Wi-Fi Exploits Coming to Metasploit

The open-source project plans to add 802.11 exploits to a new version of its controversial attack tool, a move that simplifies the way wireless drivers and devices are exploited.

The Metasploit Project plans to add 802.11 (Wi-Fi) exploits to a new version of its point-and-click attack tool, a move that simplifies the way wireless drivers and devices are exploited.

The controversial open-source project, created and maintained by HD Moore, of Austin, Texas, has added a new exploit class that allows modules to send raw 802.11 frames at one of the most vulnerable parts of the operating system.

In recent months, there has been an increase in public awareness around the severity of wireless driver flaws. At the August 2006 Black Hat Briefings in Las Vegas, researchers David Maynor and Jon "Johnny Cache" Ellch showed off a new technique for breaking into computers via Wi-Fi driver vulnerabilities on Windows and Mac systems.

The Black Hat demo pushed several vendors—Intel, Apple and Toshiba—to release patches and prompted Microsoft to invite Ellch to its internal BlueHat security conference to explain the risks to Redmond executives and employees.

/zimages/4/28571.gifClick here to read more about a warning that Wi-Fi-enabled computers are sitting ducks for code execution attacks.

According to Moore, Metasploit 3 will integrate kernel-mode payloads to allow users to use existing user-mode payloads for both kernel and non-kernel exploits.

Because the framework provides an easy-to-use interface for connecting vulnerabilities to actual payloads, this Metasploit gives users an avenue to target the most sensitive part of the operating system.

Moore told eWEEK he is collaborating with Ellch on an actual 802.11 exploit. The plan is to use Ellchs LORCON (Loss of Radio Connectivity) hacking tool to send exploits at Wi-Fi bugs that are haunting widely used devices and computers.

"Right now, this only supports the Linux platform, but we are planning for Windows support very soon," Moore explained.

Moore shrugged off criticisms that Metasploit gives black hat hackers all the tools needed to launch attacks, insisting that the target market can be broken into three categories.

"[This is for] penetration testers and network administrators that want to demonstrate the impact of an unpatched wireless vulnerability," he said.

Moore said security researchers looking for an easy way to investigate wireless device and driver vulnerabilities can also find value in the code, which can also be used to develop "fuzzers" for discovering new vulnerabilities.

Fuzzers, or fuzz testers, are used to pinpoint security vulnerabilities by sending random input to an application. If the program contains a vulnerability that leads to an exception, crash or server error, researchers can parse the results of the test to pinpoint the cause of the crash.

Moore, who works as director of security research at BreakingPoint Systems, in Austin, Texas, said security solution developers can also use the new Metasploit capabilities to perform QA (quality assurance) tests on their products.

"Depending on my available free time, we should have some working and useful demonstrations of this within a week," he said.

"Were close to completing work on injecting code into the Windows kernel in a way that causes it to run a standard Metasploit payload without crashing the target system," he explained.

"We need at least one solid example of a wireless driver exploit that can be used to demonstrate the system," he added.

This is where Ellchs expertise comes in.

"[Johnny] has a number of these that would work, but one in particular is both reliable and easy to demonstrate. He demonstrated [it] at the Microsoft BlueHat conference and were waiting for his go-ahead before adding the exploit code to the public source repository," Moore said.

/zimages/4/28571.gifClick here to read more about a fix for a "high risk" vulnerability in the Toshiba Bluetooth wireless device driver.

Ellch confirmed his code was being used in the Metasploit refresh, but declined an eWEEK request to comment on the extent of his involvement.

Widely regarded as an authority on wireless security issues, Ellch believes the 802.11 link-layer wireless protocol is an "overly complicated" protocol that has not been implemented securely by many vendors.

However, during his recent trip to Microsofts Redmond campus for BlueHat, he said he was happy to see the software vendor paying serious attention to Wi-Fi bugs.

"They have already re-implemented many tools similar to my own and are actively finding bugs in other vendors device drivers that they dont necessarily have access to the code for. I cant imagine a more serious response," Ellch said in an interview with eWEEK.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.