exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hardened-PHP Project Security Advisory 2006-03.115

Hardened-PHP Project Security Advisory 2006-03.115
Posted Apr 1, 2006
Authored by Stefan Esser, Hardened-PHP Project | Site hardened-php.net

KisMAC versions below 73p and development versions below 113 suffer from a stack overflow when handling specially crafted 802.11 management frames.

tags | advisory, overflow
SHA-256 | a6f4fdecd7231d6ebfdad685575d72676300a2933903cc1aa6d21407c8be0a02

Hardened-PHP Project Security Advisory 2006-03.115

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Happy PPC Hacking Project
www.hardened-php.net

-= Security Advisory =-



Advisory: KisMAC Cisco Vendor Tag Encapsulated SSID Overflow
Release Date: 2006/03/23
Last Modified: 2006/03/23
Author: Stefan Esser [sesser@hardened-php.net]

Application: KisMAC < dev version 113
KisMAC < 73p
Severity: Special crafted 80211 management frames may cause
a stackoverflow that eventually leads to remote
code execution
Risk: Critical
Vendor Status: Vendor has a released an updated version
References: http://www.hardened-php.net/advisory_032006.115.html


Overview:

Quote from www.kismac.de:
"KisMAC is a free stumbler application for MacOS X, that puts
your card into the monitor mode. Unlike most other applications
for OS X it has the ability to run completely invisible and
send no probe requests."

While playing around with wifi, raw packets, MacOS X, ppc and
KisMAC a quick audit revealed a remotely triggerable buffer
overflow in KisMAC's parser for tagged data in 80211 management
frames, that can lead to execution of arbitrary code.

To exploit this vulnerability an attacker must either trick the
victim in opening a pcap file containing the special crafted
management frames OR the attacker must send such raw frames
while the victim is performing a passive network scan.


Details:

When KisMAC receives a 80211 management frame (or finds one in
a imported pcap file) it parses the attached tagged data with
the function WavePacket:parseTaggedData. With the help of this
method the SSID, the channel and the rates get extracted from
the management packet.

The function in question also supports a special Cisco vendor tag,
which is scanned by KisMAC for additional SSIDs. Unfortunately it
then copies the SSIDs found into a 33 bytes big stackbuffer
without any kind of size check.


slen = (*(ssidl + 5)); // <-- reading SSID length (UINT8)
ssidl += 6;

if ((len -= slen) < 0) break;

@try {
memcpy(ssid, ssidl, slen); // <-- copying without check into 33
// bytes big stackbuffer
ssid[slen]=0;
[_SSIDs addObject:[NSString stringWithUTF8String:ssid]];
}
@catch (NSException *exception) {
[_SSIDs addObject:[NSString stringWithCString:(char*)(ssidl) length:slen]];
}


Due to the try/catch block around the memcpy() the stacklayout
allows to overwrite the jump_buf for setjmp/longjump which are
used for the exception handling. This actually means it is not
only possible to control the execution flow by manipulating the
program counter (pc) but also to have control over the content
of all registers once the execution flow has been manipulated.

It should be obvious that this eventually leads to the execution
of arbitrary code.


Proof of Concept:

The Happy PPC Hacking Project is not going to release exploits
for this vulnerability to the public.


Disclosure Timeline:

22. March 2006 - Contacted KisMAC developers by email
22. March 2006 - Vendor releases KisMAC update
23. March 2006 - Public Disclosure


Recommendation:

It is strongly recommended to upgrade to the newest version of
KisMAC which you can download at:

http://trac.kismac.de


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFEIlt4RDkUzAqGSqERAk9kAJ96iwq93+EeDAMlk5JmRTUUxgkP1gCeKY1v
WZy/+ASNSsw9PqRGLFb1FZs=
=zmaa
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close