Information Security News mailing list archives

Red-M's Bluetooth Server Vulnerable


From: InfoSec News <isn () c4i org>
Date: Thu, 6 Jun 2002 04:28:53 -0500 (CDT)

http://www.eweek.com/article/0,3658,s=712&a=27812,00.asp

June 5, 2002 
By Dennis Fisher 

Security researchers have identified numerous flaws in the Bluetooth
short-range wireless access points sold by Red-M Communications Ltd.,
the most serious of which could compromise the administration
password.

@stake Inc., a security research and consultant firm in Cambridge,
Mass., discovered the six vulnerabilities in Red-M's 1050AP, which is
the only server on the market that supports access by multiple
Bluetooth clients.

Although Bluetooth has been in existence for several years, vendors
have been slow to produce devices that support it. Designed mainly for
linking desktop and notebook computers to peripherals such as cell
phones and headsets, some advocates have touted the protocol as a more
secure alternative to 802.11b.

But, security experts say, Bluetooth gear is not immune from many of
the same design flaws that have resulted in security problems for
wired and other wireless networks.

"The design and implementation issues haven't been resolved because
[Bluetooth networks] rely on corporate networks to be secure," said
Ollie Whitehouse, director of security architecture and team leader of
@stake's Wireless Security Center of Excellence, which discovered the
flaws. "We suffer from the same problems in the wireless world as in
the wired world. They're common programming issues as opposed to
Bluetooth issues."

The company's advisory is due to be published Wednesday.

Red-M, based in Bucks, England, responded to @stake's discoveries by
saying that the attacks and vulnerabilities the researchers identified
would result from the access point being installed on a poorly secured
wired network. However, Red-M has fixed the denial-of-service flaws in
a recent firmware upgrade and plans to address the others in its next
update, due in August.

Whitehouse said that none of the vulnerabilities or attacks his team
identified was very difficult to find or execute.

"It's not going to take someone with a high level of intellect to
exploit these," he said. "We spent a total of two weeks on this."

Potentially the most damaging vulnerability is a flaw in the TFTP
server that ships with the 1050AP. The server, which is used for
configuration backups and firmware updates, cannot be disabled, and an
attacker could use it to mount a UDP-based attack on the
administrative password, according to Whitehouse. Because the device's
password is also case insensitive and can be no longer than 16
characters, this flaw gives an attacker an effective way of cracking
the administrative password.

The 1050AP also has a vulnerability in the way it stores management
session state, which is open to several different attacks. When a user
logs into the Web interface with the administrative password, the
device does not send a cookie, session ID or any other authentication
data to the client, nor does the client send any to the server.
Instead, the server simply remembers that the client's IP address has
been authenticated until the session times out or the user logs out.

As a result, a second user coming via the same proxy server can
connect to the administrative interface without having to authenticate
himself. Or, if the first user connects to the 1050AP through a
firewall that does network address translation, any other user behind
the same IP address can access the administrative interface as well.

Also, because the device does not ask for the current password when a
user tries to change the administrator's password, once he's logged
on, an attacker could lock the administrator out of the device, @stake
says.
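To make the two management-interface weaknesses concrete, here is an added illustration (not Red-M firmware or @stake code) that models the IP-keyed authentication described above next to a token-based session that also demands the current password before changing it; the class and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

def _digest(password):
    # Illustrative only; a real device should use a salted, slow password hash.
    return hashlib.sha256(password.encode()).digest()

class IpKeyedAdmin:
    """Constructed model of the 1050AP design above: no cookie or session ID,
    the server only remembers which client IP address has authenticated."""
    def __init__(self, password):
        self.password = password.lower()  # case-insensitive, as the article notes
        self.authed_ips = set()
    def login(self, client_ip, password):
        if password.lower() != self.password:
            return False
        self.authed_ips.add(client_ip)
        return True
    def is_admin(self, client_ip):
        return client_ip in self.authed_ips  # any host behind a shared proxy/NAT IP qualifies
    def change_password(self, client_ip, new_password):
        if not self.is_admin(client_ip):  # the current password is never asked for
            return False
        self.password = new_password.lower()
        return True

class TokenAdmin:
    """Hardened counterpart: per-login random token, case-sensitive constant-time
    compare, and the current password is required before setting a new one."""
    def __init__(self, password):
        self._hash = _digest(password)
        self.sessions = set()
    def login(self, password):
        if not hmac.compare_digest(_digest(password), self._hash):
            return None
        token = secrets.token_urlsafe(32)  # the client must present this, not just its IP
        self.sessions.add(token)
        return token
    def is_admin(self, token):
        return token in self.sessions
    def change_password(self, token, current, new):
        if not self.is_admin(token) or not hmac.compare_digest(_digest(current), self._hash):
            return False
        self._hash = _digest(new)
        self.sessions.clear()  # every session ends when the password changes
        return True
```

With the IP-keyed model, a second host behind the same proxy or NAT address is treated as the authenticated administrator and can replace the password without knowing it; the token model gives that host nothing to present.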

The Red-M device also broadcasts its name via UDP to a specific
broadcast IP address about once a minute, Whitehouse said. Anyone
looking to find an access point on a given network would need simply
to listen on port 8887, and could easily determine the 1050AP's name,
IP address, netmask, serial number and aerial address.

@stake also identified two separate denial-of-service vulnerabilities
in the access point. The flaw in the management Web server simply
requires an attacker to enter a long string of characters in the
administrative password field, which will generate a connection error
and cause the server to die until it is manually restarted. The second
such flaw results from an attacker entering an overly long string in
the PPP (point to point protocol) username field.

Red-M officials said they don't see these issues as problems with the
1050AP.

"The current design philosophy for the 1050AP is that it would be used
on a corporate network already secured by implementation of a
corporate security policy," the company wrote in an e-mail response to
@stake's advisory. "This should mitigate the risk of attacks from the
wired network. We believe that [@stake's advisory] does not
demonstrate a practical vulnerability over the wireless interface, as
the 1050AP's wireless security mechanisms have not been shown to be
vulnerable."


