
Bug 311797 (CVE-2010-1159)

Summary: <net-wireless/aircrack-ng-1.1-r2: Buffer overflow (CVE-2010-1159)
Product: Gentoo Security
Reporter: ebfe <knabberknusperhaus>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: chiiph, netmon
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Attachments:
- Demonstrates denial-of-service in all aircrack-ng tools (flags: none)
- -r1 ebuild that includes patch. (flags: none)
- Patch for review (flags: none)

Description ebfe 2010-03-28 16:59:03 UTC
We can cause aircrack-ng and airdecap-ng to crash when reading specially
crafted dump-files and can also crash remote airodump-ng sessions by sending
specifically crafted packets over the air. I am 90% sure that this
denial-of-service can be escalated to remote-code-execution by carefully
introducing new stations to airolib-ng (for memory allocation) and then causing
a heap corruption as demonstrated.

The tools' code responsible for parsing IEEE 802.11 packets assumes the
self-proclaimed length of an EAPOL packet to be correct and never to exceed
an (arbitrary) maximum size of 256 bytes for packets that are part of the
EAPOL authentication. We can exploit this by letting the code parse packets
which:
a) proclaim to be larger than they really are, possibly causing the code
to read from invalid memory locations while copying the packet;
b) really do exceed the maximum size allowed and overflow data structures
allocated on the heap, overwriting libc’s allocation-related
structures. This causes heap-corruption.

Reproducible: Always

Steps to Reproduce:
1. Get example file from
"http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.cap" or generate
it via "http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py"

2. Run it through aircrack-ng, airdecap-ng or airodump-ng ("airodump-ng -r
aircrackng_exploit.cap")

Actual Results:
A SIGSEGV is thrown as all tools try to copy 65k from a buffer that is only
~150 bytes long. More careful layout of the packet's content may lead to heap
corruption and remote code execution.

Expected Results:  
The code should check the size of the buffer first and ignore hostile packets.


http://pyrit.wordpress.com/2010/03/28/remote-exploit-against-aircrack-ng/
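The check the reporter asks for under "Expected Results", written out as an added C example that is not part of the bug report or of aircrack-ng's own code. It assumes the 256-byte staging buffer named above and the standard IEEE 802.1X EAPOL header layout (version, type, 16-bit big-endian body length); the function names, the status codes and the sample frames are constructed for illustration. The unchecked copy is shown only for contrast with the hardened one, and the two rejection paths correspond to cases a) and b) in the description.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Staging buffer size for EAPOL frames: the 256-byte maximum named in the report. */
#define EAPOL_MAX 256
/* IEEE 802.1X EAPOL header: version(1) type(1) body_length(2, big-endian). */
#define EAPOL_HDR_LEN 4

enum eapol_status {
    EAPOL_OK = 0,
    EAPOL_TRUNCATED,       /* capture too short to even hold the header */
    EAPOL_CLAIM_TOO_LONG,  /* header claims more bytes than were captured (case a) */
    EAPOL_OVERSIZED        /* frame genuinely larger than the staging buffer (case b) */
};

/* Total frame length as claimed by the EAPOL header (hypothetical helper). */
static size_t eapol_claimed_total(const uint8_t *p)
{
    return EAPOL_HDR_LEN + (((size_t)p[2] << 8) | p[3]);
}

/*
 * The shape of the defect in the report: the copy length comes straight from
 * the packet, so a lying header reads past the capture and a long frame writes
 * past the 256-byte destination.  Shown for contrast only; nothing below feeds
 * it hostile input.
 */
static size_t eapol_copy_unchecked(const uint8_t *p, uint8_t out[EAPOL_MAX])
{
    size_t total = eapol_claimed_total(p);
    memcpy(out, p, total);
    return total;
}

/*
 * Hardened copy: the claimed length is checked against what was actually
 * captured (caplen) and against the destination size before any memcpy.
 */
static enum eapol_status eapol_copy_checked(const uint8_t *p, size_t caplen,
                                            uint8_t out[EAPOL_MAX], size_t *copied)
{
    *copied = 0;
    if (caplen < EAPOL_HDR_LEN)
        return EAPOL_TRUNCATED;
    size_t total = eapol_claimed_total(p);   /* at most 4 + 65535: no size_t overflow */
    if (total > caplen)
        return EAPOL_CLAIM_TOO_LONG;          /* "proclaims to be larger than it really is" */
    if (total > EAPOL_MAX)
        return EAPOL_OVERSIZED;               /* "really does exceed the maximum size" */
    memcpy(out, p, total);
    *copied = total;
    return EAPOL_OK;
}

/* Fill a constructed EAPOL-Key frame (version 2, type 3) claiming `body` body bytes. */
static void make_frame(uint8_t *buf, size_t bufsz, uint16_t body)
{
    memset(buf, 0xAA, bufsz);
    buf[0] = 2;
    buf[1] = 3;
    buf[2] = (uint8_t)(body >> 8);
    buf[3] = (uint8_t)(body & 0xFF);
}

/* Case a from the report: header claims a 65535-byte body, only 150 bytes captured. */
static enum eapol_status demo_lying_length(void)
{
    uint8_t pkt[150], out[EAPOL_MAX];
    size_t n;
    make_frame(pkt, sizeof pkt, 0xFFFF);
    return eapol_copy_checked(pkt, sizeof pkt, out, &n);
}

/* Case b: a genuine 300-byte frame, honestly described but larger than the buffer. */
static enum eapol_status demo_oversized(void)
{
    uint8_t pkt[300], out[EAPOL_MAX];
    size_t n;
    make_frame(pkt, sizeof pkt, (uint16_t)(sizeof pkt - EAPOL_HDR_LEN));
    return eapol_copy_checked(pkt, sizeof pkt, out, &n);
}

/* A capture cut off inside the header is rejected before any length is read. */
static enum eapol_status demo_truncated(void)
{
    uint8_t pkt[2] = { 2, 3 }, out[EAPOL_MAX];
    size_t n;
    return eapol_copy_checked(pkt, sizeof pkt, out, &n);
}

/* A well-formed 99-byte frame passes; returns the bytes staged, 0 on rejection. */
static size_t demo_benign(void)
{
    uint8_t pkt[99], out[EAPOL_MAX];
    size_t n;
    make_frame(pkt, sizeof pkt, (uint16_t)(sizeof pkt - EAPOL_HDR_LEN));
    return eapol_copy_checked(pkt, sizeof pkt, out, &n) == EAPOL_OK ? n : 0;
}

int main(void)
{
    uint8_t pkt[99], out[EAPOL_MAX];
    make_frame(pkt, sizeof pkt, (uint16_t)(sizeof pkt - EAPOL_HDR_LEN));
    printf("unchecked copy of a benign frame: %zu bytes\n", eapol_copy_unchecked(pkt, out));
    printf("lying length: %d (expect %d)\n", demo_lying_length(), EAPOL_CLAIM_TOO_LONG);
    printf("oversized:    %d (expect %d)\n", demo_oversized(), EAPOL_OVERSIZED);
    printf("truncated:    %d (expect %d)\n", demo_truncated(), EAPOL_TRUNCATED);
    printf("benign:       %zu bytes staged\n", demo_benign());
    return 0;
}
```

The order of the two checks matters for reporting: a frame is first compared against the bytes the capture really holds, so a lying header is flagged as such even when the claimed length would also exceed the buffer; only a frame whose claim is honest but too large for the 256-byte buffer is reported as oversized.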
Comment 1 ebfe 2010-03-28 17:00:08 UTC
Created attachment 225585 [details]
Demonstrates denial-of-service in all aircrack-ng tools
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-04-29 21:07:18 UTC
*** Bug 315341 has been marked as a duplicate of this bug. ***
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-04-29 21:14:24 UTC
Please stabilize net-wireless/aircrack-ng-1.1.
Comment 4 ebfe 2010-04-30 06:16:14 UTC
Bug is not fixed in 1.1
See https://bugzilla.redhat.com/show_bug.cgi?id=577654
Comment 5 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-09-23 16:34:54 UTC
ebfe: Do the following revisions fix the remaining problems?
http://trac.aircrack-ng.org/changeset/1699
http://trac.aircrack-ng.org/changeset/1701
http://trac.aircrack-ng.org/changeset/1702
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-03-21 05:21:33 UTC
Created attachment 266675 [details]
-r1 ebuild that includes patch.

@netmon and @crypto, ping? There appears to be considerable interest in getting this package updated.

Unless I am mistaken, these are the three fixes we need, and in reality, 1702 updates the changes made by 1699 and 1702.

> http://trac.aircrack-ng.org/changeset/1699
> http://trac.aircrack-ng.org/changeset/1701
> http://trac.aircrack-ng.org/changeset/1702

I've attached an -r1 ebuild and patch that *should* correct this issue. Please review and consider. Thanks!
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-03-21 05:22:04 UTC
Created attachment 266677 [details, diff]
Patch for review
Comment 9 Alon Bar-Lev (RETIRED) gentoo-dev 2012-12-15 21:47:01 UTC
aircrack-ng-1.1-r2 in tree with patch.
Thanks!
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-16 16:11:55 UTC
(In reply to comment #9)
> aircrack-ng-1.1-r2 in tree with patch.
> Thanks!

Thanks, Alon. 

Arches, please test and mark stable.
Comment 11 Agostino Sarubbo gentoo-dev 2012-12-16 16:54:57 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2012-12-16 16:55:18 UTC
x86 stable
Comment 13 Agostino Sarubbo gentoo-dev 2012-12-16 17:04:37 UTC
ppc stable
Comment 14 Markus Meier gentoo-dev 2012-12-23 18:17:40 UTC
arm stable, all arches done.
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-23 23:19:30 UTC
Thanks, everyone.

New GLSA request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-10-07 09:25:25 UTC
This issue was resolved and addressed in GLSA 201310-06 at http://security.gentoo.org/glsa/glsa-201310-06.xml by GLSA coordinator Sergey Popov (pinkbyte).
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:38:40 UTC
CVE-2010-1159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1159):
  Multiple heap-based buffer overflows in Aircrack-ng before 1.1 allow remote
  attackers to cause a denial of service (crash) and execute arbitrary code
  via a (1) large length value in an EAPOL packet or (2) long EAPOL packet.