Wireless Access Points and ARP Poisoning

[aleph1 () securityfocus com]

Wireless Access Points and ARP Poisoning:
Wireless vulnerabilities that expose the wired network
Bob Fleck <rfleck () cigital com>, Jordan Dimov <jdimov () cigital com>

Address resolution protocol (ARP) cache poisoning is a MAC layer attack that
can only be carried out when an attacker is connected to the same local 
network as the target machines, limiting its effectiveness only to networks 
connected with switches, hubs, and bridges; not routers. Most 802.11b access 
points acts as transparent MAC layer bridges, which allow ARP packets to 
pass back and forth between the wired and wireless networks. This 
implementation choice for access points allows ARP cache poisoning attacks 
to be executed against systems that are located behind the access point. In 
unsafe deployments, wireless attackers can compromise traffic between 
machines on the wired network behind the wireless network, and also 
compromise traffic between other wireless machine including roaming clients 
in other cells. Of particular note is the vulnerability of home combination 
devices that offer a wireless access point, a switch, and a DSL/cable modem 
router in one package. These popular consumer devices allow a wireless 
attacker to compromise traffic between computes connected to the built-in 
switch. 

http://www.cigitallabs.com/resources/papers/download/arppoison.pdf

-- 
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum