exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SA-20071012-0.txt

SA-20071012-0.txt
Posted Oct 13, 2007
Authored by Clemens Kolbitsch, Sylvester Keil | Site sec-consult.com

SEC Consult Security Advisory 20071012-0 - A specially crafted beacon frame can cause MadWifi to crash and cause a kernel panic on the affected machine. Versions 0.9.3.2 and below are affected.

tags | advisory, kernel
SHA-256 | 2883ff9ab631d2d6a0fab31e709208bd4004c0c1c42c5cdd645102b1ba2f8088

SA-20071012-0.txt

Change Mirror Download
SEC Consult Security Advisory 20071012-0
===================================================================================
title: Madwifi xrates element remote DOS
program: Madwifi linux wlan driver for atheros chipsets
vulnerable version: Madwifi <= 0.9.3.2
homepage: www.madwifi.org
found: July 2007
by: Clemens Kolbitsch, Sylvester Keil
Secure Systems Lab / Technical University of
Vienna
http://seclab.tuwien.ac.at/
SEC Consult Vulnerability Lab
http://www.sec-consult.com/
perm. link: http://www.sec-consult.com/298.html
===================================================================================

Vendor description:
---------------

MadWifi is one of the most advanced WLAN drivers available for Linux
today. It is stable and has an established userbase. The driver itself
is open source but depends on the proprietary Hardware Abstraction Layer
(HAL) that is available in binary form only.


Vulnerability overview:
---------------

A specially crafted beacon frame causes the driver to exit(), leading to
a kernel panic on the affected machine. An attacker could crash client
machines that are listening for beacons using a fake access point.

Vulnerability details:
---------------

In short, the driver exits (via the BUG() macro) if a beacon frame with
a high length value (>15) in the extended supported rates element is
received. This leads to a kernel panic.


>From net80211/ieee80211_scan_sta.c: 217 static int sta_add(...):

KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
("rate set too large: %u", sp->rates[1]));
memcpy(ise->se_rates, sp->rates, 2 + sp->rates[1]);
if (sp->xrates != NULL) {
/* XXX validate xrates[1] */
KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,
("xrate set too large: %u", sp->xrates[1]));
memcpy(ise->se_xrates, sp->xrates, 2 + sp->xrates[1]);
} else
ise->se_xrates[1] = 0;

IEEE80211_RATE_MAXSIZE is defined as 15. If the KASSERT() fails the
BUG-macro, which exits the driver, is called.


Vulnerability status:
---------------

The bug has been fixed in SVN revision 2736 [1].


Timeline:
---------------
vendor notified: 2007-10-11
vendor response: 2007-10-11
patch available: 2007-10-12


Additional info
---------------

This vulnerability has been found using a novel wireless fuzzing
approach developed in a joint project by the Secure Systems Lab
(Technical University of Vienna) and the SEC Consult Vulnerability Lab.
The technique, which allows very effective stateful fuzzing of wireless
drivers by using emulated wireless chipsets, will be presented in detail
on the Blackhat Briefings Japan [2] as well as the DeepSec IDSC in
Vienna, Austria [3] in the talks by Sylvester Keil and Clemens
Kolbitsch.


References
----------

[1] http://madwifi.org/changeset/2736
[2] http://www.blackhat.com/html/bh-japan-07/bh-jp-07-main.html
[3] https://deepsec.net/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EOF Bernhard Mueller / research [at] sec-consult [dot] com

Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close