lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1192187120.8109.13.camel@b4byl0n>
Date: Fri, 12 Oct 2007 13:05:20 +0200
From: Bernhard Mueller <research@...-consult.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
	Bugtraq <bugtraq@...urityfocus.com>
Subject: SEC Consult SA-20071012-0 :: Madwifi xrates element remote DOS

SEC Consult Security Advisory 20071012-0
===================================================================================
                  title: Madwifi xrates element remote DOS
                program: Madwifi linux wlan driver for atheros chipsets
     vulnerable version: Madwifi <= 0.9.3.2
               homepage: www.madwifi.org
                  found: July 2007
                     by: Clemens Kolbitsch, Sylvester Keil
                         Secure Systems Lab / Technical University of
Vienna
                           http://seclab.tuwien.ac.at/
                         SEC Consult Vulnerability Lab
                           http://www.sec-consult.com/
             perm. link: http://www.sec-consult.com/298.html
===================================================================================

Vendor description:
---------------

MadWifi is one of the most advanced WLAN drivers available for Linux
today. It is stable and has an established userbase. The driver itself
is open source but depends on the proprietary Hardware Abstraction Layer
(HAL) that is available in binary form only.


Vulnerability overview:
---------------

A specially crafted beacon frame causes the driver to exit(), leading to
a kernel panic on the affected machine. An attacker could crash client
machines that are listening for beacons using a fake access point.

Vulnerability details:
--------------- 

In short, the driver exits (via the BUG() macro) if a beacon frame with
a high length value (>15) in the extended supported rates element is
received. This leads to a kernel panic.


>>From net80211/ieee80211_scan_sta.c: 217  static int sta_add(...):

        KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
                ("rate set too large: %u", sp->rates[1]));
        memcpy(ise->se_rates, sp->rates, 2 + sp->rates[1]);
        if (sp->xrates != NULL) {
                /* XXX validate xrates[1] */
                KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,
                        ("xrate set too large: %u", sp->xrates[1]));
                memcpy(ise->se_xrates, sp->xrates, 2 + sp->xrates[1]);
        } else
                ise->se_xrates[1] = 0;

IEEE80211_RATE_MAXSIZE is defined as 15. If the KASSERT() fails the
BUG-macro, which exits the driver, is called.


Vulnerability status:
---------------

The bug has been fixed in SVN revision 2736 [1].


Timeline:
---------------
vendor notified: 2007-10-11
vendor response: 2007-10-11
patch available: 2007-10-12


Additional info
---------------

This vulnerability has been found using a novel wireless fuzzing
approach developed in a joint project by the Secure Systems Lab
(Technical University of Vienna) and the SEC Consult Vulnerability Lab.
The technique, which allows very effective stateful fuzzing of wireless
drivers by using emulated wireless chipsets, will be presented in detail
on the Blackhat Briefings Japan [2] as well as the DeepSec IDSC in
Vienna, Austria [3] in the talks by Sylvester Keil and Clemens
Kolbitsch.


References
----------

[1] http://madwifi.org/changeset/2736
[2] http://www.blackhat.com/html/bh-japan-07/bh-jp-07-main.html
[3] https://deepsec.net/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EOF Bernhard Mueller / research [at] sec-consult [dot] com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