wireless technology
- Security Management
- Social Engineering
- Virtualisation
- VoIP Technology
- Web Security
- Wireless Technology
Please note, that we are a non-product, non-vendor biased security
conference and do not welcome vendor pitches in the conference talks or
trainings. We will provide an opportunity for vendor self presentation
through sponsorship and vendor booths in the conference lounge, where
Note: Only firmware version major numbers are displayed on the
administration web interface: 1.20, 1.30, 1.31
Background Information:
D-Link DAP-1160 is a wireless access point that allows wireless clients
connectivity to wired networks.
Supported 802.11b and 802.11g protocols. WEP, WPA and WPA2 supported.
Summary:
Although usually the SNMP write community string must be guessed/cracked
for a SNMP injection [1] attack to work, some embedded devices come with
SNMP read/write access enabled by default. Some examples include many
ZyXEL Prestige router models [2] used in residential and SOHO networks,
and also products used in corporate and government environments such as
the Proxim Tsunami MP.11 2411 Wireless Point-to-Multipoint System.
- From Proxim Tsunami MP.11 2411's user manual:
"
SNMP Read/Write Community Password
Remote exploitation of an information disclosure vulnerability in Oral B’s SmartGuide management system allows attackers to obtain sensitive information.
This vulnerability exists due to a lack of authentication between the toothbrush and the monitoring device. The simple association key is easily compromised, allowing the toothbrush and monitoring device to be spoofed by a malicious attacker.
There is also a possible wireless denial of service where a malicious attacker could stop the radio feedback and monitoring.
The trashbin feature of the SmartMonitor device does not overwrite deleted data.
III. ANALYSIS
Risk Level:
Medium - Spoofed image injection, redirection of uploaded content,
remote DoS of Eye-Fi service.
Summary:
The Eye-Fi is an instant solution to add wireless upload capability to
any digital camera that supports an SD card. In the version of software
tested, the solution has numerous vulnerabilities that can allow
unauthorized image uploads to a PC, remotely altering the destination
folder, remote crashing of the Eye-Fi service, and more.
#ATI security Group has discovered a Denial of Service Vulnerability in the Belkin Wireless G Router.
#Vulnerability: Denial of Service (SYN FLOOD)
#Simple Dork: http://RouterIp (DoS SYN FLOOD on ROUTER)
#Vulnerable Product; Belkin Wireless G Router
Router Model #F5D7230-4
#Tested on; Belkin Wireless G F5D7230-4
Additional info
---------------
This vulnerability has been found using a novel wireless fuzzing
approach developed in a joint project by the Secure Systems Lab
(Technical University of Vienna) and the SEC Consult Vulnerability Lab.
The technique, which allows very effective stateful fuzzing of wireless
drivers by using emulated wireless chipsets, will be presented in detail
on the Blackhat Briefings Japan [2] as well as the DeepSec IDSC in
Maybe I am making a huge mistake by responding to your message, but
let's see. This is what I think about security in depth in a bit more
detail.
Let's say that we have a wireless network which is guarded by "security
in depth" network administrators. The first thing they will do is to
secure the actual network by some massive segmentation exercises...
then the connection with enhanced privacy/encryption schemes (WPA2).
They will put more layers on the top of that. For example, the users
need to authenticate with client-side certificates. Now the network
# 3G/3.5G/4G Cellular Networks
# Apple / OS X vulnerabilities
# SS7/Backbone telephony networks
# Smart Card Security and Biometric Systems
# UMTS, HSDPA, GPRS and CDMA Security
# Security of Wimax, WLAN, Bluetooth, GPS and other wireless technology
# Analysis of network and security vulnerabilities
# Firewall and Intrusion detection technology
# Data Recovery and Incident Response
# Network Protocol and Analysis
# Analysis of malicious code
Secure Network - Security Research Advisory
Vuln name: HTTP Basic Authentication Bypass
Systems affected: Boa/0.93.15 (with Intersil Extensions) based systems (i.e. FreeLan 802.11g Wireless Access Point (RO80211G-AP))
Severity: High
Local/Remote: Remote
Vendor URL: http://www.boa.org - http://isl3893.sourceforge.net - http://www.roper-europe.com
Author(s): Luca "ikki" Carettoni - luca.carettoni@securenetwork.it, Claudio "paper" Merloni - claudio.merloni@securenetwork.it
Vendor disclosure: 24th August 2007
Vendor acknowledged: -
- Real-time data structure recovery
- Reverse engineering (malicious code analysis technique, vulnerability research)
- Intrusion detection and anti-detection technique
- Traffic analysis
--- Wireless & VoIP security
- 802.11x, CDPD, Bluetooth, WAP/TDMA, GSM, SMS
- PDA & mobile protocol analysis
- Palm, Pocket Pc
- Wireless gateway
- VoIP security & vulnerability analysis
> - Reverse engineering (malicious code analysis technique,
> vulnerability research)
> - Traffic analysis
> - Intrusion detection and anti-detection technique
>
> --- Wireless & VoIP security
> - 802.11x, CDPD, Bluetooth, WAP/TDMA, GSM, SMS
> - PDA & mobile protocol analysis
> - Palm, Pocket Pc
> - Wireless gateway
> - VoIP security & vulnerability analysis
PRODUCT:
---------------------------------------------------
The Cisco WLC 4402 is a Wireless LAN Controller, which is manageable via
an integrated embedded webserver (emweb httpd).
