Created attachment 403115 [details]
Demonstrates denial-of-service in all aircrack-ng tools
Description of problem:
We can cause aircrack-ng and airdecap-ng to crash when reading specially crafted dump-files and can also crash remote airodump-ng sessions by sending specifically crafted packets over the air. I am 90% sure that this denial-of-service can be escalated to remote-code-execution by carefully introducing new stations to airolib-ng (for memory allocation) and then causing a heap corruption as demonstrated.
The tools’ code responsible for parsing IEEE802.11-packets assumes the
self-proclaimed length of a EAPOL-packet to be correct and never to exceed
a (arbitrary) maximum size of 256 bytes for packets that are part of the
EAPOL-authentication. We can exploit this by letting the code parse packets
a) proclaim to be larger than they really are, possibly causing the code
to read from invalid memory locations while copying the packet;
b) really do exceed the maximum size allowed and overflow data structures
allocated on the heap, overwriting libc’s allocation-related
structures. This causes heap-corruption.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Get example file from "http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.cap" or generate it via "http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py"
2. Run it through aircrack-ng, airdecap-ng or airodump-ng ("airodump-ng -r aircrackng_exploit.cap")
A SIGSEGV is thrown as all tools try to copy 65k from a buffer that is only a ~150 bytes long.
The code should check the size of the buffer first and ignore hostile packets.
aircrack-ng-1.0-2.fc13 has been submitted as an update for Fedora 13.
aircrack-ng-1.0-2.fc11 has been submitted as an update for Fedora 11.
aircrack-ng-1.0-2.fc12 has been submitted as an update for Fedora 12.
This update does *NOT* fix the vulnerability, upstream screwed up on this one...
* The code checks if the self-proclaimed size of the packet is larger than the real packet size. If the packet is larger than 256 bytes AND correctly tells about that, the heap will still be overwritten...
* The self-proclaimed size of the packet is compared to uninitialized data, resulting in random results
* They forgot to patch airbase-ng.c
I reported this upstream:
(In reply to comment #4)
> This update does *NOT* fix the vulnerability, upstream screwed up on this
> * The code checks if the self-proclaimed size of the packet is larger than the
> real packet size. If the packet is larger than 256 bytes AND correctly tells
> about that, the heap will still be overwritten...
> * The self-proclaimed size of the packet is compared to uninitialized data,
> resulting in random results
> * They forgot to patch airbase-ng.c
They claim to have the bug fixed in aircrack-ng-1.1. Do you agree?
My comments are always rejected as spam by Akismet :-)
I've only checked airodump-ng and as far as I can see the fix is incorrect as the field "pkh.len" is uninitialized. It just happens to contain a value that prevents the bug from getting triggered - this is left to a random value on the stack however. It should read "caplen" instead of "pkh.len".
Why don't you just compare the promoted size of the EAPOL-frame to "sizeof(wpa.eapol_frame)" ?
(In reply to comment #7)
> My comments are always rejected as spam by Akismet :-)
Sorry, I thought I already forwared this to upstream, but it seems I somehow screw up. I did this now:
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '12'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 12's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 12 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.