Ben Hutchings
2009-Jan-25 16:21 UTC
[Secure-testing-team] Bug#512995: Possible security flaw in ad-hoc probe request processing
Package: rt73
Severity: critical
Tags: security, upstream

"Aviv" <springsec at gmail.com> wrote on Bugtraq:

> Some Ralinktech wireless card drivers suffer from an integer
> overflow. Sending a malformed 802.11 Probe Request packet, with no
> care about the victim's MAC\BSS\SSID, can cause remote code execution in
> kernel mode.
>
> In order to exploit this issue, the attacker should send a Probe
> Request packet with an SSID length bigger than 128 bytes (but less than
> 256) when the victim's card is in ADHOC mode. The attacker does not need to be
> on the same network nor even know the MAC\BSS\SSID; he can just send
> it broadcast.
>
> Tested on a Ralink USB wireless adapter (RT73) V3.08 on win2k with the
> latest driver version.

(Archived at <http://archives.neohapsis.com/archives/bugtraq/2009-01/0167.html>.)

No CVE number appears to have been assigned to this yet.

Ralink's Linux drivers are based on their Windows drivers and the following code in PeerProbeReqSanity() in the source file sanity.c appears to have exactly this flaw:

    /* Octet[0] is the element ID, Octet[1] the element length (signed char) */
    if ((pFrame->Octet[0] != IE_SSID) || (pFrame->Octet[1] > MAX_LEN_OF_SSID))
    {
        DBGPRINT(RT_DEBUG_TRACE, "PeerProbeReqSanity fail - wrong SSID IE(Type=%d,Len=%d)\n",
                 pFrame->Octet[0], pFrame->Octet[1]);
        return FALSE;
    }
    /* length is taken from the frame and used for the copy without further checks */
    *pSsidLen = pFrame->Octet[1];
    memcpy(Ssid, &pFrame->Octet[2], *pSsidLen);

pFrame->Octet is an array of signed char and MAX_LEN_OF_SSID expands to a decimal literal which will have type int. Therefore unsigned values in the range [128, 255] will be treated as values in the range [-128, -1] and will pass the test.

Similar code exists in the rt2400, rt2500, rt2570, rt61 and rt2860 drivers.

Ben.
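The sign-extension defect described above, isolated as an added C example (not code from the Ralink drivers or from this report): the flawed comparison beside a corrected one that reads the length byte as unsigned. The value of MAX_LEN_OF_SSID and the SSID element ID are assumed here, since the page does not give them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed values: the driver header is not on the page. */
#define MAX_LEN_OF_SSID 32   /* decimal literal, so type int, as in the driver */
#define IE_SSID         0    /* 802.11 element ID for SSID */

/* Mirrors the flawed sanity test: octet is signed char, the limit is an int.
 * octet[1] is promoted to int with sign extension, so a length byte of 0xC8
 * compares as -56, which is not greater than 32, and the check passes. */
static bool ssid_ie_passes_flawed(const signed char *octet)
{
    return !((octet[0] != IE_SSID) || (octet[1] > MAX_LEN_OF_SSID));
}

/* Corrected test: convert the length byte to unsigned before comparing. */
static bool ssid_ie_passes_fixed(const signed char *octet)
{
    unsigned int len = (unsigned char)octet[1];
    return octet[0] == IE_SSID && len <= MAX_LEN_OF_SSID;
}

/* The byte count memcpy() would receive if the flawed check passed and the
 * length were stored in an unsigned byte (as an SSID length field would be). */
static unsigned int copy_len_after_flawed_check(const signed char *octet)
{
    return (unsigned char)octet[1];
}

int main(void)
{
    /* Constructed probe-request SSID element: ID 0, length byte 0xC8 (200). */
    signed char bad[2] = { IE_SSID, (signed char)0xC8 };
    signed char good[2] = { IE_SSID, 20 };

    printf("flawed check, len 200: %s\n", ssid_ie_passes_flawed(bad) ? "PASS" : "reject");
    printf("fixed check,  len 200: %s\n", ssid_ie_passes_fixed(bad) ? "PASS" : "reject");
    printf("bytes memcpy would copy into a %d-byte buffer: %u\n",
           MAX_LEN_OF_SSID, copy_len_after_flawed_check(bad));
    printf("fixed check,  len 20:  %s\n", ssid_ie_passes_fixed(good) ? "PASS" : "reject");
    return 0;
}
```

Compiling with -Wsign-compare or -Wtype-limits does not flag this comparison, because both operands are signed after promotion; the defect has to be found by reading the types.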