Full Disclosure mailing list archives
Re: [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability]
From: "Jonathan A. Zdziarski" <jonathan () nuclearelephant com>
Date: Thu, 04 Dec 2003 02:03:11 -0500
> What do you mean by "externally"? WLAN? Internet? I don't know this particular device, but I know that lots of other Access Points that have a web interface regard any request from the WLAN as being internal. If this is also the case for the WRT54G, the attack can be made by anyone who is in reach of the Access Point, as described in the vulnerability report.
I would hope that users of this device would at least be taking advantage of the integrated WPA functionality to keep unwanted visitors off the network - although this still presents a vulnerability, it is (at the present time) more difficult to hack your way onto a WPA-protected network than an unencrypted or WEP-encrypted system.
> WRT54G is said to have an https? Or do you mean SSL for authentication of users before they can access anything on (or behind) the network the Access Point is attached to?
I was referring to https...if it supports it, that's great...they are certainly working hard to make the newer hardware more secure. For authentication, WPA supports certificate-based authentication, but I doubt any residential user would be using this. Most would probably just use the pre-shared key...which used alone doesn't quite make much more sense than WEP (although it takes away some of the 'cracking wep' fun). If, for example, someone were to be a legitimate user on that network or intercept or deduce the pre-shared key (somehow), it seems as though it would be relatively easy to decode all subsequent packets for any user by simply following the stream of new keys generated for each packet. This would require capturing every packet from the start of a session, but appears to still leave a hole open for someone who wanted to write such a tool (I'm sure WPA-PSK decoding will be part of some new version of Kismet eventually, as WEP decoding is already). 'Course being that WPA is new, there's plenty of time for people to spend cracking it before it goes mainstream.

Jonathan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
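The key-derivation path the reply above is reasoning about, as an added example that is not part of the original message or of any Linksys/WPA implementation. In WPA-PSK every station derives the same PMK from the passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 rounds); the per-session PTK then comes from that PMK plus the two MAC addresses and two nonces that the 4-way handshake sends in the clear, and the TKIP per-packet keys are in turn derived from the TK portion of the PTK. So a third party who holds the pre-shared key and captures the handshake (the handshake frames are the only ones it strictly needs) computes exactly the keys the station computed, and can confirm it got them right by checking the MIC the station placed on handshake message 2. The MAC addresses, nonces and the stand-in EAPOL-Key body below are constructed values; the passphrase/SSID pair "password"/"IEEE" is the published 802.11i PBKDF2 test vector.

```python
"""WPA-PSK session-key recovery by a passive third party holding the PSK.
Added example, not the original post's code. Handshake values are made up."""
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    With WPA-PSK every station on the network shares this one value."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    concatenated and truncated to nbytes."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
            tkip: bool = True) -> bytes:
    """Pairwise Transient Key: PRF-512 for TKIP, PRF-384 for CCMP, over the sorted
    AP/station MAC addresses and the two nonces sent in clear in the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes, tkip: bool = True) -> bytes:
    """EAPOL-Key MIC over the frame with its MIC field zeroed: HMAC-MD5 for key
    descriptor version 1 (TKIP), HMAC-SHA1 truncated to 16 bytes for version 2 (CCMP)."""
    if tkip:
        return hmac.new(kck, frame_with_zeroed_mic, hashlib.md5).digest()
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


# Constructed handshake parameters (not captured traffic).
AP_MAC = bytes.fromhex("0c1e2f3a4b5c")    # authenticator address (AA)
STA_MAC = bytes.fromhex("00a1b2c3d4e5")   # supplicant address (SPA)
ANONCE = bytes(range(0x10, 0x30))         # 32-byte nonce the AP sends in message 1
SNONCE = bytes(range(0x40, 0x60))         # 32-byte nonce the station sends in message 2


def handshake_keys(passphrase: str, ssid: str, tkip: bool = True) -> dict:
    """Keys the station (and the AP) hold after messages 1 and 2 of the 4-way handshake."""
    pmk = wpa_pmk(passphrase, ssid)
    ptk = wpa_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE, tkip)
    # KCK signs handshake messages, KEK wraps the group key, TK encrypts data frames.
    return {"pmk": pmk, "ptk": ptk, "kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def passive_recovery(passphrase: str, ssid: str, msg2_zeroed_mic: bytes,
                     msg2_mic: bytes, tkip: bool = True):
    """What a third party who knows the PSK gets from a capture of the handshake alone:
    the same PTK, confirmed against the MIC the station put on message 2.
    Returns (tk, mic_matches); a wrong passphrase yields a TK that fails the MIC check."""
    keys = handshake_keys(passphrase, ssid, tkip)
    expected = eapol_mic(keys["kck"], msg2_zeroed_mic, tkip)
    return keys["tk"], hmac.compare_digest(expected, msg2_mic)


if __name__ == "__main__":
    station = handshake_keys("password", "IEEE")
    # Constructed stand-in for the EAPOL-Key message 2 body with its MIC field zeroed.
    msg2 = b"EAPOL-Key msg2 " + SNONCE + bytes(16)
    mic = eapol_mic(station["kck"], msg2)
    tk, ok = passive_recovery("password", "IEEE", msg2, mic)
    print("PMK:", station["pmk"].hex())
    print("third party's TK:", tk.hex(), "MIC check:", ok, "matches station:", tk == station["tk"])
```

The point of `passive_recovery` is that nothing in it is secret except the passphrase: a legitimate user of a WPA-PSK network already has everything needed to derive every other station's TK, and the MIC on message 2 doubles as an offline test for passphrase guesses against a captured handshake.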
Current thread:
- [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability] Michael Renzmann (Dec 03)
- Re: [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability] Jonathan A. Zdziarski (Dec 03)
- Re: [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability] Michael Renzmann (Dec 03)
- Re: [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability] Jonathan A. Zdziarski (Dec 03)
- Re: [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability] Tim (Dec 04)
- Re: [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability] Michael Renzmann (Dec 03)
- Re: [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability] kang () insecure ws (Dec 04)
- Re: [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability] Jonathan A. Zdziarski (Dec 03)