what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

madwifi.txt

madwifi.txt
Posted Dec 8, 2006
Authored by Laurent Butti, Jerome RAZNIEWSKI, Julien Tinnes

There is a buffer overflow in the Madwifi Atheros driver in some functions called by SIOCSIWSCAN ioctl.

tags | advisory, overflow
advisories | CVE-2006-6332
SHA-256 | ae78388667ab3deb4319d8f83bc674032a7c7b8df47d26ab5490c18a34bceb0c

madwifi.txt

Change Mirror Download
Name:           Madwifi SIOCGIWSCAN buffer overflow
Vendor: http://www.madwifi.org
Release date: December, 7th 2006
CVE ID: CVE-2006-6332
Authors: Laurent BUTTI, Jerome RAZNIEWSKI, Julien TINNES


1. Description

There is a buffer overflow in the madwifi Atheros driver in some
functions called by SIOCSIWSCAN ioctl.

This issue is remotely exploitable because ioctl SIOCSIWSCAN may be
called automatically by some connexion managers (either directly, by
using iwlib or by calling iwlist) when trying to get a list of nearby
access points.

2. Details

There is a stack buffer overflow in both the giwscan_cb() and
encode_ie() functions (ieee80211_wireless.c). The first issue, in
giwscan_cb, is related with insufficient checks on the length in some
802.11 information elements which are controlled by the attacker:

memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2);

The second issue is improper boundary checks in encode_ie() where ielen
is never checked with bufsize.

for (i = 0; i < ielen && bufsize > 2; i++)
p += sprintf(p, "%02x", ie[i]);

A properly crafted 802.11 beacon or probe response frame will trigger
the bug when a process tries to get scanning results by calling ioctl
SIOCGIWSCAN. The information element used by the attacker can be either
WPA IE, RSN IE, WMM IE or ATH IE and will lead to a kernel stack
overflow.

3. Vendor status

The vendor was notified on December, 6th 2006 and issued version 0.9.2.1
to correct the issue.

4. Authors

Laurent BUTTI <laurent.butti at francetelecom.com>
Jerome RAZNIEWSKI <jerome.razniewski at francetelecom.com>
Julien TINNES <julien.tinnes at francetelecom.com>


--
Tyop?

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close