>> Deutsch | >> Français
HomeServicesSecurity ContentCareerAbout UsContact
News ArchiveMonthly ContentNewsletter SignupWhitepapersUseful LinksAdvisories
 

 
 

>> Security Content >> Advisories >> Madwifi xrates element remote DOS  
 

SEC-CONSULT Security Advisory 20071012-0 >

==================================================

 

title: Madwifi xrates element remote DOS

program: Madwifi linux wlan driver for atheros chipsets

vulnerable version: Madwifi <= 0.9.3.2

homepage: www.madwifi.org

found: July 2007

by: Clemens Kolbitsch, Sylvester Keil

Secure Systems Lab / Technical University of Vienna

seclab.tuwien.ac.at

SEC Consult Vulnerability Lab

www.sec-consult.com

link: www.sec-consult.com

==================================================

 

Vendor description:

---------------

 

MadWifi is one of the most advanced WLAN drivers available for Linux today. It is stable and has an established userbase. The driver itself is open source but depends on the proprietary Hardware Abstraction Layer (HAL) that is available in binary form only.

 

 

Vulnerability overview:

---------------

 

A specially crafted beacon frame causes the driver to exit(), leading to a kernel panic on the affected machine. An attacker could crash client machines that are listening for beacons using a fake access point.

 

Vulnerability details:

---------------

 

In short, the driver exits (via the BUG() macro) if a beacon frame with a high length value (>15) in the extended supported rates element is received. This leads to a kernel panic.

 

 

From net80211/ieee80211_scan_sta.c: 217 static int sta_add(...):

 

KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,

("rate set too large: %u", sp->rates[1]));

memcpy(ise->se_rates, sp->rates, 2 + sp->rates[1]);

if (sp->xrates != NULL) {

/* XXX validate xrates[1] */

KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,

("xrate set too large: %u", sp->xrates[1]));

memcpy(ise->se_xrates, sp->xrates, 2 + sp->xrates[1]);

} else

ise->se_xrates[1] = 0;

 

IEEE80211_RATE_MAXSIZE is defined as 15. If the KASSERT() fails the BUG-macro, which exits the driver, is called.

 

 

Vulnerability status:

---------------

 

The bug has been fixed in SVN revision 2736 [1].

 

 

Timeline:

---------------

vendor notified: 2007-10-11

vendor response: 2007-10-11

patch available: 2007-10-12

 

 

Additional info

---------------

 

This vulnerability has been found using a novel wireless fuzzing approach developed in a joint project by the Secure Systems Lab (Technical University of Vienna) and the SEC Consult Vulnerability Lab. The technique, which allows very effective stateful fuzzing of wireless drivers by using emulated wireless chipsets, will be presented in detail on the Blackhat Briefings Japan [2] as well as the DeepSec IDSC in Vienna, Austria [3] in the talks by Sylvester Keil and Clemens Kolbitsch.

 

 

References

----------

 

[1] madwifi.org/changeset/2736

[2] www.blackhat.com/html/bh-japan-07/bh-jp-07-main.html

[3] https://deepsec.net/

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

EOF Bernhard Mueller / research [at] sec-consult [dot] com

 

 

 
Current

15.09. - 17.09.2008

Implementation of Information Security Management Systems based on ISO 27001:2005 [more...]

 

[Archives]

 


SEC-Advisories
[SA20071204-0] SonicWALL Global VPN Client Format String Vulnerability
[SA20071101-0] Multiple Vulnerabilties in SonicWALL SSL-VPN Client
[SA20071031-0] Perdition IMAP Proxy Format String Vulnerability
[SA20071012-0] Madwifi xrates element remote DOS
[SA20070722-0] Remote Command Execution in Joomla! CMS
[SA20070601-0] PHP chunk_split() Integer Overflow
[more...]
  Impressum :: SEC CONSULT :: PHONE +43/1/890 30 43 - 0 :: FAX - 15 :: EMAIL office@sec-consult.com