Trango Broadband Wireless Interception

Type packetstorm
Reporter Blair
Modified 2009-12-15T00:00:00


Trango Broadband Wireless  
M5830 Series Rogue SU Authentication Bug  
Date : 15 December, 2009  
By: Blair -  
Trango Broadband ( produce a line of unlicensed  
5.3/5.8 GHz point-to-multipoint broadband wireless radios which are used  
by many wireless ISPs around the world to provide internet and private  
office services to hard-to-reach customers.  
Currently there is a flaw in the authentication mechanism of these radios  
which, if an attacker knows some details, can allow interception of  
ethernet packets broadcast from the Access Point to the Subscriber Unit  
and potentially allows injection into the communication from the Subscriber Unit  
to the Access Point.  
There are two parts to the 5830 series radio system, an Access Point, and  
a Subscriber Unit. Access Points are generally deployed at a radio tower  
or smaller repeater sites, and the Subscriber Units on a clients building.  
The radios are designed to be mounted externally, and have a single  
ethernet feed and integrated antenna.  
These radios are straight ethernet bridges; there is no routing  
functionality built into the radio software, which adds to the ease of  
This attack focuses on the Subscriber Unit (SU) end; however, if one knows  
the correct information, one could potentially configure a rogue Access  
Point and MiTM a target as well, though this is not the topic of this  
The Problem  
The Access5830 series of radios contains a flaw in the authentication of  
subscriber units. This flaw has been fixed in the 900MHz and 2.4GHz  
products, where the APID and SUID system has changed significantly  
and an SU is assigned an ID when it connects, and only if its  
MAC is in the SUDB. Trango has neglected to bring this functionality  
to the older 5800 series radios, nor have they introduced new hardware  
implementing this functionality in the 5.8GHz spectrum.  
When a new subscriber is added, the MAC address of their SU device is  
entered into the Subscriber Database (SUDB) on the Access Point, and they  
are assigned an arbitrary numeric Subscriber ID or SUID in the range of  
1-8190 by the Administrator. This SUID is configured on the SU device,  
along with the APID and BaseID of the Access Point. For most situations,  
the APID and BaseID are the same.  
The bug lies in the synchronization of any SU in the SUDB by the AP.  
Once an SU has been synchronized to the AP with the correct MAC  
address, any further attempts by another SU of the same SUID but with  
a different MAC address to synchronize will succeed.  
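As an added illustration (not Trango firmware and not code from this advisory), the following Python model contrasts the synchronization check the advisory describes with one that binds the SUID to the registered MAC on every attempt, plus an audit helper an operator could run over sync records to spot a SUID accepted from more than one MAC; the SUDB layout, method names and MAC values are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AccessPoint:
    # Hypothetical SUDB: administrator-assigned SUID (1-8190) -> registered SU MAC
    sudb: dict
    # SUIDs that have completed a successful synchronization at least once
    synced: set = field(default_factory=set)
    # Audit trail of (suid, mac, accepted) for every sync attempt
    log: list = field(default_factory=list)

    def sync_flawed(self, suid, mac):
        """Model of the advisory's description: MAC only checked until first sync."""
        if suid not in self.sudb:
            ok = False
        elif suid in self.synced:
            ok = True  # MAC is no longer compared once this SUID has synced
        else:
            ok = self.sudb[suid] == mac
        if ok:
            self.synced.add(suid)
        self.log.append((suid, mac, ok))
        return ok

    def sync_hardened(self, suid, mac):
        """Binding check: SUID and MAC must match the SUDB on every attempt."""
        ok = self.sudb.get(suid) == mac
        if ok:
            self.synced.add(suid)
        self.log.append((suid, mac, ok))
        return ok

    def suids_with_multiple_macs(self):
        """Audit: SUIDs accepted from more than one MAC (a rogue-SU indicator)."""
        seen = {}
        for suid, mac, ok in self.log:
            if ok:
                seen.setdefault(suid, set()).add(mac)
        return {s: macs for s, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    # Constructed sample: SUID 100 registered to one MAC, then a second MAC tries it
    ap = AccessPoint(sudb={100: "00:11:22:33:44:55"})
    for mac in ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"):
        print(100, mac, "accepted" if ap.sync_flawed(100, mac) else "rejected")
    print("SUIDs seen from multiple MACs:", ap.suids_with_multiple_macs())
```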
When configuring and mounting an SU, you can do a frequency scan (site  
survey) from the unit, which will display the available access points  
in the area, along with their APID and BaseID - this is the information  
you will need to exploit the Trango network in the area.  
The Exploit  
To carry out this exploit you need to have an SU which is capable of  
connecting to the 5800 or 5830 AP. This would generally be a 5800 or  
5830 SU-I or SU-EXT, or one of the smaller FOX 5800 SU, or the newer FOX  
5580M-FSU - these can be found readily either buying direct from Trango,  
or from a number of wireless systems resellers. Probably good if this is  
the same type of unit as the target, though not required.  
The information you need to enter into the SU is based on whatever you  
have found via the site survey information - apsearch and survey commands  
on the radio's CLI. The full command listing and user guide can be  
downloaded from the Trango website.  
To carry out the attack, you would need to find line-of-sight and have  
good signal strength (between -40 and -80 dBm) to the target AP, and  
have knowledge of an SUID which is already connected, or try random  
numbers until you find one which works - most providers have quite a  
number of subscribers per AP so this should not be hard. Many providers  
will physically mark their SUs with the SUID and APID with a permanent  
marker, so if you have physical access to a connected SU, finding this  
information is probably trivial.  
Once you have configured the SU with the BaseID, APID and SUID and  
verified signal strength, you simply turn opmode on, and your rogue SU  
will authenticate, regardless of whether its MAC is in the SUDB.  
Once synchronized, you will start to receive traffic to the ethernet  
port of the radio as if it was the target unit. Because the unit is a  
simple bridge, you can look at this traffic with a packet capture utility  
such as Wireshark or tcpdump. Depending on signal strength, the target may  
or may not notice any loss of service or packet loss. It may be possible  
to inject packets to the network from a computer behind the rogue SUID,  
depending on the configuration of the switching and/or routing at the far  
Vendor Response  
I contacted Trango to advise them of this problem several years ago and  
they stated that they were not interested in providing a fix, as it would  
require a major rewrite of their software to implement. I believe enough  
time has passed for them to have reasonably fixed the problem, and they  
have not. So, here it is, public disclosure. Shame on you Trango, you've  
let all your customers down.  
- Blair