Bug 311797 (CVE-2010-1159) - <net-wireless/aircrack-ng-1.1-r2: Buffer overflow (CVE-2010-1159)
Summary: <net-wireless/aircrack-ng-1.1-r2: Buffer overflow (CVE-2010-1159)
Status: RESOLVED FIXED
Alias: CVE-2010-1159
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 315341
Depends on:
Blocks:
 
Reported: 2010-03-28 16:59 UTC by ebfe
Modified: 2013-11-05 02:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Demonstrates denial-of-service in all aircrack-ng tools (aircrackng_exploit.cap,191 bytes, application/octet-stream)
2010-03-28 17:00 UTC, ebfe
-r1 ebuild that includes patch. (aircrack-ng-1.1-r1.ebuild,2.21 KB, text/plain)
2011-03-21 05:21 UTC, Tim Sammut (RETIRED)
Patch for review (aircrack-ng-1.1-r1-CVE-2010-1159.patch,1014 bytes, patch)
2011-03-21 05:22 UTC, Tim Sammut (RETIRED)

Description ebfe 2010-03-28 16:59:03 UTC
We can cause aircrack-ng and airdecap-ng to crash when reading specially
crafted dump-files and can also crash remote airodump-ng sessions by sending
specifically crafted packets over the air. I am 90% sure that this
denial-of-service can be escalated to remote-code-execution by carefully
introducing new stations to airolib-ng (for memory allocation) and then causing
a heap corruption as demonstrated.

The tools’ code responsible for parsing IEEE802.11-packets assumes the
self-proclaimed length of an EAPOL-packet to be correct and never to exceed
an (arbitrary) maximum size of 256 bytes for packets that are part of the
EAPOL-authentication. We can exploit this by letting the code parse packets
which:
a) proclaim to be larger than they really are, possibly causing the code
to read from invalid memory locations while copying the packet;
b) really do exceed the maximum size allowed and overflow data structures
allocated on the heap, overwriting libc’s allocation-related
structures. This causes heap-corruption.

Reproducible: Always

Steps to Reproduce:
1. Get example file from
"http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.cap" or generate
it via "http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py"

2. Run it through aircrack-ng, airdecap-ng or airodump-ng ("airodump-ng -r
aircrackng_exploit.cap")

Actual Results:  
A SIGSEGV is thrown as all tools try to copy 65k from a buffer that is only
~150 bytes long. More careful layout of the packet's content may lead to heap corruption and remote code execution.

Expected Results:  
The code should check the size of the buffer first and ignore hostile packets.


http://pyrit.wordpress.com/2010/03/28/remote-exploit-against-aircrack-ng/
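
The length check the report asks for under "Expected Results", as an added example that is not part of the original report and is not aircrack-ng's code or its patch. `struct handshake`, `store_eapol` and `check_sample` are hypothetical names; the 4-byte EAPOL header layout is standard 802.1X, the 256-byte limit is the one named in the description, and the sample frames are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAPOL_HDR_LEN 4   /* version, type, 16-bit big-endian body length */
#define EAPOL_MAX 256     /* destination size: the limit named in the report */

/* Hypothetical per-station record; not aircrack-ng's own structure. */
struct handshake { uint8_t eapol[EAPOL_MAX]; size_t eapol_size; };

enum eapol_status { EAPOL_OK, EAPOL_TRUNCATED, EAPOL_OVERCLAIM, EAPOL_TOO_BIG };

/* pkt points at the EAPOL header; caplen is the number of bytes captured. */
enum eapol_status store_eapol(struct handshake *hs, const uint8_t *pkt, size_t caplen)
{
    if (caplen < EAPOL_HDR_LEN)
        return EAPOL_TRUNCATED;          /* length field itself is missing */
    size_t claimed = (((size_t)pkt[2] << 8) | pkt[3]) + EAPOL_HDR_LEN;
    if (claimed > caplen)
        return EAPOL_OVERCLAIM;          /* case (a): would read past the packet */
    if (claimed > sizeof hs->eapol)
        return EAPOL_TOO_BIG;            /* case (b): would overflow the heap record */
    memcpy(hs->eapol, pkt, claimed);
    hs->eapol_size = claimed;
    return EAPOL_OK;
}

/* Builds a constructed frame with the given length field and runs the check. */
enum eapol_status check_sample(uint16_t body_len, size_t caplen)
{
    static uint8_t pkt[512];
    struct handshake hs = { {0}, 0 };
    if (caplen > sizeof pkt)
        caplen = sizeof pkt;
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 1;                          /* protocol version */
    pkt[1] = 3;                          /* type 3 = EAPOL-Key */
    pkt[2] = (uint8_t)(body_len >> 8);
    pkt[3] = (uint8_t)(body_len & 0xff);
    return store_eapol(&hs, pkt, caplen);
}

int main(void)
{
    printf("claims 65535, 150 captured: %d\n", check_sample(0xFFFF, 150));
    printf("claims 296, 300 captured:   %d\n", check_sample(296, 300));
    printf("claims 95, 99 captured:     %d\n", check_sample(95, 99));
    return 0;
}
```

Both comparisons are needed: the first bounds the read by what was actually captured, the second bounds the write by the destination, and a frame is dropped rather than clamped when either fails.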
Comment 1 ebfe 2010-03-28 17:00:08 UTC
Created attachment 225585 [details]
Demonstrates denial-of-service in all aircrack-ng tools
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-04-29 21:07:18 UTC
*** Bug 315341 has been marked as a duplicate of this bug. ***
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-04-29 21:14:24 UTC
Please stabilize net-wireless/aircrack-ng-1.1.
Comment 4 ebfe 2010-04-30 06:16:14 UTC
Bug is not fixed in 1.1
See https://bugzilla.redhat.com/show_bug.cgi?id=577654
Comment 5 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-09-23 16:34:54 UTC
ebfe: Do the following revisions fix the remaining problems?
http://trac.aircrack-ng.org/changeset/1699
http://trac.aircrack-ng.org/changeset/1701
http://trac.aircrack-ng.org/changeset/1702
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-03-21 05:21:33 UTC
Created attachment 266675 [details]
-r1 ebuild that includes patch.

@netmon and @crypto, ping? There appears to be considerable interest in getting this package updated.

Unless I am mistaken, these are the three fixes we need, and in reality, 1702 updates the changes made by 1699 and 1702.

> http://trac.aircrack-ng.org/changeset/1699
> http://trac.aircrack-ng.org/changeset/1701
> http://trac.aircrack-ng.org/changeset/1702

I've attached an -r1 ebuild and patch that *should* correct this issue. Please review and consider. Thanks!
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-03-21 05:22:04 UTC
Created attachment 266677 [details, diff]
Patch for review
Comment 9 Alon Bar-Lev gentoo-dev 2012-12-15 21:47:01 UTC
aircrack-ng-1.1-r2 in tree with patch.
Thanks!
Comment 10 Sean Amoss gentoo-dev Security 2012-12-16 16:11:55 UTC
(In reply to comment #9)
> aircrack-ng-1.1-r2 in tree with patch.
> Thanks!

Thanks, Alon. 

Arches, please test and mark stable.
Comment 11 Agostino Sarubbo gentoo-dev 2012-12-16 16:54:57 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2012-12-16 16:55:18 UTC
x86 stable
Comment 13 Agostino Sarubbo gentoo-dev 2012-12-16 17:04:37 UTC
ppc stable
Comment 14 Markus Meier gentoo-dev 2012-12-23 18:17:40 UTC
arm stable, all arches done.
Comment 15 Sean Amoss gentoo-dev Security 2012-12-23 23:19:30 UTC
Thanks, everyone.

New GLSA request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-10-07 09:25:25 UTC
This issue was resolved and addressed in
 GLSA 201310-06 at http://security.gentoo.org/glsa/glsa-201310-06.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:38:40 UTC
CVE-2010-1159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1159):
  Multiple heap-based buffer overflows in Aircrack-ng before 1.1 allow remote
  attackers to cause a denial of service (crash) and execute arbitrary code
  via a (1) large length value in an EAPOL packet or (2) long EAPOL packet.