This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours

Bug 577654

Summary: Remote buffer overflow in aircrack-ng causes DOS and possible code execution
Product: [Fedora] Fedora Reporter: Lukas Lueg <knabberknusperhaus>
Component: aircrack-ngAssignee: Till Maas <opensource>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: huzaifas, opensource
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-03 11:38:56 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 582417    
Attachments:
Description Flags
Demonstrates denial-of-service in all aircrack-ng tools none

Description Lukas Lueg 2010-03-28 12:53:25 EDT
Created attachment 403115 [details]
Demonstrates denial-of-service in all aircrack-ng tools

Description of problem:

We can cause aircrack-ng and airdecap-ng to crash when reading specially crafted dump-files and can also crash remote airodump-ng sessions by sending specifically crafted packets over the air. I am 90% sure that this denial-of-service can be escalated to remote-code-execution by carefully introducing new stations to airolib-ng (for memory allocation) and then causing a heap corruption as demonstrated.

The tools’ code responsible for parsing IEEE802.11-packets assumes the
self-proclaimed length of a EAPOL-packet to be correct and never to exceed
a (arbitrary) maximum size of 256 bytes for packets that are part of the
EAPOL-authentication. We can exploit this by letting the code parse packets
which:
a) proclaim to be larger than they really are, possibly causing the code
to read from invalid memory locations while copying the packet;
b) really do exceed the maximum size allowed and overflow data structures
allocated on the heap, overwriting libc’s allocation-related
structures. This causes heap-corruption.


Version-Release number of selected component (if applicable):

All


How reproducible:

Always


Steps to Reproduce:
1. Get example file from "http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.cap" or generate it via "http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py"

2. Run it through aircrack-ng, airdecap-ng or airodump-ng ("airodump-ng -r aircrackng_exploit.cap")

  
Actual results:

A SIGSEGV is thrown as all tools try to copy 65k from a buffer that is only a ~150 bytes long.


Expected results:

The code should check the size of the buffer first and ignore hostile packets.


Additional info:

http://pyrit.wordpress.com/2010/03/28/remote-exploit-against-aircrack-ng/
Comment 1 Fedora Update System 2010-04-01 16:10:45 EDT
aircrack-ng-1.0-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/aircrack-ng-1.0-2.fc13
Comment 2 Fedora Update System 2010-04-01 16:10:49 EDT
aircrack-ng-1.0-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/aircrack-ng-1.0-2.fc11
Comment 3 Fedora Update System 2010-04-01 16:10:56 EDT
aircrack-ng-1.0-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/aircrack-ng-1.0-2.fc12
Comment 4 Lukas Lueg 2010-04-01 17:16:46 EDT
This update does *NOT* fix the vulnerability, upstream screwed up on this one...

* The code checks if the self-proclaimed size of the packet is larger than the real packet size. If the packet is larger than 256 bytes AND correctly tells about that, the heap will still be overwritten...
* The self-proclaimed size of the packet is compared to uninitialized data, resulting in random results
* They forgot to patch airbase-ng.c
Comment 5 Till Maas 2010-04-01 17:42:08 EDT
I reported this upstream:
http://trac.aircrack-ng.org/ticket/728
Comment 6 Till Maas 2010-04-27 17:31:35 EDT
(In reply to comment #4)
> This update does *NOT* fix the vulnerability, upstream screwed up on this
> one...
> 
> * The code checks if the self-proclaimed size of the packet is larger than the
> real packet size. If the packet is larger than 256 bytes AND correctly tells
> about that, the heap will still be overwritten...
> * The self-proclaimed size of the packet is compared to uninitialized data,
> resulting in random results
> * They forgot to patch airbase-ng.c    

They claim to have the bug fixed in aircrack-ng-1.1. Do you agree?
Reference:
http://trac.aircrack-ng.org/ticket/728#comment:2
Comment 7 Lukas Lueg 2010-04-28 02:47:25 EDT
My comments are always rejected as spam by Akismet :-)

"""
I've only checked airodump-ng and as far as I can see the fix is incorrect as the field "pkh.len" is uninitialized. It just happens to contain a value that prevents the bug from getting triggered - this is left to a random value on the stack however. It should read "caplen" instead of "pkh.len".

Why don't you just compare the promoted size of the EAPOL-frame to "sizeof(wpa.eapol_frame)" ?
"""
Comment 8 Till Maas 2010-05-11 18:19:06 EDT
(In reply to comment #7)
> My comments are always rejected as spam by Akismet :-)

Sorry, I thought I already forwared this to upstream, but it seems I somehow screw up. I did this now:
http://trac.aircrack-ng.org/ticket/728#comment:3
Comment 9 Bug Zapper 2010-11-03 14:24:36 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 10 Bug Zapper 2010-12-03 11:38:56 EST
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.