802.11 standard. This is especially problematic for Wi-Fi stacks in embedded devices, as they generally do not have other (standardized) sources of randomness. Furthermore, we have demonstrated a downgrade attack against the 4-way handshake, resulting in the usage of RC4 to protect the group key. An adversary can abuse this in an attempt to recover the group key.

We also showed that the group key can be used to inject any type of packet, and can even be used to decrypt all internet traffic in a network. Combined with the faulty 802.11 random number generator, this enables an adversary to easily bypass both WPA-TKIP and AES-CCMP. To mitigate some of these issues, we also proposed and implemented a strong random number generator tailored for 802.11 platforms.”

Paper: http://goo.gl/32gyus

P.S. RIP Wil Allsopp may your memories find a place of belonging.


The folks from Armis will be presenting their Blueborne Bluetooth bugs and research at PacSec in Tokyo on Nov 1/2.

http://goo.gl/3FuYHj


If you run Linux somewhere (desktop, routers, IoT, …) check out these vulnerabilities (3 RCE, 1 info leak and 3 DoS) in the DNS Masquerade (dnsmasq) software nearly every distro installs. Time to update. Exploitable through DNS and DHCP.

http://goo.gl/dJGMNY

Conversation with a customer this morning on unrelated matter.

Me (aside): oh yeah a heads up, did you see the Linux dnsmasq thing and update?

Customer: yeah saw that, we don’t run any Linux.

Me (incredulous): Really? You have an office wifi network?

Customer: yeah.

Me: I bet you are. The answer “we aren’t running Linux” makes me think “you need to look.”

Well isn’t that amusing, a “dumb” Cisco eight port office switch that sends Realtek RRCP Ethertype 0x8899 packets on its own....

How timely.

About that Broadcom WiFi chip firmware you haven’t updated yet on all your devices because you (erroneously) thought it only affected Android.

BroadPWN Volume 2 part 1
iPhone Exploitation.
http://goo.gl/dhGqmV

I wonder if all the folks who are counting on their infrastructure (or access point) filtering to do host isolation at the IP level on wifi to stop clients from talking (and attacking) each other also filter out the Tunnelled Direct Link Setup (TDLS) peer-to-peer wifi channels it seems all the new wifi chips and any router purchased in the last three years or so support (802.11z). I somehow suspect not. (Oh also this affects any AP or network based logging as they will not see this traffic. Stealthy unlogged attacks for a bonus!)

Oh BTW this TDLS tunnel traffic on “special” ethertypes 0x886c (Broadcom) and 0x890d (general?) is also the home of the overflows used to compromise the ARM core inside the Broadcom wifi chipsets in the BroadPWN exploits.

P.S. Linux and probably all the OSes (and device manufacturers too) should consider more actively maintaining and updating the chipset firmware their drivers load to keep up with security issue fixes, because ATM it looks like almost no-one sends out updates for these. The BroadPWN vuln and fw updates for it look to have been ignored by a lot of people who should have been paying attention. Somehow folks read the articles about it and erroneously assumed it was just an Android issue. It is not, it is a heap overflow and code execution on the wifi chip itself and can probably be leveraged to exploit any platform with a BCM83xx wifi chip (and that is a lot of stuff). Some exploits will be harder, but it’s clear that all the newer PCIe based chips make exploitation trivial through direct DMA from the pwned ARM core, and even if you have an older SDIO based chip, you aren’t necessarily immune. If you have any of these many, many, Broadcom wifi chips in your router, laptop, netfridge, or whatever OS equipment, you need to upgrade your wifi chip firmware. A lot of manufacturers haven’t even provided new firmware images to update the chipsets in their products a few months after it was disclosed. Sigh...
http://www.google.com/patents/WO2012048210A1?cl=en
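The post's point is that AP-side isolation and AP-based logging never see direct-link (TDLS) traffic, so a check for it has to run on the client itself. The following is an added example, not code from the original post: a small host-side Ethernet frame audit that parses each frame (stepping over any 802.1Q VLAN tag), counts ethertypes, and flags frames carrying the two ethertypes the post names, 0x890d and 0x886c. The sample frames are constructed inline; the payload bytes are placeholders and do not model real TDLS frame contents.

```python
# Added example (not from the original post): host-side audit that flags Ethernet
# frames carrying the TDLS-related ethertypes named in the post. The AP does not
# see direct-link traffic, so this runs on the client, over frames captured there.
import struct
from collections import Counter

# Ethertypes named in the post: 0x890d (802.11 data encapsulation, used by TDLS)
# and 0x886c (described in the post as Broadcom-specific).
TDLS_ETHERTYPES = {0x890d: "TDLS/802.11 encapsulation", 0x886c: "Broadcom 0x886c"}
ETH_P_8021Q = 0x8100  # 802.1Q VLAN tag; the real ethertype follows the tag


def mac(b: bytes) -> str:
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, ethertype, payload), skipping any 802.1Q tags."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    # Walk past VLAN tags; stacked (QinQ) tags just repeat this step.
    while etype == ETH_P_8021Q:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        etype = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        offset += 4
    return mac(dst), mac(src), etype, frame[offset:]


def audit(frames):
    """Classify frames. Returns (findings, counts): findings lists every frame whose
    ethertype is in TDLS_ETHERTYPES; counts is a per-ethertype Counter."""
    findings = []
    counts = Counter()
    for i, f in enumerate(frames):
        dst, src, etype, payload = parse_frame(f)
        counts[etype] += 1
        if etype in TDLS_ETHERTYPES:
            findings.append({
                "index": i, "src": src, "dst": dst, "ethertype": etype,
                "label": TDLS_ETHERTYPES[etype], "payload_len": len(payload),
            })
    return findings, counts


def build_frame(dst: str, src: str, etype: int, payload: bytes, vlan=None) -> bytes:
    """Helper to construct a sample frame, optionally behind one 802.1Q tag."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan)
    return hdr + struct.pack("!H", etype) + payload


# Constructed sample frames (not captured traffic); payloads are placeholder bytes.
SAMPLE_FRAMES = [
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", 0x0800, b"\x45" + b"\x00" * 19),   # ordinary IPv4
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03", 0x890d, b"\x02\x0c\x00" + b"\x00" * 8),  # TDLS encapsulation
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:04", 0x886c, b"\x00" * 16, vlan=10),  # vendor ethertype behind a VLAN tag
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", 0x86dd, b"\x60" + b"\x00" * 39),  # IPv6
]

if __name__ == "__main__":
    found, seen = audit(SAMPLE_FRAMES)
    for f in found:
        print(f"frame {f['index']}: {f['label']} from {f['src']} to {f['dst']} ({f['payload_len']} bytes)")
    print("ethertypes seen:", {hex(k): v for k, v in seen.items()})
```

On a real host the frames would come from a raw socket or a pcap on the WLAN interface; the audit itself does not depend on where they came from, which is the point, since the AP's own logs will not contain them.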

Patch your Bluetooth today, from this unauth, unpaired, remote command execution over the air, and contemplate gazillions of unpatchable wormable embedded/IoT netfridges and such... http://goo.gl/jx9NWf

My question is how do I patch my car? Ruh-Roh

P.S. Anyone else find it hilarious that this hits all the OSes and devices, except.... Windows Phone. NYPD gets the last laugh....