Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15339
HistoryDec 08, 2006 - 12:00 a.m.

[Full-disclosure] [Madwifi] Madwifi SIOCGIWSCAN buffer overflow // France Telecom

2006-12-0800:00:00
vulners.com
15

Name: Madwifi SIOCGIWSCAN buffer overflow
Vendor: http://www.madwifi.org
Release date: December, 7th 2006
CVE ID: CVE-2006-6332
Authors: Laurent BUTTI, Jerome RAZNIEWSKI, Julien TINNES

  1. Description

There is a buffer overflow in the madwifi Atheros driver in some
functions called by SIOCSIWSCAN ioctl.

This issue is remotely exploitable because ioctl SIOCSIWSCAN may be
called automatically by some connexion managers (either directly, by
using iwlib or by calling iwlist) when trying to get a list of nearby
access points.

  1. Details

There is a stack buffer overflow in both the giwscan_cb() and
encode_ie() functions (ieee80211_wireless.c). The first issue, in
giwscan_cb, is related with insufficient checks on the length in some
802.11 information elements which are controlled by the attacker:

   memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2);

The second issue is improper boundary checks in encode_ie() where ielen
is never checked with bufsize.

   for (i = 0; i < ielen && bufsize > 2; i++)
           p += sprintf(p, "%02x", ie[i]);

A properly crafted 802.11 beacon or probe response frame will trigger
the bug when a process tries to get scanning results by calling ioctl
SIOCGIWSCAN. The information element used by the attacker can be either
WPA IE, RSN IE, WMM IE or ATH IE and will lead to a kernel stack
overflow.

  1. Vendor status

The vendor was notified on December, 6th 2006 and issued version 0.9.2.1
to correct the issue.

  1. Authors

Laurent BUTTI <laurent.butti at francetelecom.com>
Jerome RAZNIEWSKI <jerome.razniewski at francetelecom.com>
Julien TINNES <julien.tinnes at francetelecom.com>


Tyop?


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Related for SECURITYVULNS:DOC:15339