Date: Wed, 20 Feb 2008 22:26:28 +0100
From: "michele dallachiesa" <michele.dallachiesa@...il.com>
To: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: two (not critical) bugs in libnids 1.22

hi all,
libnids 1.22 has two bugs preventing it from working correctly in 802.11x
networks. The libnids author and I have no time to write a patch.
After some silent months, I decided to publish them so that someone
will probably do the required fixes and propose a working patch to the
author.

for libnids code and contacts: http://libnids.sourceforge.net/

a basic description of the bugs follows.


========== BUG1 ==========

in function nids_pcap_handler, you added in version 1.22 support for
DLT_IEEE802_11_RADIO, but it breaks the support for DLT_PRISM_HEADER:

when linktype == DLT_PRISM_HEADER, the following code is executed:
---begin---
    case DLT_PRISM_HEADER:
        nids_linkoffset = 144; //sizeof(prism2_hdr);
        linkoffset_tweaked_by_prism_code = 1;
        //now let DLT_IEEE802_11 do the rest
#endif
#ifdef DLT_IEEE802_11_RADIO
    case DLT_IEEE802_11_RADIO:
        // just get rid of the radio tap header
        nids_linkoffset = 25; // sizeof(radio tap header)
        linkoffset_tweaked_by_radio_code = 1;
        //now let DLT_IEEE802_11 do the rest
#endif
#ifdef DLT_IEEE802_11
    case DLT_IEEE802_11:
---end---

nids_linkoffset is set in DLT_PRISM_HEADER but always overwritten in
DLT_IEEE802_11_RADIO.

========== BUG2 ==========

in function nids_pcap_handler, in DLT_IEEE802_11, you compute the
header size of 802.11 packets with TYPE 0 (Data frame) and SUBTYPE 8
(something for QOS) incorrectly. in this situation, you have 2 extra
bytes of header.

the following extra check should fix the problem:

  if (IEEE80211_QOS_HAS_SEQ(wh))
    len += sizeof(u_int16_t);

this macro comes from:
$FreeBSD: src/sys/net80211/ieee80211.h,v 1.9.2.2 2006/08/10 06:07:49 sam Exp $

I did the same in some code I'm writing; it's OK and works well.

==========================

bye!
-- 
Michele Dallachiesa 'xenion' http://xenion.antifork.org
Antifork Research, Inc.
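An added illustration of the second bug, not code from the post or from libnids: the 802.11 data-frame header length computed without and with the QoS adjustment the post proposes, using the Frame Control bit layout of the 802.11 standard (the same test the cited FreeBSD IEEE80211_QOS_HAS_SEQ macro performs), plus a constructed QoS frame showing that the 2-byte miscount lands on the wrong offset for the LLC/SNAP header. Function names, macro names and the sample frames are assumptions of this example, not libnids identifiers.

```c
#include <stddef.h>
#include <stdint.h>
/* Frame Control is sent little-endian: byte 0 = version (bits 0-1), type (bits 2-3),
 * subtype (bits 4-7); byte 1 = flags (To DS = bit 0, From DS = bit 1). */
#define FC0_TYPE_MASK   0x0c
#define FC0_TYPE_DATA   0x08  /* type field value 2 = data */
#define FC0_SUBTYPE_QOS 0x80  /* subtype bit 3 set = QoS data frame */
#define FC1_DIR_DSTODS  0x03  /* To DS and From DS both set: 4-address header */

/* Data-frame header length without the QoS adjustment (the 1.22 behaviour).
 * Returns -1 for non-data frames or a buffer too short to hold the header. */
int ieee80211_data_hdrlen_noqos(const uint8_t *frame, size_t len)
{
    if (len < 2 || (frame[0] & FC0_TYPE_MASK) != FC0_TYPE_DATA)
        return -1;
    size_t hdrlen = ((frame[1] & FC1_DIR_DSTODS) == FC1_DIR_DSTODS) ? 30 : 24;
    return hdrlen <= len ? (int)hdrlen : -1;
}

/* Same computation plus the 2-byte QoS Control field the post's check adds. */
int ieee80211_data_hdrlen(const uint8_t *frame, size_t len)
{
    int hdrlen = ieee80211_data_hdrlen_noqos(frame, len);
    if (hdrlen > 0 && (frame[0] & (FC0_TYPE_MASK | FC0_SUBTYPE_QOS)) ==
                      (FC0_TYPE_DATA | FC0_SUBTYPE_QOS))  /* IEEE80211_QOS_HAS_SEQ test */
        hdrlen += (int)sizeof(uint16_t);
    return hdrlen > 0 && (size_t)hdrlen <= len ? hdrlen : -1;
}

/* 1 if an LLC/SNAP header (AA AA 03) starts at byte offset off, else 0. */
int llc_snap_at(const uint8_t *frame, size_t len, int off)
{
    return off >= 0 && (size_t)off + 3 <= len && frame[off] == 0xaa &&
           frame[off + 1] == 0xaa && frame[off + 2] == 0x03;
}

/* Constructed samples (not captures). sample_qos_frame: QoS data frame, To DS,
 * three addresses, QoS Control, then LLC/SNAP with EtherType 0x0800 (IPv4). */
const uint8_t sample_qos_frame[34] = {
    0x88, 0x01, 0x00, 0x00,                        /* Frame Control, Duration */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,            /* Addr1 */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,            /* Addr2 */
    0xcc, 0xdd, 0xee, 0xff, 0x00, 0x01,            /* Addr3 */
    0x10, 0x00, 0x00, 0x00,                        /* Sequence Control, QoS Control */
    0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00 /* LLC/SNAP header */
};
const uint8_t sample_wds_qos[32] = { 0x88, 0x03 };  /* 4-address QoS data frame */
const uint8_t sample_beacon[24]  = { 0x80, 0x00 };  /* management frame: not data */
```

With the 1.22 computation the LLC/SNAP lookup lands on the QoS Control bytes, so everything after it (and the IP packet libnids hands to its callbacks) is read 2 bytes too early.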
