what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Android wpa_supplicant Heap Overflow

Android wpa_supplicant Heap Overflow
Posted Apr 23, 2015
Authored by Alibaba Security Team

wpa_supplicant version 2.x on Android suffers from a heap overflow that can lead to memory information leaks and remote code execution.

tags | advisory, remote, overflow, code execution
advisories | CVE-2015-1863
SHA-256 | 01ee6f07cd1dc7ed4b4d9fe43c5c2e39e7896e387437595d2ed70ee28df47ecb

Android wpa_supplicant Heap Overflow

Change Mirror Download
1. Advisory Information
Advisory URL: http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.p1ECc3&id=19
Date published: 2015-04-23
Date of last update: 2015-04-23

2. Vulnerability Information
Class: heap overflow
Impact: memory information leak and remote code execution
Remote Exploitable: Yes
Local Exploitable: No
CVE Name: CVE-2015-1863
Vulnerability Information and Patch: http://w1.fi/security/2015-1/

3. Vulnerability Description
  In Android, wpa_supplicant is designed to be a "daemon" program that runs in the background and acts as the backend component controlling the wireless connection.. When WLAN Direct function of wpa_supplicant is enabled, a malformed p2p invitation type packet with long ssid can trigger a heap overflow vulnerability. An attacker could launch a remote attack in the wireless device signal coverage, access to the victim's android device and execute native code with the corresponding user privileges (in the android is wifi user). The user has permission to read the saved WIFI password, change network configuration, hijacking all Wi-Fi traffic. When combined with a local privilege escalation vulnerability that allows an attacker to remotely control a host of victims, implant Trojans and other underlying implant systems.
4. Vulnerable Packages
Android 4/Android 5
wpa_supplicant 2.x
5. Credits
Smart hardware research group of Alibaba security team for discovering the vulnerability.
6. Technical Description
wpa_supplicant malloc a p2p_device structure, the oper_ssid field size of which is 0x20 bytes. In the p2p invitation packet the size of ssid field is described with an octet, the max of which is 0xff. When copy to oper_ssid field, the length is not checked. When the size of ssid exceeds 0x20 bytes, it can overflow other fields of the p2p_device structure and overflow heap structure when exceeds 0x40 bytes.
In the android version 5.1, the source is:
============ p2p_device structure( wpa_supplicant/p2p/p2p_i.h)============
struct p2p_device {
[……….]
int oper_freq;
u8 oper_ssid[32]; <----- fixed 0x20 bytes
size_t oper_ssid_len;
[……….]
/**
* go_neg_conf - GO Negotiation Confirmation frame
*/
struct wpabuf *go_neg_conf;
int sd_pending_bcast_queries;
};
=========(wpa_supplicant/p2p/p2p.c p2p_add_device ==============
int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
struct os_reltime *rx_time, int level, const u8 *ies,
size_t ies_len, int scan_res)
{
[……….]
if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
os_memcpy(dev->interface_addr, addr, ETH_ALEN);
if (msg.ssid &&
(msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
!= 0)) {
os_memcpy(dev->oper_ssid, msg.ssid + 2, msg.ssid[1]);
//the dest buf is 0x20, but the size is controlled by user input, trigger buffer overflow
dev->oper_ssid_len = msg.ssid[1];
}
[……….]
7. Vulnerability Impact Assessment:
1)Affected product:Affect all devices of android version below 5.1
2)Default configuration exploitable analysis:Although much of android devices enable WLAN direct when user enters WLAN Direct UI, but:
We found some models of well-known mobile phone manufacturers (such as Xiaomi, Huawei), default to open the WLAN Direct. Even if the user
never entered the WLAN Direct UI, the attacker can initiate a WLAN direct connection and trigger this vulnerability without user interaction. However,
an attacker needs to know WLAN Direct MAC address, the address is the MAC address of user equipment with first byte OR 2, MAC address of the user
equipment can acquire easily by WIFI packet sniffer, so you can calculate WLAN Direct MAC address, for example the user device MAC address 14: 12: 34: 56: 78: 90,
then WLAN Direct MAC address is 16:12 : 34: 56: 78: 90, which means that some models of mobile phone, simply open the WIFI service, can suffer from the vulnerability attack.
  For other models without WLAN Direct default enabled need to pay attention, because a lot of file transfer software use WLAN Direct feature and will enable it.
And this feature once enabled, even if the user exits the WLAN Direct UI, the feature is enabled until the device reboot or WIFI restart. During this time the device is affected and can be attack remotely.
3)Impact
This vulnerability can leak information, use leaked information with ROP to bypass ASLR and DEP. Exploit this vulnerability successfully, attackers can execute
native code with wifi user permission. Then with wifi user permission can change wifi configuration and hijack network traffic.
And this vulnerability can be exploited remotely, if composite a local privilege escalation vulnerability, attackers can implant trojan without physically touch victim devices.
So this vulnerability is high risk, especially for wlan direct enabled default devices.
8. Poc and Coredump
See Advisory URL: http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.p1ECc3&id=19
9. Report Timeline
2015-4-3:send vulnerability report to android security team
2015-4-8:android security team acknowledges the vulnerability and forward it to wpa_supplicant maintainer
2015-4-8:wpa_supplicant maintainer acknowledges
2015-4-13:wpa_supplicant maintainer acknowledges timeline for release a fix
2015-4-22:wpa_supplicant maintainer publish the fix and security advisory
2015-4-23:The advisory is published




Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close