Dailydave mailing list archives

Re: Cisco and Vocera wireless LAN VoIP devices don't check certificates


From: "George Ou" <george_ou () lanarchitect net>
Date: Thu, 21 Feb 2008 13:19:10 -0800

Sure, if the client does not lock down the "server name" subject field in
the certificate, and the certificate authority isn't locked down to an
internal CA, then it's as good as wide open.  The EAP clients are very hard
to properly configure, unlike the typical web browser, which automatically
compares the certificate subject field to the URL address.

This Vocera/Cisco case is much worse though, since no amount of care in the
deployment is going to help you.  The client makes zero effort to verify the
certificate due to CPU resource limitations in these wireless embedded
devices.


George

-----Original Message-----
From: Joshua Wright [mailto:jwright () hasborg com] 
Sent: Thursday, February 21, 2008 6:26 AM
To: George Ou
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Cisco and Vocera wireless LAN VoIP devices don't
check certificates

| That means you can basically put up your own bogus access point with a rogue
| RADIUS backend with your own self-signed digital certificate claiming it's
| the same as the certificate the client is used to seeing.  Since the client
| never bothers to cryptographically check the signature, it thinks it's
| talking to the right server and it will send its hashed password or PIN to
| the server making it very easy to crack.

Similarly, if you have a valid certificate for RADIUS from a trusted CA
for any organization, you can impersonate other legitimate RADIUS
servers and get access to inner EAP authentication credentials (MS-CHAP,
PAP and CHAP, for example).

This was the premise for the talk I gave with Brad Antoniewicz at
Shmoocon on Sunday.  FreeRADIUS WPE (Wireless Pwnage Edition) simplifies
this attack by customizing FreeRADIUS behavior and configuration:

http://www.willhackforsushi.com/FreeRADIUS_WPE.html

- -Josh
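
The two lock-downs discussed in this thread (pin the CA, pin the RADIUS server name), checked over a client configuration. This is an added example, not part of the original messages. It assumes a wpa_supplicant-style configuration file as the EAP client; the SSIDs, file paths and host names are constructed.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, paths and names are made up.
SAMPLE_CONF = '''
network={
    ssid="corp-voice"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="corp-data"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/internal-ca.pem"
}
network={
    ssid="corp-locked"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/internal-ca.pem"
    domain_suffix_match="radius.corp.example"
}
network={
    ssid="guest"
    key_mgmt=WPA-PSK
}
'''

NAME_KEYS = {"subject_match", "altsubject_match", "domain_suffix_match", "domain_match"}

def audit(conf_text):
    """Return {ssid: [problems]} for every 802.1X/EAP network block."""
    findings = {}
    for block in re.findall(r"network\s*=\s*\{(.*?)\n\}", conf_text, re.S):
        kv = dict(re.findall(r"^\s*(\w+)\s*=\s*(.+?)\s*$", block, re.M))
        if "eap" not in kv and "EAP" not in kv.get("key_mgmt", ""):
            continue  # PSK/open networks have no server certificate to check
        problems = []
        if not {"ca_cert", "ca_path"} & kv.keys():
            problems.append("no ca_cert/ca_path: server certificate is not verified")
        if not NAME_KEYS & kv.keys():
            problems.append("no server-name match: any cert from a trusted CA is accepted")
        findings[kv.get("ssid", "?").strip('"')] = problems
    return findings

if __name__ == "__main__":
    for ssid, problems in audit(SAMPLE_CONF).items():
        print(ssid, "->", problems or "ok")
```

A block that passes both checks still depends on `ca_cert` pointing at an internal CA rather than a public one, which this script cannot tell from the path alone.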
