We can cause aircrack-ng and airdecap-ng to crash when reading specially
crafted dump-files and can also crash remote airodump-ng sessions by sending
specifically crafted packets over the air. I am 90% sure that this
denial-of-service can be escalated to remote-code-execution by carefully
introducing new stations to airolib-ng (for memory allocation) and then causing
a heap corruption as demonstrated.
The tools' code responsible for parsing IEEE 802.11 packets assumes the
self-proclaimed length of an EAPOL packet to be correct and never to exceed
an (arbitrary) maximum size of 256 bytes for packets that are part of the
EAPOL authentication. We can exploit this by letting the code parse packets that
a) proclaim to be larger than they really are, possibly causing the code
to read from invalid memory locations while copying the packet;
b) really do exceed the maximum size allowed and overflow data structures
allocated on the heap, overwriting libc's allocation-related
structures. This causes heap corruption.
Steps to Reproduce:
1. Get example file from
"http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.cap" or generate
it via "http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py"
2. Run it through aircrack-ng, airdecap-ng or airodump-ng ("airodump-ng -r
A SIGSEGV is thrown as all tools try to copy 65k from a buffer that is only
~150 bytes long. More careful layout of the packet's content may lead to heap corruption and remote code execution.
The code should check the size of the buffer first and ignore hostile packets.
Created attachment 225585
Demonstrates denial-of-service in all aircrack-ng tools
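The two failure modes described in the report (a length field that claims more bytes than were captured, and a body that genuinely exceeds the fixed 256-byte per-station buffer) in a minimal EAPOL parser. This is an added illustration, not aircrack-ng's own code: the frame layout (24-byte 802.11 header, 8-byte LLC/SNAP, 4-byte 802.1X header), the `struct station` buffer, the helper names and the constructed sample frames are assumptions chosen to mirror the report, and the hostile frame is built to the same shape as the "65k claimed from a ~150-byte buffer" case it describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define EAPOL_MAX 256      /* fixed-size per-station buffer, as in the report above (assumed) */
#define HDR80211  24       /* plain 802.11 data header, no QoS, not ToDS+FromDS */
#define LLC_SNAP  8        /* AA AA 03 00 00 00 88 8E */
#define EAPOL_HDR 4        /* 802.1X: version, type, length (big-endian) */
#define EAPOL_OFF (HDR80211 + LLC_SNAP)

/* Hypothetical per-station state: the heap object the report says gets overflowed. */
struct station {
    uint8_t eapol[EAPOL_MAX];
    size_t  eapol_len;
};

static const uint8_t SNAP_8021X[LLC_SNAP] = {0xAA,0xAA,0x03,0x00,0x00,0x00,0x88,0x8E};

/* True if the frame is a data frame carrying an 802.1X payload and the header fits. */
static int is_eapol(const uint8_t *frame, size_t len) {
    if (len < EAPOL_OFF + EAPOL_HDR) return 0;
    if ((frame[0] & 0x0C) != 0x08) return 0;            /* frame-control type: data */
    return memcmp(frame + HDR80211, SNAP_8021X, LLC_SNAP) == 0;
}

/* The packet's own, untrusted statement of its EAPOL body length. */
static size_t claimed_eapol_len(const uint8_t *frame) {
    return ((size_t)frame[EAPOL_OFF + 2] << 8) | frame[EAPOL_OFF + 3];
}

/* Vulnerable pattern: the self-proclaimed length alone decides how much to copy.
 * Returned rather than executed so the example can show the number safely. */
static size_t vulnerable_copy_len(const uint8_t *frame, size_t len) {
    if (!is_eapol(frame, len)) return 0;
    return EAPOL_HDR + claimed_eapol_len(frame);       /* no check against len or EAPOL_MAX */
}

/* Hardened pattern: bound the copy by the bytes actually captured AND by the destination.
 * 0 = copied, -1 = not EAPOL, -2 = case a) (claims more than present), -3 = case b) (too big). */
static int parse_eapol_safe(const uint8_t *frame, size_t len, struct station *st) {
    if (!is_eapol(frame, len)) return -1;
    size_t total = EAPOL_HDR + claimed_eapol_len(frame);
    size_t avail = len - EAPOL_OFF;                     /* bytes really present after LLC/SNAP */
    if (total > avail)     return -2;                   /* would read past the capture buffer */
    if (total > EAPOL_MAX) return -3;                   /* would overflow the heap object */
    memcpy(st->eapol, frame + EAPOL_OFF, total);
    st->eapol_len = total;
    return 0;
}

/* Constructed sample frame: `claimed` goes into the 802.1X length field,
 * `body` bytes of filler are actually appended. Returns the frame length. */
static size_t build_frame(uint8_t *out, size_t cap, uint16_t claimed, size_t body) {
    size_t len = EAPOL_OFF + EAPOL_HDR + body;
    if (len > cap) return 0;
    memset(out, 0, len);
    out[0] = 0x08;                                      /* data frame */
    memcpy(out + HDR80211, SNAP_8021X, LLC_SNAP);
    out[EAPOL_OFF + 0] = 0x01;                          /* 802.1X version */
    out[EAPOL_OFF + 1] = 0x03;                          /* type: EAPOL-Key */
    out[EAPOL_OFF + 2] = (uint8_t)(claimed >> 8);
    out[EAPOL_OFF + 3] = (uint8_t)(claimed & 0xFF);
    memset(out + EAPOL_OFF + EAPOL_HDR, 0x41, body);
    return len;
}

/* Small wrappers so each case is a single call. */
static int check_case(uint16_t claimed, size_t body) {
    uint8_t buf[512]; struct station st = {0};
    size_t len = build_frame(buf, sizeof buf, claimed, body);
    return parse_eapol_safe(buf, len, &st);
}
static size_t check_vuln_len(uint16_t claimed, size_t body) {
    uint8_t buf[512];
    size_t len = build_frame(buf, sizeof buf, claimed, body);
    return vulnerable_copy_len(buf, len);
}

int main(void) {
    uint8_t buf[512];
    size_t len = build_frame(buf, sizeof buf, 0xFFFF, 117);     /* ~150-byte hostile frame */
    printf("hostile frame: %zu bytes captured, vulnerable code would copy %zu\n",
           len, vulnerable_copy_len(buf, len));
    printf("benign 95-byte body: %d, claims 65535: %d, real 300-byte body: %d\n",
           check_case(95, 95), check_case(0xFFFF, 117), check_case(300, 300));
    return 0;
}
```

The benign frame copies 99 bytes and returns 0; the 153-byte frame that claims 65535 is rejected with -2 before any copy (the vulnerable path would have copied 65539 bytes out of it); a frame whose 300-byte body is genuinely present is rejected with -3 because it would overrun the 256-byte station buffer. Both checks are needed: the first alone still lets case b) through.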
*** Bug 315341 has been marked as a duplicate of this bug. ***
Please stabilize net-wireless/aircrack-ng-1.1.
Bug is not fixed in 1.1
ebfe: Do the following revisions fix the remaining problems?
version 1.1 was released with the following fix:
This bug was then opened stating the fix was incomplete:
And then the following commits were done post-1.1:
Created attachment 266675
-r1 ebuild that includes patch.
@netmon and @crypto, ping? There appears to be considerable interest in getting this package updated.
Unless I am mistaken, these are the three fixes we need, and in reality, 1702 updates the changes made by 1699 and 1702.
I've attached an -r1 ebuild and patch that *should* correct this issue. Please review and consider. Thanks!
Created attachment 266677
Patch for review
aircrack-ng-1.1-r2 in tree with patch.
(In reply to comment #9)
> aircrack-ng-1.1-r2 in tree with patch.
Arches, please test and mark stable.
arm stable, all arches done.
New GLSA request filed.
This issue was resolved and addressed in
GLSA 201310-06 at http://security.gentoo.org/glsa/glsa-201310-06.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Multiple heap-based buffer overflows in Aircrack-ng before 1.1 allow remote
attackers to cause a denial of service (crash) and execute arbitrary code
via a (1) large length value in an EAPOL packet or (2) long EAPOL packet.