Trango Broadband Wireless Rogue SU Authentication Bug
2 Jan. 2010
Currently there is a flaw in the authentication mechanism of these radios which, if an attacker knows some details, can allow interception of ethernet packets broadcast from the Access Point to the Subscriber Unit and potentially allows injection into the communication from the Subscriber Unit to the Access Point.
The information has been provided by Blair.
Trango Broadband (www.trangobroadband.com) produce a line of unlicensed
5.3/5.8 Ghz point-to-multipoint broadband wireless radios which are used by many wireless ISPs around the world to provide internet and private office services to hard-to-reach customers.
There are two parts to the 5830 series radio system, an Access Point, and a Subscriber Unit. Access Points are generally deployed at a radio tower or smaller repeater sites, and the Subscriber Units on a clients building.
The radios are designed to be mounted externally, and have a single ethernet feed and integrated antenna.
These radios are straight ethernet bridges, there is no routing functionality built in to the radio software which adds to the ease of exploitation.
This attack focuses on the Subscriber Unit (SU) end, however, if one knows the correct information, one could potentially configure a rogue Access Point and MiTM a target as well, though this is not the topic of this advisory.
The Access5830 series of radios contains a flaw in the authentication of subscriber units. This flaw has been fixed with the 900Mhz and 2.4Ghz products, whereby the APID and SUID system has changed significantly, and the SU units are assigned an ID when they connect, only if their MAC is in the SUDB. Trango has neglected to bring this functionality to the older 5800 series radios, nor have they introduced new hardware implementing this functionality in the 5.8Ghz spectrum.
When a new subscriber is added, the MAC address of their SU device is entered into the Subscriber Database (SUDB) on the Access Point, and they are assigned an arbitrary numeric Subscriber ID or SUID in the range of 1-8190 by the Administrator. This SUID is configured on the SU device, along with the APID and BaseID of the Access Point. For most situations, the APID and BaseID are the same.
The bug lies in the synchronization of any SU in the SUDB by the AP.
Once an SU has been synchronized to the AP with the correct MAC address, any further attempts by another SU of the same SUID but with a different MAC address to synchronize will succeed.
When configuring and mounting an SU, you can do a frequency scan (site
survey) from the unit, which will display the available access points in the area, along with their APID and BaseID - this is the information you will need to exploit the Trango network in the area.
To carry out this exploit you need to have an SU which is capable of connecting to the 5800 or 5830 AP. This would generally be a 5800 or 5830 SU-I or SU-EXT, or one of the smaller FOX 5800 SU, or the newer FOX 5580M-FSU - these can be found readily either buying direct from Trango, or from a number of wireless systems resellers. Probably good if this is the same type of unit as the target, though not required.
The information you need to enter into the SU is based on whatever you have found via the site survey information - apsearch and survey commands on the radio's CLI. The full command listing and user guide can be downloaded from the Trango website.
To carry out the attack, you would need to find line-of-sight and have good signal strength (between -40 and -80 dBm) to the target AP, and have knowledge of an SUID which is already connected, or try random numbers until you find one which works - most providers have quite a number of subscribers per AP so this should not be hard. Many providers will physically mark their SUs with the SUID and APID with a permanant marker, so if you have physical access to a connected SU, finding this information is probably trivial.
Once you have configured the SU with the BaseID, APID and SUID and verified signal strength, you simply turn opmode on, and your rogue SU will authenticate, regardless if it's MAC is in the SUDB or not.
Once synchronized, you will start to receive traffic to the ethernet port of the radio as if it was the target unit. Because the unit is a simple bridge, you can look at this traffic with a packet capture utility such as wireshark or tcpdump. Depending on signal strength, the target may or may not notice any loss of service or packet loss. It may be possible to inject packets to the network from a computer behind the rogue SUID, depending on the configuration of the switching and/or routing at the far end.
Trango was contacted about this problem several years ago and they stated that they were not interested in providing a fix, as it would require a major rewrite of their software to implement. I believe enough time has passed for them to have reasonably fixed the problem, and they have not.