Wireless Security Key Programming Gives Wireless Users Full and Unauthenticated Access to Wireless Network
(pfSense bug #3034 silently defeats the wireless security key in the pfSense firewall: anyone can gain unfettered access to the wireless subnet even though the firewall's administrator sees the wireless security key as enabled.)
Wireless Security Key (One Security Hole Funnels Me to the Discovery of Another)
Last week, I was required to reboot one of my important Linux boxes for a necessary kernel update that fixed a buffer overflow in the Linux kernel. The flaw could allow a denial of service or, even worse, give an attacker access to kernel memory. I came across the bug while doing some research on OMAP4 support for my wife's Galaxy Nexus smartphone.
It appeared that this bug could let an attacker wreak havoc through the Broadcom tg3 Ethernet driver in the Linux kernel, which was installed on a desktop of mine sitting on the wireless edge of my network.
Being concerned about security, I decided to upgrade my kernel to linux-image-3.2. A reboot was required, so I scheduled some time to do it after hours.
Wireless Security Key (The Upgrade Funnel)
To my surprise, I was unable to log in as the sudo user that I used for administration!
I double-checked the password list that I store in my safe (a big old thing). Sure enough, I was typing in the right password, and I was pretty damn sure that I had not changed it without updating my password journal.
Caps Lock was not on, but I still could not gain access. I swapped out the keyboard (easy enough): same problem.
Wireless Security Key (Am I Losing My Mind?)
Next, I dug in, booted from a CD, and checked my logs: /var/log/auth.log showed that the password had been changed.
Ok, I thought, I must have forgotten.
Then I noticed the TIME! It was changed at 2:30:16. (The change had occurred in the middle of the night!)
No one else had sudo access to the Linux password-change utility (passwd). I had been HACKED!
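The auth.log check above is the kind of offline triage that is worth scripting, so that a password change at an odd hour, or one that no administrator's sudo invocation explains, is flagged rather than noticed by luck. The following is an added example and not code from the original post: the log lines are constructed in Ubuntu's syslog/pam_unix/sudo format (they are not the author's real log), and the working-hours window and the admin account name are assumptions for the example.

```python
"""Offline triage of an auth.log for unexplained password changes.

Added example; not code from the original post. The log lines below are
constructed in Ubuntu's syslog/pam_unix/sudo format (not the author's real
log). The working-hours window and the admin account name are assumptions.
"""
import re
from datetime import datetime, timedelta

# Syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# pam_unix records a successful password change (chauthtok) like this.
CHANGED_RE = re.compile(r"pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)")
# sudo records the invoking user and the exact command it ran as root.
SUDO_RE = re.compile(r"^\s*(?P<who>\S+) : .*COMMAND=(?P<cmd>\S+)(?P<args>.*)$")

# Constructed sample: one legitimate admin-driven change during the day,
# one change of the admin's own password at 02:30 that nothing explains.
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 kiosk sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/passwd devuser
Mar  4 09:12:01 kiosk sudo: pam_unix(sudo:session): session opened for user root by admin(uid=0)
Mar  4 09:12:07 kiosk passwd[2231]: pam_unix(passwd:chauthtok): password changed for devuser
Mar  5 02:30:16 kiosk passwd[4410]: pam_unix(passwd:chauthtok): password changed for admin
Mar  5 08:00:03 kiosk sshd[4502]: Accepted publickey for backup from 10.0.0.5 port 51234 ssh2
""".splitlines()


def _stamp(m):
    # Syslog lines carry no year; strptime defaults to 1900, which is fine
    # for measuring gaps between lines of the same file.
    return datetime.strptime(f"{m['mon']} {int(m['day'])} {m['time']}", "%b %d %H:%M:%S")


def parse_events(lines):
    """Return password-change and sudo-passwd events, in file order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg, when = m["msg"], _stamp(m)
        c = CHANGED_RE.search(msg)
        if c:
            events.append({"kind": "changed", "user": c["user"], "when": when})
            continue
        s = SUDO_RE.match(msg) if m["prog"] == "sudo" else None
        if s and s["cmd"].rsplit("/", 1)[-1] == "passwd":
            # `sudo passwd` with no argument changes root's password.
            target = s["args"].split()[0] if s["args"].split() else "root"
            events.append({"kind": "sudo_passwd", "who": s["who"], "user": target, "when": when})
    return events


def suspicious(events, work_hours=(7, 20), admins=("admin",), window=timedelta(seconds=60)):
    """Flag password changes that happened off-hours, or that no admin's
    sudo passwd invocation within `window` beforehand explains.
    work_hours, admins and window are assumptions for this example."""
    flagged = []
    for e in events:
        if e["kind"] != "changed":
            continue
        reasons = []
        if not (work_hours[0] <= e["when"].hour < work_hours[1]):
            reasons.append("off-hours")
        explained = any(
            s["kind"] == "sudo_passwd" and s["who"] in admins and s["user"] == e["user"]
            and timedelta(0) <= e["when"] - s["when"] <= window
            for s in events
        )
        if not explained:
            reasons.append("no matching sudo passwd invocation")
        if reasons:
            flagged.append({"user": e["user"], "time": e["when"].strftime("%H:%M:%S"), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in suspicious(parse_events(SAMPLE_AUTH_LOG)):
        print(f"{f['time']} password changed for {f['user']}: {', '.join(f['reasons'])}")
```

Run against a real /var/log/auth.log the same way (read the file into a list of lines). The sudo correlation only catches changes made through sudo on the same host; a change made by an attacker who already had a root shell leaves only the pam_unix line, which is exactly why the off-hours rule is kept as an independent signal.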
Wireless Security Key (Sigh, “A Developer Interrupts Me with a Laptop Problem”)
About that time an employee came to me with a laptop that needed a reinstall. It was an important developer's laptop, so I quickly swapped the existing drive for a freshly imaged one and synced his files from the server in a record time of 10 minutes; I had to get back to the issue at hand!
In my rush, I checked that the internet was working (a quick reflex) before I had added the wireless pre-shared key to the laptop.
Wireless Security Key (The Error that Leads Me to the Discovery)
My heart started pounding when I realized my mistake.
At the same instant that I brought up a web browser on the laptop and ran a random search, I realized I had not entered the pre-shared key for the wireless network.
But WAIT, had the laptop just joined my network?
No shared key, but full network access? I put two and two together.
Wireless Security Key (I Had Been Hacked!)
My wireless had been hacked and my kiosk desktop had been hacked!
I knew that the wireless access point on the pfSense firewall had a WPA2/PSK key configured (and let me tell you, it was a long one).
My first thought was that they had hacked the firewall and somehow disabled the security.
Wireless Security Key (Narrowing Down the Cause)
In response, I backed up the router's configuration to an XML file, took my backup firewall, and flashed the latest pfSense image onto it (leaving the old one offline for further analysis, where it could do no harm).
I installed the flash card in the router, copied the configuration onto it, and booted it. To my surprise, it had the SAME problem.
The client did not have the shared key and yet had full network access!
Wireless Security Key (Root Cause)
The configuration showed WPA2/PSK as enabled and active! I had discovered an unintentional overflow in my configuration. It took me nearly 4 hours to figure out that it was triggered by the shared key being too long: it was approximately 54 digits in length.
Somehow, this caused the key to fall back to a zero-length password, without any warning message!
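The practitioner lesson from this root cause is that a configuration front end must fail closed: a key it cannot store should be rejected with an error, and the configuration actually handed to the access point daemon should be re-checked before the radio comes up, so that "WPA2/PSK enabled" in the GUI can never coexist with an empty key on the air. Per IEEE 802.11i a passphrase may be 8 to 63 printable ASCII characters (or the PSK may be given directly as 64 hex digits), so a 54-character key is within spec and the defect was in how the configuration handled it, which is why the check validates the rendered config as well as the input. The following is an added example, not pfSense's or hostapd's code. It assumes the AP is driven by a hostapd-style config (pfSense runs hostapd for its access-point mode); the `simulate_truncate_at` parameter is a hypothetical knob that reproduces the "over-long key becomes empty" failure mode for the demonstration and is not how pfSense's bug worked. `derive_psk` is the standard 802.11i PBKDF2 derivation, included because configuring the derived 64-hex `wpa_psk` instead of the passphrase sidesteps passphrase-length handling entirely.

```python
"""Validate a WPA2-PSK key and fail closed if it would be silently dropped.

Added example; not pfSense's or hostapd's code. simulate_truncate_at is a
hypothetical parameter that models the failure mode described in the post
(an over-long key ending up empty); it is not how the real bug worked.
"""
import hashlib

# IEEE 802.11i: passphrase is 8..63 printable ASCII (32..126);
# a raw PSK is exactly 64 hex digits (256 bits).
PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63
PSK_HEX_LEN = 64


class WpaKeyError(ValueError):
    pass


def key_kind(key):
    """'psk' for a 64-hex raw PSK, 'passphrase' for a valid passphrase, else None."""
    if len(key) == PSK_HEX_LEN and all(c in "0123456789abcdefABCDEF" for c in key):
        return "psk"
    if PASSPHRASE_MIN <= len(key) <= PASSPHRASE_MAX and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"
    return None


def derive_psk(ssid, passphrase):
    """802.11i PSK derivation: PBKDF2-HMAC-SHA1, salt=SSID, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def render_hostapd(ssid, key, simulate_truncate_at=None):
    """Render the WPA2-PSK part of a hostapd config for `ssid`."""
    if simulate_truncate_at is not None and len(key) > simulate_truncate_at:
        key = ""  # hypothetical model of the bug: over-long key silently becomes empty
    key_line = f"wpa_psk={key}" if key_kind(key) == "psk" else f"wpa_passphrase={key}"
    return "\n".join([
        "interface=wlan0",
        f"ssid={ssid}",
        "wpa=2",
        "wpa_key_mgmt=WPA-PSK",
        "rsn_pairwise=CCMP",
        key_line,
    ]) + "\n"


def verify_hostapd_conf(text):
    """Fail-closed check of a rendered config. Returns (ok, reason)."""
    kv = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#") or "=" not in raw:
            continue
        k, v = raw.split("=", 1)
        kv[k.strip()] = v.strip()
    if kv.get("wpa") != "2" or "WPA-PSK" not in kv.get("wpa_key_mgmt", "").split():
        return False, "WPA2-PSK is not enabled in the rendered config"
    if key_kind(kv.get("wpa_passphrase", "")) == "passphrase":
        return True, "passphrase present"
    if key_kind(kv.get("wpa_psk", "")) == "psk":
        return True, "raw PSK present"
    return False, "no usable key in rendered config: the AP would come up open"


def check(ssid, key, simulate_truncate_at=None):
    """Validate the input key, render, and re-verify. Returns (ok, reason, conf)."""
    if key_kind(key) is None:
        return False, (f"rejecting key of length {len(key)}: must be {PASSPHRASE_MIN}-{PASSPHRASE_MAX} "
                       f"printable ASCII characters or {PSK_HEX_LEN} hex digits"), None
    conf = render_hostapd(ssid, key, simulate_truncate_at)
    ok, why = verify_hostapd_conf(conf)
    return ok, why, conf


def bring_up(ssid, key, simulate_truncate_at=None):
    """Return the config to start hostapd with, or raise rather than start an open AP."""
    ok, why, conf = check(ssid, key, simulate_truncate_at)
    if not ok:
        raise WpaKeyError(f"refusing to start AP: {why}")
    return conf


if __name__ == "__main__":
    long_key = "K" * 54                      # in spec, like the post's key
    print(check("lab", long_key)[:2])        # (True, 'passphrase present')
    print(check("lab", long_key, simulate_truncate_at=52)[:2])   # rejected, not silently open
    print(check("lab", "x" * 70)[:2])        # rejected at input
    print("wpa_psk=" + derive_psk("lab", long_key))  # length-proof alternative
```

The input validation alone would not have caught the post's case, since 54 characters is legal; the second check on the rendered config is the one that refuses to start the AP with an empty key. Writing the derived 64-hex `wpa_psk` instead of the passphrase is the simplest way to stay clear of any front end's passphrase handling.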
Wireless Security Key (The Email & The Record Time Response)
I emailed pfSense with an urgent notice.
Only 5 days later, the patch had already been added to the pfSense 2.1 release!!!
Thanks for the quick fix guys!
Wireless Security Key (On to the Next Security Flaw)
Now to discover how they pulled off sudo or root access to the passwd command!
Maybe some more offline forensics might lead me to find the next big security hole in Ubuntu!
Time to patch your pfSense firewalls! Hope this helps some other people!