Re: Assessing wireless driver vulnerabilities

Hi Josh,

I applaud your efforts to address this serious issue.  As you mentioned,
there are few tools to deal with these attacks.

I would love to hear from all the Wireless IDS/IPS vendors regarding what
detection/mitigation mechanisms they have in place for this class of
exploits.

Please let me know if you have any questions.

Thanks!

Jason Falciola, GAWN
IBM Internet Security Systems
falciola-r/Jw6+rmf7HQT0dZR+AlfA@xxxxxxxxxxxxxxxx

Tuesday, May 29, 2007 9:21 AM
To: "wifisec-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx" 
<wifisec-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx>
cc:
From: Joshua Wright <jwright-iGNaCUDxsatBDgjK7y7TUQ@xxxxxxxxxxxxxxxx>
Subject: Assessing wireless driver vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Exploiting wireless LAN driver vulnerabilities has been gaining
popularity, and with good reason.  Many driver exploits can be launched
even when users aren't connected to a WLAN, secure authentication and
encryption mechanisms such as EAP/TLS and CCMP don't mitigate any known
vulnerabilities in drivers, no known client tools can detect or mitigate
these vulnerabilities, a successful compromise gives an attacker ring0
access to the compromised host, and there are few tools available to
help organizations assess and remediate this threat.

To help address this issue, I've written a Windows tool to help
organizations assess their exposure to wireless driver vulnerabilities
on Windows systems.  WiFiDEnum (WiFi Driver Enumerator, such a clever
name, I know) uses logged-in or specified credentials to enumerate the
registry of local or remote hosts and identify all installed wireless
drivers.  Using a local database of known driver vulnerabilities,
WiFiDEnum identifies any known vulnerable drivers and can produce a
simple HTML vulnerability assessment report.

WiFiDEnum is freely available at
http://labs.arubanetworks.com/wifidenum.  Screenshot, sample report and
documentation are at http://labs.arubanetworks.com/releases/wifidenum.
Feedback, bug reports and driver name and version information for driver
bugs I'm missing is most appreciated.

My thanks to David Perez and David Rice for their help on this tool.

- -Josh
- --
Joshua Wright
jwright-iGNaCUDxsatBDgjK7y7TUQ@xxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iQIVAwUBRlwiBzWX3FIa1TkuAQJSTw/+OZ5X+MHPUH7GpoBGEXom4CHH9cgSDqek
pfXF3NGkBUcmkokJEotq9ZChHFCL0U7he7SE53eyLwuRSs4ywv9ybcx6fSVr0dF9
FglYCKQ5WTU7K5Bz3OtEoNgARsIYBSsLA3Smo2NhT49HUiiAzJcH0TJFprsITVI6
2oLc+hRC9rerQZggYPGPC6MvDebq9pIdRzu77O06nIEeSWCutZRdt6QGI708m8RD
Mmh6H9BFWV2TOd/bQLeMX2j5x2zFAbhjQtZMHnYFPTeMgZq60t0x1GRd7gtle9gl
CUYURMVoMzCIkREfCsBkAtbROqlO5tQxK8xINXKswwIXgbFRvOUVMyalcZdhiM1W
M2XfZZAdfyqbNOnXIQ7hJjZ0pFfGUnl7kJ4FjdhW/A6+CF87FIb2WOTc1uc94Io+
/sPmW/Z+utUoWfnOvMTgd0Y3J2rY7wPJztjS7ovxAMH4sIEYGUhkVqrBNgjVS0+8
2Cmf11qL/M33fAE94ejSUI08ME4vkP5GEldXKoLB1Ejb+xwOVONoDFCYrIrxVeYS
8/lJUO0IMEhAvwXuvEaR/8Hi5cnFSdVpIVG2ad2bxQAj+Xfdb/S0ErrBdZP6QIGd
htGDHKE9AKU1zKcQPLuTyeqIRFd+08C24DQX6JMg+bSuz/Nsk75unJfNfYoECv6L
V/VAS8m860I=
=6ql+
-----END PGP SIGNATURE-----