We can cause aircrack-ng and airdecap-ng to crash when reading specially crafted dump-files and can also crash remote airodump-ng sessions by sending specifically crafted packets over the air. I am 90% sure that this denial-of-service can be escalated to remote-code-execution by carefully introducing new stations to airolib-ng (for memory allocation) and then causing a heap corruption as demonstrated. The tools' code responsible for parsing IEEE802.11-packets assumes the self-proclaimed length of an EAPOL-packet to be correct and never to exceed a (arbitrary) maximum size of 256 bytes for packets that are part of the EAPOL-authentication. We can exploit this by letting the code parse packets which: a) proclaim to be larger than they really are, possibly causing the code to read from invalid memory locations while copying the packet; b) really do exceed the maximum size allowed and overflow data structures allocated on the heap, overwriting libc's allocation-related structures. This causes heap-corruption.

Reproducible: Always

Steps to Reproduce:
1. Get example file from "http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.cap" or generate it via "http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py"
2. Run it through aircrack-ng, airdecap-ng or airodump-ng ("airodump-ng -r aircrackng_exploit.cap")

Actual Results:
A SIGSEGV is thrown as all tools try to copy 65k from a buffer that is only ~150 bytes long. More careful layout of the packet's content may lead to heap corruption and remote code execution.

Expected Results:
The code should check the size of the buffer first and ignore hostile packets.

http://pyrit.wordpress.com/2010/03/28/remote-exploit-against-aircrack-ng/
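The check the report asks for, as an added example in C that is not aircrack-ng's own code: the 16-bit EAPOL body-length field is validated against both the bytes actually captured and the fixed 256-byte destination before anything is copied, rejecting the two malformed cases (a) and (b) described above. The header layout, the `eapol_buf` struct, the return codes and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EAPOL_HDR_LEN 4     /* version (1), type (1), big-endian body length (2) */
#define EAPOL_MAX     256   /* fixed buffer size mirrored from the report */

/* Constructed fixed-size destination, the kind of structure the report
 * says was overflowed. Not aircrack-ng's own definition. */
struct eapol_buf {
    uint8_t data[EAPOL_MAX];
    size_t  len;
};

enum { EAPOL_OK = 0, EAPOL_SHORT = -1, EAPOL_TRUNCATED = -2, EAPOL_TOO_LONG = -3 };

/* Copy one EAPOL frame into dst. `avail` is the number of bytes really
 * present in the captured frame. The vulnerable pattern trusted the length
 * at bytes 2..3 and copied that many bytes; here the declared length is
 * checked against what is available and against the destination first. */
int eapol_copy_checked(struct eapol_buf *dst, const uint8_t *pkt, size_t avail)
{
    if (avail < EAPOL_HDR_LEN)
        return EAPOL_SHORT;                             /* no full header */

    size_t body_len = ((size_t)pkt[2] << 8) | pkt[3];   /* big-endian field */
    size_t total    = EAPOL_HDR_LEN + body_len;

    if (total > avail)
        return EAPOL_TRUNCATED;   /* case (a): claims more than the frame holds */
    if (total > EAPOL_MAX)
        return EAPOL_TOO_LONG;    /* case (b): would overflow the fixed buffer */

    memcpy(dst->data, pkt, total);
    dst->len = total;
    return EAPOL_OK;
}

/* Constructed sample frames (not taken from the capture linked above). */
static const uint8_t good_frame[]  = { 0x01, 0x03, 0x00, 0x04, 0xAA, 0xBB, 0xCC, 0xDD }; /* body 4 */
static const uint8_t lying_frame[] = { 0x01, 0x03, 0xFF, 0xFF, 0xAA, 0xBB, 0xCC, 0xDD }; /* claims 65535 */

int demo_good(void)  { struct eapol_buf b; return eapol_copy_checked(&b, good_frame, sizeof good_frame); }
int demo_lying(void) { struct eapol_buf b; return eapol_copy_checked(&b, lying_frame, sizeof lying_frame); }
int demo_oversized(void)
{
    uint8_t big[300] = { 0x01, 0x03, 0x01, 0x28 };   /* body 296: total 300 bytes, all present */
    struct eapol_buf b;
    return eapol_copy_checked(&b, big, sizeof big);
}
```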
Created attachment 225585: Demonstrates denial-of-service in all aircrack-ng tools
*** Bug 315341 has been marked as a duplicate of this bug. ***
Please stabilize net-wireless/aircrack-ng-1.1.
Bug is not fixed in 1.1 See https://bugzilla.redhat.com/show_bug.cgi?id=577654
ebfe: Do the following revisions fix the remaining problems?
http://trac.aircrack-ng.org/changeset/1699
http://trac.aircrack-ng.org/changeset/1701
http://trac.aircrack-ng.org/changeset/1702
version 1.1 was released with the following fix:
http://trac.aircrack-ng.org/changeset/1676

This bug was then opened stating the fix was incomplete:
http://trac.aircrack-ng.org/ticket/728
https://bugzilla.redhat.com/show_bug.cgi?id=577654

And then the following commits were done post-1.1:
http://trac.aircrack-ng.org/changeset/1683
http://trac.aircrack-ng.org/changeset/1687
http://trac.aircrack-ng.org/changeset/1699
http://trac.aircrack-ng.org/changeset/1701
http://trac.aircrack-ng.org/changeset/1702
Created attachment 266675: -r1 ebuild that includes patch.

@netmon and @crypto, ping? There appears to be considerable interest in getting this package updated. Unless I am mistaken, these are the three fixes we need, and in reality, 1702 updates the changes made by 1699 and 1702.

> http://trac.aircrack-ng.org/changeset/1699
> http://trac.aircrack-ng.org/changeset/1701
> http://trac.aircrack-ng.org/changeset/1702

I've attached an -r1 ebuild and patch that *should* correct this issue. Please review and consider. Thanks!
Created attachment 266677 (diff): Patch for review
aircrack-ng-1.1-r2 in tree with patch. Thanks!
(In reply to comment #9)
> aircrack-ng-1.1-r2 in tree with patch.
> Thanks!

Thanks, Alon. Arches, please test and mark stable.
amd64 stable
x86 stable
ppc stable
arm stable, all arches done.
Thanks, everyone. New GLSA request filed.
This issue was resolved and addressed in GLSA 201310-06 at http://security.gentoo.org/glsa/glsa-201310-06.xml by GLSA coordinator Sergey Popov (pinkbyte).
CVE-2010-1159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1159): Multiple heap-based buffer overflows in Aircrack-ng before 1.1 allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) large length value in an EAPOL packet or (2) long EAPOL packet.