[exploits] Madwifi SIOCSIWSCAN vulnerability (CVE-2006-6332)

Tyop? tyoptyop at gmail.com
Fri Dec 8 13:10:12 CST 2006


From: TINNES Julien RD-MAPS-ISS <julien.tinnes at francetelecom.com>


Here it is, metasploit 3 DoS module and a very simple and raw local
exploit (which needs to be triggered by the DoS module).

A full remote exploit is possible, which would be triggered by "iwlist
ath0 scan".
You can inject code into the process' address space by using some
information elements.

--
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6


Name:           Madwifi SIOCGIWSCAN buffer overflow
Vendor:         http://www.madwifi.org
Release date:   December, 7th 2006
CVE ID:         CVE-2006-6332
Authors:        Laurent BUTTI, Jerome RAZNIEWSKI, Julien TINNES


1. Description

There is a buffer overflow in the madwifi Atheros driver in some
functions called by the SIOCSIWSCAN ioctl.

This issue is remotely exploitable because the SIOCSIWSCAN ioctl may be
called automatically by some connection managers (either directly, by
using iwlib, or by calling iwlist) when trying to get a list of nearby
access points.

2. Details

There is a stack buffer overflow in both the giwscan_cb() and
encode_ie() functions (ieee80211_wireless.c). The first issue, in
giwscan_cb(), is related to insufficient checks on the length of some
802.11 information elements, which are controlled by the attacker:

        memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2);

The second issue is improper boundary checking in encode_ie(), where ielen
is never checked against bufsize (bufsize is tested but never decremented,
so the check does not limit the output):

        for (i = 0; i < ielen && bufsize > 2; i++)
                p += sprintf(p, "%02x", ie[i]);

A properly crafted 802.11 beacon or probe response frame will trigger
the bug when a process tries to get scanning results by calling the ioctl
SIOCGIWSCAN. The information element used by the attacker can be either a
WPA IE, RSN IE, WMM IE or ATH IE, and will lead to a kernel stack
overflow.
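As an added illustration (not code from the advisory or from the madwifi project), the two functions below show how each fragment above can be bounded: the IE copy validates the attacker-controlled length octet against both the bytes actually present and the destination size, and the hex encoder tracks its remaining output budget instead of testing bufsize once per iteration without ever decreasing it. Function names and the sample IE bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a vendor-specific IE (tag 0xdd, length 4, body 00 50 f2 01). */
const uint8_t sample_ie[] = { 0xdd, 0x04, 0x00, 0x50, 0xf2, 0x01 };
const size_t sample_ie_len = sizeof sample_ie;
/* Constructed sample: claims 255 body bytes but only one is present. */
const uint8_t truncated_ie[] = { 0xdd, 0xff, 0x00 };
const size_t truncated_ie_len = sizeof truncated_ie;

/* Bounded counterpart of memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2).
 * Copies tag, length and body only if the claimed length fits both the
 * bytes available in the frame and the destination buffer.
 * Returns bytes copied, or -1 when the element must be rejected. */
int copy_ie_checked(uint8_t *dst, size_t dstsize,
                    const uint8_t *ie, size_t ie_avail)
{
    if (ie_avail < 2)               /* no room for tag + length octets */
        return -1;
    size_t need = (size_t)ie[1] + 2; /* ie[1] is attacker controlled */
    if (need > ie_avail)            /* length exceeds what the frame holds */
        return -1;
    if (need > dstsize)             /* would overrun the fixed-size destination */
        return -1;
    memcpy(dst, ie, need);
    return (int)need;
}

/* Bounded counterpart of the encode_ie() loop: each input byte costs two
 * hex characters, and one byte is reserved for the terminating NUL.
 * Returns the number of bytes encoded, or -1 if buf cannot hold them. */
int encode_ie_checked(char *buf, size_t bufsize,
                      const uint8_t *ie, size_t ielen)
{
    if (bufsize < 1 || ielen > (bufsize - 1) / 2)
        return -1;
    size_t remaining = bufsize;
    char *p = buf;
    for (size_t i = 0; i < ielen; i++) {
        int n = snprintf(p, remaining, "%02x", ie[i]);
        if (n < 0 || (size_t)n >= remaining) /* defensive: never truncate */
            return -1;
        p += n;
        remaining -= (size_t)n;
    }
    return (int)ielen;
}
```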

3. Vendor status

The vendor was notified on December, 6th 2006 and issued version 0.9.2.1
to correct the issue.

4. Authors

Laurent BUTTI <laurent.butti at francetelecom.com>
Jerome RAZNIEWSKI <jerome.razniewski at francetelecom.com>
Julien TINNES <julien.tinnes at francetelecom.com>


-- 
Tyop?