Home / vulnerabilities madwifi.txt
Posted on 09 December 2006
Source : packetstormsecurity.org Link
Name: Madwifi SIOCGIWSCAN buffer overflow
Vendor: http://www.madwifi.org
Release date: December, 7th 2006
CVE ID: CVE-2006-6332
Authors: Laurent BUTTI, Jerome RAZNIEWSKI, Julien TINNES
1. Description
There is a buffer overflow in the madwifi Atheros driver in some
functions called by SIOCSIWSCAN ioctl.
This issue is remotely exploitable because ioctl SIOCSIWSCAN may be
called automatically by some connexion managers (either directly, by
using iwlib or by calling iwlist) when trying to get a list of nearby
access points.
2. Details
There is a stack buffer overflow in both the giwscan_cb() and
encode_ie() functions (ieee80211_wireless.c). The first issue, in
giwscan_cb, is related with insufficient checks on the length in some
802.11 information elements which are controlled by the attacker:
memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2);
The second issue is improper boundary checks in encode_ie() where ielen
is never checked with bufsize.
for (i = 0; i < ielen && bufsize > 2; i++)
p += sprintf(p, "%02x", ie[i]);
A properly crafted 802.11 beacon or probe response frame will trigger
the bug when a process tries to get scanning results by calling ioctl
SIOCGIWSCAN. The information element used by the attacker can be either
WPA IE, RSN IE, WMM IE or ATH IE and will lead to a kernel stack
overflow.
3. Vendor status
The vendor was notified on December, 6th 2006 and issued version 0.9.2.1
to correct the issue.
4. Authors
Laurent BUTTI <laurent.butti at francetelecom.com>
Jerome RAZNIEWSKI <jerome.razniewski at francetelecom.com>
Julien TINNES <julien.tinnes at francetelecom.com>
--
Tyop?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/