|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Dailydave] Madwifi SIOCSIWSCAN vulnerability (CVE-2006-6332)
From: TINNES Julien RD-MAPS-ISS (julien.tinnes
francetelecom.com)
Date: Fri Dec 08 2006 - 04:44:56 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Here it is, metasploit 3 DoS module and a very simple and raw local
exploit (which needs to be triggered by the DoS module).
A full remote exploit is possible, which would be triggered by "iwlist
ath0 scan".
You can inject code into the process' address space by using some
information elements.
--
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6
Name: Madwifi SIOCGIWSCAN buffer overflow
Vendor: http://www.madwifi.org
Release date: December, 7th 2006
CVE ID: CVE-2006-6332
Authors: Laurent BUTTI, Jerome RAZNIEWSKI, Julien TINNES
1. Description
There is a buffer overflow in the madwifi Atheros driver in some
functions called by SIOCSIWSCAN ioctl.
This issue is remotely exploitable because ioctl SIOCSIWSCAN may be
called automatically by some connexion managers (either directly, by
using iwlib or by calling iwlist) when trying to get a list of nearby
access points.
2. Details
There is a stack buffer overflow in both the giwscan_cb() and
encode_ie() functions (ieee80211_wireless.c). The first issue, in
giwscan_cb, is related with insufficient checks on the length in some
802.11 information elements which are controlled by the attacker:
memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2);
The second issue is improper boundary checks in encode_ie() where ielen
is never checked with bufsize.
for (i = 0; i < ielen && bufsize > 2; i++)
p += sprintf(p, "%02x", ie[i]);
A properly crafted 802.11 beacon or probe response frame will trigger
the bug when a process tries to get scanning results by calling ioctl
SIOCGIWSCAN. The information element used by the attacker can be either
WPA IE, RSN IE, WMM IE or ATH IE and will lead to a kernel stack
overflow.
3. Vendor status
The vendor was notified on December, 6th 2006 and issued version 0.9.2.1
to correct the issue.
4. Authors
Laurent BUTTI <laurent.butti at francetelecom.com>
Jerome RAZNIEWSKI <jerome.razniewski at francetelecom.com>
Julien TINNES <julien.tinnes at francetelecom.com>
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
- text/x-csrc attachment: madexploit.c
- application/x-ruby attachment: madwifi_giwscan_cb.rb
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]