
Windows Wi-Fi Flaw Lets Others See Your Stuff

 
 
frankdowling1@yahoo.com
Guest
Posts: n/a

 
      01-19-2006, 08:47 AM
Am I missing something?
Wasn't this sort of obvious all along?

News Flashes about a serious Windows Wireless Security Hole
"Windows Wi-Fi Flaw Lets Others See Your Stuff

Windows XP and 2000's techniques for looking for wireless connections
can be used by attackers to read unsuspecting targets' hard drives.

By Gregg Keizer
TechWeb News

Jan 17, 2006 05:49 PM

A security researcher warned over the weekend that the way Windows XP
and 2000 look for wireless connections can be used by hackers to dip
into unsuspecting users' hard drives.

Calling the flaw a "configuration error" rather than a true
vulnerability, researcher Mark Loveless claimed that when Windows
powers up but doesn't find a wireless access point, it creates an ad
hoc network, complete with the SSID, the Wi-Fi network identifier, like
"linkysys" or "actiontec," of the last network connection.

Other laptops, when set to sniff for the same SSID, can listen for such
connections, and when they find one, create a peer-to-peer link between
the two PCs, said Loveless. Once connected, the attacker could
conceivably introduce malicious code and/or access files on the
laptop's hard drive.

"In Windows 2000 and Windows XP and [XP] SP1, this all happens in the
background without the user's knowledge,"

 
 
 
 
 
David Taylor
Guest
Posts: n/a

 
      01-19-2006, 12:48 PM
> Wasn't this sort of obvious all along ?

Yep, I don't see it as any worse than sniffing for the AP's that the
machine is searching for and then setting up a honeypot AP with a
matching SSID.

Machine will connect if the security settings are appropriate, typically
blank if the user has visited a hotspot and you're in.

The degree to which files can be viewed will depend on personal firewall
settings and password strength which is no different in principle to how
securely people leave their car. Most are happy to lock it and walk
away with the windows letting people see what's inside. Well ok, not
the best analogy but the whole security picture hasn't been portrayed in
that article but then if it were, it wouldn't seem as sensational would
it?

David.
 
 
William P.N. Smith
Guest
Posts: n/a

 
      01-19-2006, 01:00 PM
"(E-Mail Removed)" <(E-Mail Removed)> wrote:
>Calling the flaw a "configuration error" rather than a true
>vulnerability, researcher Mark Loveless claimed that when Windows
>powers up but doesn't find a wireless access point, it creates an ad
>hoc network, complete with the SSID, the Wi-Fi network identifier, like
>"linkysys" or "actiontec," of the last network connection.


I've seen that happen on XP Pro SP2, thought I was having a flashback
to the previous client, I guess I'm just glad it was my computer
having a flashback. 8*)

Does the author mention how to configure your way out of it?
 
 
frankdowling1@yahoo.com
Guest
Posts: n/a

 
      01-19-2006, 10:03 PM
Microsoft Windows Silent Adhoc Network Advertisement

Platforms : Windows 2000/XP/2003
Application: Wireless Network Connection
(aka Microsoft Wireless Client)
Severity : High (albeit lame)

Synopsis
--------

This advisory documents an anomaly involving Microsoft's Wireless Network
Connection. If a laptop connects to an ad-hoc network it can later start
beaconing the ad-hoc network's SSID as its own ad-hoc network without the
laptop owner's knowledge. This can allow an attacker to attach to the laptop
as a prelude to further attack.


Details
-------

The following is a sample scenario:

- Alice has a wireless access point at home with an SSID of "linksys", which
  she has successfully set up and connected to with her laptop.
- Alice goes to the airport (or train station or coffee shop) and opens her
  laptop.
- Bob, who is sitting next to Alice, has a laptop configured with an ad-hoc
  network advertising an SSID of "linksys".
- Alice's laptop when started looks for the SSID of "linksys", and attaches to
  Bob's ad-hoc network.
- The next time Alice boots up the laptop when the Ethernet cable is not
  attached and there is no "linksys" SSID in range, Alice starts advertising
  an ad-hoc network with an SSID of "linksys".

This is basically a configuration error that spreads virus-like from laptop to
laptop. In field tests, numerous ad-hoc SSIDs such as "linksys", "dlink",
"tmobile", "hpsetup", and others have been documented.

Yes this is lame. I know this...

Here is collected data from 4 domestic flights within the U.S. conducted during
September and October 2005. The data was collected using NetStumbler, NMap,
and Metasploit Framework [4] from a laptop running Windows XP:

Aircraft  Laptops*  Ad-hoc Nets**  Live Targets  Vulnerable***
--------  --------  -------------  ------------  -------------
MD80      8         2              3             1
MD80      12        5              5             4
757       22        1              3             3
MD80      14        4              4             3

*   Number of laptops out and running at approximately the halfway point of the
    flight.
**  In some cases, an ad-hoc network would form and other laptops would attach
    to it instead of advertising their own ad-hoc network.
*** A system was classified as vulnerable if it could be remotely compromised
    or it was open enough to allow files to be copied to or from the hard
    drive. Vulnerabilities included CVE-2005-0059 (MS05-017), CVE-2005-1983
    (MS05-039), open shares, and NULL access.


William P.N. Smith wrote:
> "(E-Mail Removed)" <(E-Mail Removed)> wrote:
> >Calling the flaw a "configuration error" rather than a true
> >vulnerability, researcher Mark Loveless claimed that when Windows
> >powers up but doesn't find a wireless access point, it creates an ad
> >hoc network, complete with the SSID, the Wi-Fi network identifier, like
> >"linkysys" or "actiontec," of the last network connection.

>
> I've seen that happen on XP Pro SP2, thought I was having a flashback
> to the previous client, I guess I'm just glad it was my computer
> having a flashback. 8*)
>
> Does the author mention how to configure your way out of it?
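The behaviour in the advisory above can be spotted in a passive wireless survey of your own site: an ad-hoc beacon sets the IBSS bit (and clears the ESS bit) in the 802.11 Capability Information field. The following is an added example, not part of the original post or advisory; it assumes raw beacon frames with no radiotap header or FCS, and the sample frames are constructed.

```python
import struct

# Capability Information bits in an 802.11 beacon body.
CAP_ESS, CAP_IBSS = 0x0001, 0x0002
# SSIDs the advisory lists as seen ad-hoc; extend with your own site's SSIDs.
WATCHED = {"linksys", "dlink", "tmobile", "hpsetup"}

def parse_beacon(frame: bytes):
    """Return (source_mac, ssid, is_adhoc) for a beacon frame, else None."""
    if len(frame) < 36 or frame[0] != 0x80:    # type 0 (mgmt), subtype 8 (beacon)
        return None
    src = frame[10:16].hex(":")                # addr2 = transmitter
    (cap,) = struct.unpack_from("<H", frame, 34)  # after timestamp + interval
    ssid, pos = None, 36
    while pos + 2 <= len(frame):               # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + length]
        if len(body) < length:
            return None                        # truncated element
        if tag == 0:                           # element ID 0 = SSID
            ssid = body.decode("utf-8", "replace")
            break
        pos += 2 + length
    if ssid is None:
        return None
    return src, ssid, bool(cap & CAP_IBSS) and not cap & CAP_ESS

def adhoc_advertisers(frames):
    """List (mac, ssid) of stations beaconing a watched SSID as ad-hoc."""
    hits = set()
    for f in frames:
        parsed = parse_beacon(f)
        if parsed and parsed[2] and parsed[1].lower() in WATCHED:
            hits.add(parsed[:2])
    return sorted(hits)

def _beacon(src, ssid, cap):
    """Build a constructed sample beacon (BSSID set equal to src for brevity)."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + src + src + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, cap)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode()

SAMPLES = [  # constructed frames, not captured traffic
    _beacon(bytes.fromhex("02aabbccdd01"), "linksys", CAP_IBSS),  # laptop, ad-hoc
    _beacon(bytes.fromhex("001122334455"), "linksys", CAP_ESS),   # real AP
    _beacon(bytes.fromhex("02aabbccdd02"), "homenet", CAP_IBSS),  # not watched
]

if __name__ == "__main__":
    for mac, ssid in adhoc_advertisers(SAMPLES):
        print(f"ad-hoc beacon for '{ssid}' from {mac}")
```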


 
 
dold@XReXXWindo.usenet.us.com
Guest
Posts: n/a

 
      01-19-2006, 11:00 PM
William P.N. Smith <(E-Mail Removed)> wrote:
> Does the author mention how to configure your way out of it?


WinXP-Sp2. Network Connections, right click on the wireless network,
properties, "Wireless Networks" tab at the top, "Advanced" in the lower
right. Select "Access Point only".

If you are using some client manager rather than "Use Windows to
configure", there should be some corresponding setting.

This would help you with this particular exploit, but as David notes, you
might fall prey to some other unsecured network name that you automatically
connect to. "tmobile" might be a good guess at a SSID that you would want
to connect to with no credentials.

On the page where you clicked "advanced", there is a list of Preferred
networks. Things like tmobile should be noted as (on demand), not
(Automatic). If you have security enabled, automatic is okay.

--
---
Clarence A Dold - Hidden Valley (Lake County) CA USA 38.8,-122.5
 
 
frankdowling1@yahoo.com
Guest
Posts: n/a

 
      01-19-2006, 11:20 PM
from the original article:
Solution/Workaround
-------------------

Until Microsoft releases Service Packs for the affected platforms, use one of
the following three workarounds:

Workaround #1:

Disable wireless when not in use. Simple, eh?

Workaround #2:

Use an alternate Wireless Client Manager, (e.g. for an integrated Intel Wifi
connector, use Intel PROSet/Wireless) as all others tested do not seem to
have the problem (this testing was not all-inclusive).

Workaround #3 (recommended):

1. Click on the Wireless option in the System Tray and open the Wireless
   Network Connection window.
2. Click on "Change advanced settings".
3. In the Wireless Network Connection Properties window, click on the Wireless
   Networks tab.
4. Click on the Advanced button.
5. Click on "Access point (infrastructure) networks only"

This workaround prevents you from connecting to any ad-hoc network in the
first place.




(E-Mail Removed) wrote:
> William P.N. Smith <(E-Mail Removed)> wrote:
> > Does the author mention how to configure your way out of it?

>
> WinXP-Sp2. Network Connections, right click on the wireless network,
> properties, "Wireless Networks" tab at the top, "Advanced" in the lower
> right. Select "Access Point only".
>
> If you are using some client manager rather than ""Use Windows to
> configure", there should be some corresponding setting.
>
> This would help you with this particular exploit, but as David notes, you
> might fall prey to some other unsecured network name that you automatically
> connect to. "tmobile" might be a good guess at a SSID that you would want
> to connect to with no credentials.
>
> On the page where you clicked "advanced", there is a list of Preferred
> networks. Things like tmobile should be noted as (on demand), not
> (Automatic). If you have security enabled, automatic is okay.
>
> --
> ---
> Clarence A Dold - Hidden Valley (Lake County) CA USA 38.8,-122.5
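The two checks discussed above (no ad-hoc networks, and no unsecured network set to connect automatically) can be audited across saved profiles. The following is an added example, not part of the original posts or advisory; it assumes a Windows version that has `netsh wlan export profile` (Vista and later, not the XP-era dialog described above), and the sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
ADHOC = "ad-hoc (IBSS) profile"
OPEN_AUTO = "unsecured network that connects automatically"

def audit_profile(xml_text):
    """Return (profile_name, findings) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)

    def text(path):
        return (root.findtext(path, default="", namespaces=NS) or "").strip()

    findings = []
    if text("w:connectionType") == "IBSS":      # ESS would be infrastructure
        findings.append(ADHOC)
    sec = "w:MSM/w:security/w:authEncryption/"
    unsecured = (text(sec + "w:authentication") == "open"
                 and text(sec + "w:encryption") == "none")
    if unsecured and text("w:connectionMode") == "auto":
        findings.append(OPEN_AUTO)
    return text("w:name"), findings

def audit_all(profiles):
    """Map profile name -> findings, keeping only profiles with findings."""
    results = dict(audit_profile(p) for p in profiles)
    return {name: found for name, found in results.items() if found}

def _sample(name, ctype, mode, auth, enc):
    """Constructed profile in the layout `netsh wlan export profile` writes."""
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>
  <connectionType>{ctype}</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication><encryption>{enc}</encryption>
  </authEncryption></security></MSM>
</WLANProfile>"""

SAMPLES = [  # constructed profiles, not exported from a real machine
    _sample("hpsetup", "IBSS", "manual", "open", "none"),
    _sample("tmobile", "ESS", "auto", "open", "none"),
    _sample("homenet", "ESS", "auto", "WPA2PSK", "AES"),
]

if __name__ == "__main__":
    for name, found in audit_all(SAMPLES).items():
        print(f"{name}: {'; '.join(found)}")
```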


 
 
William P.N. Smith
Guest
Posts: n/a

 
      01-20-2006, 01:07 AM
(E-Mail Removed) wrote:
>William P.N. Smith <(E-Mail Removed)> wrote:
>> Does the author mention how to configure your way out of it?


>WinXP-Sp2. Network Connections, right click on the wireless network,
>properties, "Wireless Networks" tab at the top, "Advanced" in the lower
>right. Select "Access Point only".


> [Also turn off generic SSIDs that might be spoofed, 'linksys' etc]


Thanks!
 
 
David Taylor
Guest
Posts: n/a

 
      01-20-2006, 07:10 AM
> connect to. "tmobile" might be a good guess at a SSID that you would want
> to connect to with no credentials.


You don't even need to guess, you can either watch the list of AP's
probed for with something like Kismet or if you're feeling really lazy,
just fire up hotspotter which is designed to listen to these probes and
then assume the SSID accordingly, automatically. It already has a huge
list of typical SSID's to listen to.

David.
 
 
RadAct
Guest
Posts: n/a

 
      01-20-2006, 03:48 PM

"David Taylor" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) d.com...
> > connect to. "tmobile" might be a good guess at a SSID that you would want
> > to connect to with no credentials.

>
> You don't even need to guess, you can either watch the list of AP's
> probed for with something like Kismet or if you're feeling really lazy,
> just fire up hotspotter which is designed to listen to these probes and
> then assume the SSID accordingly, automatically. It already has a huge
> list of typical SSID's to listen to.
>
> David.


I use Boingo. Does a great job of finding signals.


 
 
David Taylor
Guest
Posts: n/a

 
      01-20-2006, 05:08 PM
> I use Boingo. Does a great job of finding signals.

It doesn't act like an access point though and respond to probing
clients does it?
 