| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f0c92dbe1003281257x6d2bc3c0vaa2b032352597c24@mail.gmail.com>
Date: Sun, 28 Mar 2010 21:57:02 +0200
From: Lukas Lueg <lukas.lueg@...glemail.com>
To: bugtraq@...urityfocus.com
Subject: Remote buffer overflow in aircrack-ng causes DOS and possible code
execution
We can cause aircrack-ng and airdecap-ng to crash when reading
specially crafted dump-files and can also crash remote airodump-ng
sessions by sending specially crafted packets over the air. I am 90%
sure that this denial-of-service can be escalated to
remote-code-execution by carefully introducing new stations to
airodump-ng (for memory allocation) and then causing a heap corruption
as demonstrated.
The tools’ code responsible for parsing IEEE802.11-packets assumes the
self-proclaimed length of a EAPOL-packet to be correct and never to
exceed a (arbitrary) maximum size of 256 bytes for packets that are
part of the EAPOL-authentication. We can exploit this by letting the
code parse packets which:
a) proclaim to be larger than they really are, possibly causing the
code to read from invalid memory locations while copying the packet;
b) really do exceed the maximum size allowed and overflow data
structures allocated on the heap, overwriting libc’s
allocation-related structures. This causes heap-corruption.
Steps to Reproduce:
1. Get example file from
"http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.cap" or
generate it via
"http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py"
2. Run it through aircrack-ng, airdecap-ng or airodump-ng
("airodump-ng -r aircrackng_exploit.cap")
Powered by blists - more mailing lists