Created attachment 403115 [details] Demonstrates denial-of-service in all aircrack-ng tools Description of problem: We can cause aircrack-ng and airdecap-ng to crash when reading specially crafted dump-files and can also crash remote airodump-ng sessions by sending specifically crafted packets over the air. I am 90% sure that this denial-of-service can be escalated to remote-code-execution by carefully introducing new stations to airolib-ng (for memory allocation) and then causing a heap corruption as demonstrated. The tools’ code responsible for parsing IEEE802.11-packets assumes the self-proclaimed length of a EAPOL-packet to be correct and never to exceed a (arbitrary) maximum size of 256 bytes for packets that are part of the EAPOL-authentication. We can exploit this by letting the code parse packets which: a) proclaim to be larger than they really are, possibly causing the code to read from invalid memory locations while copying the packet; b) really do exceed the maximum size allowed and overflow data structures allocated on the heap, overwriting libc’s allocation-related structures. This causes heap-corruption. Version-Release number of selected component (if applicable): All How reproducible: Always Steps to Reproduce: 1. Get example file from "http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.cap" or generate it via "http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py" 2. Run it through aircrack-ng, airdecap-ng or airodump-ng ("airodump-ng -r aircrackng_exploit.cap") Actual results: A SIGSEGV is thrown as all tools try to copy 65k from a buffer that is only a ~150 bytes long. Expected results: The code should check the size of the buffer first and ignore hostile packets. Additional info: http://pyrit.wordpress.com/2010/03/28/remote-exploit-against-aircrack-ng/
aircrack-ng-1.0-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/aircrack-ng-1.0-2.fc13
aircrack-ng-1.0-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/aircrack-ng-1.0-2.fc11
aircrack-ng-1.0-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/aircrack-ng-1.0-2.fc12
This update does *NOT* fix the vulnerability, upstream screwed up on this one... * The code checks if the self-proclaimed size of the packet is larger than the real packet size. If the packet is larger than 256 bytes AND correctly tells about that, the heap will still be overwritten... * The self-proclaimed size of the packet is compared to uninitialized data, resulting in random results * They forgot to patch airbase-ng.c
I reported this upstream: http://trac.aircrack-ng.org/ticket/728
(In reply to comment #4) > This update does *NOT* fix the vulnerability, upstream screwed up on this > one... > > * The code checks if the self-proclaimed size of the packet is larger than the > real packet size. If the packet is larger than 256 bytes AND correctly tells > about that, the heap will still be overwritten... > * The self-proclaimed size of the packet is compared to uninitialized data, > resulting in random results > * They forgot to patch airbase-ng.c They claim to have the bug fixed in aircrack-ng-1.1. Do you agree? Reference: http://trac.aircrack-ng.org/ticket/728#comment:2
My comments are always rejected as spam by Akismet :-) """ I've only checked airodump-ng and as far as I can see the fix is incorrect as the field "pkh.len" is uninitialized. It just happens to contain a value that prevents the bug from getting triggered - this is left to a random value on the stack however. It should read "caplen" instead of "pkh.len". Why don't you just compare the promoted size of the EAPOL-frame to "sizeof(wpa.eapol_frame)" ? """
(In reply to comment #7) > My comments are always rejected as spam by Akismet :-) Sorry, I thought I already forwared this to upstream, but it seems I somehow screw up. I did this now: http://trac.aircrack-ng.org/ticket/728#comment:3
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.