[Secure-testing-team] Bug#512995: Possible security flaw in ad-hoc probe request processing

Ben Hutchings ben at decadent.org.uk
Sun Jan 25 16:21:57 UTC 2009


Package: rt73
Severity: critical
Tags: security, upstream

"Aviv" <springsec at gmail.com> wrote on Bugtraq:
> Some Ralinktech wireless card drivers suffer from an integer
> overflow. By sending a malformed 802.11 Probe Request packet, with no
> care about the victim's MAC\BSS\SSID, an attacker can cause remote code
> execution in kernel mode.
> 
> In order to exploit this issue, the attacker should send a Probe
> Request packet with an SSID length bigger than 128 bytes (but less than
> 256) when the victim's card is in ADHOC mode.  The attacker need not be
> on the same network nor even know the MAC\BSS\SSID; he can just send
> it broadcast.
> 
> Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the
> latest driver version.

(Archived at
<http://archives.neohapsis.com/archives/bugtraq/2009-01/0167.html>.)

No CVE number appears to have been assigned to this yet.

Ralink's Linux drivers are based on their Windows drivers and the
following code in PeerProbeReqSanity() in the source file sanity.c
appears to have exactly this flaw:

    /* pFrame->Octet is signed char; the length comparison below is done in int
       after promotion, so an IE length of 128..255 compares as negative and
       passes the "> MAX_LEN_OF_SSID" test. */
    if ((pFrame->Octet[0] != IE_SSID) || (pFrame->Octet[1] > MAX_LEN_OF_SSID))
    {
        DBGPRINT(RT_DEBUG_TRACE, "PeerProbeReqSanity fail - wrong SSID IE(Type=%d,Len=%d)\n",pFrame->Octet[0],pFrame->Octet[1]);
        return FALSE;
    }

    /* The same length is then used, unchecked, as the memcpy size. */
    *pSsidLen = pFrame->Octet[1];
    memcpy(Ssid, &pFrame->Octet[2], *pSsidLen);

pFrame->Octet is an array of signed char and MAX_LEN_OF_SSID expands
to a decimal literal, which has type int, so Octet[1] is promoted to
int before the comparison.  Therefore unsigned values in the range
[128, 255] will be treated as values in the range [-128, -1], will pass
the test, and will then be used as the memcpy length.
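The following is an added example, not code from Ben's report or from the Ralink drivers, that reproduces the signed-char comparison in a stand-alone program and places a bounded parser beside it. The value 32 for MAX_LEN_OF_SSID is an assumption (802.11 SSIDs are at most 32 octets; the report only says the macro is a decimal literal), and the function names and the constructed sample IEs are invented for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID 0
/* Assumed value for this example; the report says only that the macro
 * expands to a decimal literal of type int. */
#define MAX_LEN_OF_SSID 32

/* Mirrors the driver's check with the same types: the length field is a
 * signed char compared against an int.  Returns true when the frame
 * would be accepted. */
bool ssid_ie_accepted_signed(const signed char *octet)
{
    if ((octet[0] != IE_SSID) || (octet[1] > MAX_LEN_OF_SSID))
        return false;          /* rejected as "wrong SSID IE" */
    return true;               /* accepted; memcpy would follow */
}

/* Hardened check (hypothetical, not the vendor's fix): the length is read
 * as unsigned char so it can never be negative, and the copy is bounded by
 * the destination capacity and by the bytes actually present in the frame.
 * Returns the SSID length copied, or -1 if the IE is rejected. */
int ssid_ie_parse(const unsigned char *octet, size_t octet_len,
                  unsigned char *ssid, size_t ssid_cap)
{
    if (octet_len < 2)                  /* need the type and length fields */
        return -1;
    if (octet[0] != IE_SSID)
        return -1;
    unsigned int len = octet[1];        /* 0..255, never negative */
    if (len > MAX_LEN_OF_SSID || len > ssid_cap)
        return -1;
    if (len > octet_len - 2)            /* IE claims more bytes than received */
        return -1;
    memcpy(ssid, &octet[2], len);
    return (int)len;
}

/* Constructed sample: an SSID IE whose length byte is 200 (0xC8). */
static void build_long_ie(unsigned char *buf, size_t cap)
{
    memset(buf, 'A', cap);
    buf[0] = IE_SSID;
    buf[1] = 200;
}

/* The signed-char check accepts the 200-byte IE (200 reads as -56). */
bool demo_signed_check_accepts_long_ie(void)
{
    unsigned char frame[202];
    build_long_ie(frame, sizeof frame);
    return ssid_ie_accepted_signed((const signed char *)frame);
}

/* The bounded parser rejects the same IE: returns -1. */
int demo_hardened_rejects_long_ie(void)
{
    unsigned char frame[202], ssid[MAX_LEN_OF_SSID];
    build_long_ie(frame, sizeof frame);
    return ssid_ie_parse(frame, sizeof frame, ssid, sizeof ssid);
}

/* A well-formed 5-byte SSID is still accepted by the bounded parser: returns 5. */
int demo_hardened_accepts_short_ie(void)
{
    const unsigned char frame[] = { IE_SSID, 5, 'h', 'e', 'l', 'l', 'o' };
    unsigned char ssid[MAX_LEN_OF_SSID];
    return ssid_ie_parse(frame, sizeof frame, ssid, sizeof ssid);
}

/* A truncated frame whose length byte exceeds the received bytes is rejected: returns -1. */
int demo_hardened_rejects_truncated_ie(void)
{
    const unsigned char frame[] = { IE_SSID, 10, 'a', 'b' };
    unsigned char ssid[MAX_LEN_OF_SSID];
    return ssid_ie_parse(frame, sizeof frame, ssid, sizeof ssid);
}

int main(void)
{
    printf("signed check accepts len=200: %s\n",
           demo_signed_check_accepts_long_ie() ? "yes" : "no");
    printf("bounded parser on len=200:    %d\n", demo_hardened_rejects_long_ie());
    printf("bounded parser on len=5:      %d\n", demo_hardened_accepts_short_ie());
    printf("bounded parser on truncated:  %d\n", demo_hardened_rejects_truncated_ie());
    return 0;
}
```

The point the program makes is that the type of the length field decides the outcome: read through signed char, 200 becomes -56 and sails past a `> 32` test; read through unsigned char, the same byte is 200 and is rejected, and checking the length against the bytes actually received catches the truncated case the original code never considered.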

Similar code exists in the rt2400, rt2500, rt2570, rt61 and rt2860
drivers.

Ben.
