Wireless Client Update for Windows XP
Microsoft has finally patched the hole in their Wireless Security Client that I posted about here, as detailed on the Security Fix website here, although most would consider this a security update, Microsoft apparently does not, as it does not show up on Windows Update, even when you look under optional updates. You can read about it and install it from Microsoft’s site here.
The upshot of all this is bad guys can take advantage of these behaviors, as I wrote in January at the Shmoocon hacker conference, where security gadfly Mark “Simple Nomad” Loveless called attention to this problem. Loveless showed that by sniffing the wireless requests sent out by a target XP machine, an attacker can learn the name of a previously associated network and force the target to connect directly to the attacker’s PC, which for all intents and purposes appears to the would-be victim as just another wireless access point (assuming the victim is even paying attention during all of this.)
“In a hall of 400-500 engineers, we hijacked upwards of 100 clients instantly, enough that our Linux laptop became unstable from all the wireless traffic passing through it,” Dai Zovi recalled in a write-up sent to the Bugtraq security mailing list. “In practice, since nearly every roaming laptop has at least one unencrypted hotspot network in [its] preferred/trusted networks, almost all Windows XP and Mac OS X laptops are susceptible to this kind of attack.”
Dai Zovi continues: “The rogue access point coerces the client into connecting to the attacker’s machine, thus obviating the firewall. This usually requires the user having Web or mail software running, but automatic outbound network requests from [those kinds of programs are] very common and these may be attacked.”
This is possible because a laptop with a wireless connection looks for access points it has previously connected to, so it will auto connect to a laptop that says it is one of those previous access points. From Microsoft’s site,
A computer that has the WPA2/WPS IE Update installed lets users manually configure options for WPA2 authentication and encryption. However, until the Wireless Client Update is installed, network administrators cannot centrally configure WPA2 options by using the Wireless Network (IEEE 802.11) Policies node of Computer Configuration Group Policy. Computers that have Windows XP Service Pack 2 and the Wireless Client Update installed can apply these configuration options when they configure the computers by using Computer Configuration Group Policy.
On a computer that is running Windows Vista or that is running Microsoft Windows Server Code Name “Longhorn,” you can specify WPA2 options when you configure wireless networks by using the Wireless Network (IEEE 802.11) Policies node of Computer Configuration Group Policy. Source: Microsoft
This article from Bugtraq talks about how this has been around since 2004.
Our driver responds to EVERY Probe Request as it operates in HostAP mode. The wireless network is “cloaked”, so it does not send out any beacons, but when a client in range sends a Probe Request for a network (“tmobile”, “linksys”, “megacorp”, etc), the driver will respond as if it were that network. In this way, it acts as a virtual AP for any network requested. This yields an extremely effective attack that is able to cause nearly all unassociated wireless clients within range to join the rogue network. KARMA also includes a tool for passively monitoring probe requests sent out by nearby wireless clients and a framework for exploiting client-side vulnerabilities once the client has joined the rogue network (no live exploits are included, though).
In addition, our driver uncovered vulnerabilities in drivers for 802.11b-only cards where they probe for randomly generated network names when the card is not associated to a network. When the KARMA driver responds to this probe, the card and host will join the network and DHCP an address, etc. I reported this to both Microsoft and Apple in the Spring last year. Apple has subsequently fixed the issue  and Microsoft said that a fix would be in the next service pack.
Again, this is not entirely new stuff. Max Moser released his HotSpotter  tool in April 2004 to create a HostAP based on sniffed Probe Requests. We first released our driver implementing the parallel attack in February 2005 at Immunity’s Security Shindig in NYC. However, awareness of these issues appears to still be low.
Update: I just noticed the date on the Microsoft site, guess I need to be better at following up on my posts, looks like this has been out about three weeks already.