Re: Slashback!

["Dino A. Dai Zovi" <ddz () theta44 org>]

On Jan 16, 2006, at 12:57 PM, Alexander Bochmann wrote:

> ...on Sun, Jan 15, 2006 at 09:56:14AM -0600, Technocrat wrote:
>
> > Dave Aitel wrote:
> > > How does this: http://it.slashdot.org/it/06/01/15/0815207.shtml
> > > Differ from this:
> > > http://www.theta44.org/karma/index.html
> > Good point, I have heard of this attack before now..it isn't very  
> > "new"
> > just not talked about in a large public forum before now.
>
> Perhaps I'm missing something critical here, but this
> seems exactly like the thing that hotspotter[1] is
> targeting, and that was released in April 2004.
>
> > From the readme: "A Windows XP client will probe for all
> the preferred network names listed in the wireless client
> configuration during startup, powersave-wakeup and when
> the driver reports signal loss for the current network name.
> [..] Due to this configuration, it is possible to force a client
> to disclose the list of configured profiles, and then establish
> a connection to a rogue network using one of the preferred
> network names."
>
> Alex.
>
> [1] http://www.remote-exploit.org/index.php/Hotspotter_main

Yep, they attack basically the same problem :).  Hotspotter came out  
right as we were working on this (I referenced it in the paper, but I  
don't think I put it on our slides which I should have).

Hotspotter checks probes against a database of known hotspot names  
and then configures a HostAP network with that name if there is a  
match.  KARMA takes a different approach and uses a modified driver  
to automatically respond to any probe request.  This attacks all  
clients in parallel, helps win the race if there is another network  
the client may join, and uncovered the "random SSID" wireless network  
association vulnerabilities in Windows and MacOS X AirPort Classic.   
Apple fixed this in an AirPort update this summer, Microsoft said  
they'd fix it in the next service pack (it only affects older 802.11b- 
only cards).

-Dino