AFFECTED VERSIONS:
>> - Reverse engineering (malicious code analysis technique,
>> vulnerability research)
>> - Traffic analysis
>> - Intrusion detection and anti-detection technique
>>
>> --- Wireless & VoIP security
>> - 802.11x, CDPD, Bluetooth, WAP/TDMA, GSM, SMS
>> - PDA & mobile protocol analysis
>> - Palm, Pocket Pc
>> - Wireless gateway
>> - VoIP security & vulnerability analysis
Vulnerability present also on firmware ver.3.04.03 (US)
Other models and/or firmware versions may be also affected.
Background Information:
Linksys WAP54G is a wireless access point that allows wireless clients
connectivity to wired networks.
Supported 802.11b and 802.11g protocols, with data rates up to 54Mbit/s.
Summary:
Background
==========
NDISwrapper is a Linux kernel module that enables the use of Microsoft
Windows drivers for wireless network devices.
Affected packages
=================
-------------------------------------------------------------------
Your submission should include:
# Name, title, address, email and phone/contact number
# Short biography, qualification, occupation (limit 250 words)
# Summary or abstract for your presentation (limit 1250 words)
# Technical requirements (video, internet, wireless, audio, etc.)
Each non-resident speaker will receive accommodation for 3 nights / 4
days. For each non-resident speaker, HITB will cover travel expenses up
to USD 1,200.00.
SF> ActiveSync is executed during startup, it is always running - even if
SF> the system is locked.
SF> As a result, a Windows Mobile device can be plugged into a USB
SF> port, from which an attack can be launched. In addition, if the device
SF> has never been synced to the host PC, any wireless card will remain
SF> enabled. As a result, an attacker can connect a device into a PC's USB
SF> port, hide it nearby, establish a wireless connection and remotely
SF> control the device.
SF> An example attack scenario is as follows: connect USB device,
users with a limited number of free IPs.
* MALTEGO - The guys over at Paterva did outstanding work with
Maltego 2.0.2 - which is featured in BackTrack as a community edition.
* The latest mac80211 wireless injection patches are applied, with
several custom patches for rtl8187 injection speed enhancements.
Wireless injection support has never been so broad and functional.
* Unicornscan - Fully functional with postgres logging support and
a web front end.
The MiFi by Novatel Wireless (re-branded and sold by multiple vendors
such as Sprint and Verizon) is a mobile wifi hotspot. The mifi also has
a built in GPS to provide location based searching.
Turns out that the web interface to this little device has a lot going
on that can be exploited, from gaining the user’s GPS data to
terminating the user’s connectivity. The POC isn't online yet due to
vendor lag but it's not all that complicated if you have a MiFi and a
few minutes.
Some Ralinktech wireless card drivers suffer from an integer overflow. Sending a
malformed 802.11 Probe Request packet, with no care about the victim's MAC\BSS\SSID, can cause
remote code execution in kernel mode.
In order to exploit this issue, the attacker should send a Probe
Request packet with SSID length bigger than 128 bytes (but less than 256) when the victim's card is in ADHOC mode.
The attacker need not be on the same network nor even know the MAC\BSS\SSID; he can just send it broadcast.
Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the latest driver version.
Status: Unpatched, vulnerability reported to vendor.
information.
Background
==========
Wicd is an open source wired and wireless network manager for Linux.
Affected packages
=================
-------------------------------------------------------------------
- Reverse engineering (malicious code analysis technique,
vulnerability research)
- Traffic analysis
- Intrusion detection and anti-detection technique
--- Wireless & VoIP security
- 802.11x, CDPD, Bluetooth, WAP/TDMA, GSM, SMS
- PDA & mobile protocol analysis
- Palm, Pocket Pc
- Wireless gateway
- VoIP security & vulnerability analysis
Cisco Video Surveillance 2500 Series IP Cameras contain an
information disclosure vulnerability. An authenticated user may be
able to access a vulnerable camera and view any file through the
embedded web server on TCP ports 80 (HTTP) and/or 443 (HTTPS),
depending on the camera configuration. This vulnerability is
documented in Cisco Bug IDs CSCsu05515 and CSCsr96497 (Wireless
Cameras) and has been assigned Common Vulnerabilities and Exposures
(CVE) identifier CVE-2009-2046.
Vulnerability Scoring Details
=============================
Hi!
This bug was found in the USR5463 802.11g Wireless Router.
<!--
Author: SH4V
BUG: permanent XSS
Firmware: USR5463-v0_01.bin - USR5463-v0_06.bin
Router: USR5463 802.11g Wireless Router
Company: US Robotics