Bug 311797 (CVE-2010-1159) - <net-wireless/aircrack-ng-1.1-r2: Buffer overflow (CVE-2010-1159)
Summary: <net-wireless/aircrack-ng-1.1-r2: Buffer overflow (CVE-2010-1159)
Alias: CVE-2010-1159
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Duplicates: 315341
Reported: 2010-03-28 16:59 UTC by ebfe
Modified: 2013-11-05 02:38 UTC
Attachments:
aircrackng_exploit.cap (191 bytes, application/octet-stream): Demonstrates denial-of-service in all aircrack-ng tools. 2010-03-28 17:00 UTC, ebfe
aircrack-ng-1.1-r1.ebuild (2.21 KB, text/plain): -r1 ebuild that includes patch. 2011-03-21 05:21 UTC, Tim Sammut (RETIRED)
aircrack-ng-1.1-r1-CVE-2010-1159.patch (1014 bytes, patch): Patch for review. 2011-03-21 05:22 UTC, Tim Sammut (RETIRED)

Description ebfe 2010-03-28 16:59:03 UTC
We can cause aircrack-ng and airdecap-ng to crash when reading specially
crafted dump-files and can also crash remote airodump-ng sessions by sending
specifically crafted packets over the air. I am 90% sure that this
denial-of-service can be escalated to remote-code-execution by carefully
introducing new stations to airolib-ng (for memory allocation) and then causing
a heap corruption as demonstrated.

The tools' code responsible for parsing IEEE802.11-packets assumes the
self-proclaimed length of an EAPOL-packet to be correct and never to exceed
an (arbitrary) maximum size of 256 bytes for packets that are part of the
EAPOL-authentication. We can exploit this by letting the code parse packets that
a) proclaim to be larger than they really are, possibly causing the code
to read from invalid memory locations while copying the packet;
b) really do exceed the maximum size allowed and overflow data structures
allocated on the heap, overwriting libc's allocation-related
structures. This causes heap-corruption.

Reproducible: Always

Steps to Reproduce:
1. Get example file from
"" or generate
it via ""

2. Run it through aircrack-ng, airdecap-ng or airodump-ng ("airodump-ng -r

Actual Results:  
A SIGSEGV is thrown as all tools try to copy 65k from a buffer that is only
~150 bytes long. More careful layout of the packet's content may lead to heap corruption and remote code execution.

Expected Results:  
The code should check the size of the buffer first and ignore hostile packets.
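The check the reporter asks for, as an added illustration that is not code from this bug, its attachments or aircrack-ng itself: an EAPOL copy routine that validates the self-proclaimed body length against both the captured length and the destination buffer before copying. The header layout follows IEEE 802.1X (version, type, 2-byte big-endian body length); the 256-byte cap, the function names and the sample packets are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EAPOL_HDR_LEN  4      /* version(1) type(1) body_length(2) */
#define EAPOL_MAX_BODY 256    /* assumed fixed-size destination, as in the report */

/* Unchecked pattern the report describes (never called here): the proclaimed
   length alone decides how much is copied, so a 0xFFFF length in a short
   capture reads past the source and a long body writes past the heap buffer. */
static int eapol_copy_unchecked(const uint8_t *pkt, uint8_t *out)
{
    size_t body_len = ((size_t)pkt[2] << 8) | pkt[3];
    memcpy(out, pkt, EAPOL_HDR_LEN + body_len);
    return (int)body_len;
}

/* Hardened form: returns the body length on success, -1 for a packet that is
   truncated, proclaims more than was captured, or exceeds the buffer. */
int eapol_copy_checked(const uint8_t *pkt, size_t caplen,
                       uint8_t *out, size_t out_cap)
{
    if (caplen < EAPOL_HDR_LEN) return -1;              /* header not fully captured */
    size_t body_len = ((size_t)pkt[2] << 8) | pkt[3];   /* self-proclaimed length */
    if (body_len > caplen - EAPOL_HDR_LEN) return -1;   /* case a): claims more than exists */
    if (body_len > EAPOL_MAX_BODY) return -1;           /* case b): exceeds the 256-byte cap */
    if (EAPOL_HDR_LEN + body_len > out_cap) return -1;  /* never trust the cap alone */
    memcpy(out, pkt, EAPOL_HDR_LEN + body_len);
    return (int)body_len;
}

/* Constructed samples: a benign 8-byte body, a 0xFFFF claim in a 6-byte
   capture (the crash case), and a 300-byte body that really is that long. */
static const uint8_t pkt_good[12]   = {0x01, 0x03, 0x00, 0x08, 1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t pkt_claim[6]   = {0x01, 0x03, 0xFF, 0xFF, 0xAA, 0xBB};
static uint8_t       pkt_long[304]  = {0x01, 0x03, 0x01, 0x2C};   /* 0x012C = 300 */

int demo_good(void)  { uint8_t out[EAPOL_HDR_LEN + EAPOL_MAX_BODY];
                       return eapol_copy_checked(pkt_good,  sizeof pkt_good,  out, sizeof out); }
int demo_claim(void) { uint8_t out[EAPOL_HDR_LEN + EAPOL_MAX_BODY];
                       return eapol_copy_checked(pkt_claim, sizeof pkt_claim, out, sizeof out); }
int demo_long(void)  { uint8_t out[EAPOL_HDR_LEN + EAPOL_MAX_BODY];
                       return eapol_copy_checked(pkt_long,  sizeof pkt_long,  out, sizeof out); }
```

The unchecked routine is kept only for contrast with the checked one; the three demo functions exercise the benign, over-claiming and oversize cases against the hardened version.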
Comment 1 ebfe 2010-03-28 17:00:08 UTC
Created attachment 225585 [details]
Demonstrates denial-of-service in all aircrack-ng tools
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-04-29 21:07:18 UTC
*** Bug 315341 has been marked as a duplicate of this bug. ***
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-04-29 21:14:24 UTC
Please stabilize net-wireless/aircrack-ng-1.1.
Comment 4 ebfe 2010-04-30 06:16:14 UTC
Bug is not fixed in 1.1
Comment 5 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-09-23 16:34:54 UTC
ebfe: Do the following revisions fix the remaining problems?
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-03-21 05:21:33 UTC
Created attachment 266675 [details]
-r1 ebuild that includes patch.

@netmon and @crypto, ping? There appears to be considerable interest in getting this package updated.

Unless I am mistaken, these are the three fixes we need, and in reality, 1702 updates the changes made by 1699 and 1702.
I've attached an -r1 ebuild and patch that *should* correct this issue. Please review and consider. Thanks!
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-03-21 05:22:04 UTC
Created attachment 266677 [details, diff]
Patch for review
Comment 9 Alon Bar-Lev (RETIRED) gentoo-dev 2012-12-15 21:47:01 UTC
aircrack-ng-1.1-r2 in tree with patch.
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-16 16:11:55 UTC
(In reply to comment #9)
> aircrack-ng-1.1-r2 in tree with patch.
> Thanks!

Thanks, Alon. 

Arches, please test and mark stable.
Comment 11 Agostino Sarubbo gentoo-dev 2012-12-16 16:54:57 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2012-12-16 16:55:18 UTC
x86 stable
Comment 13 Agostino Sarubbo gentoo-dev 2012-12-16 17:04:37 UTC
ppc stable
Comment 14 Markus Meier gentoo-dev 2012-12-23 18:17:40 UTC
arm stable, all arches done.
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-23 23:19:30 UTC
Thanks, everyone.

New GLSA request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-10-07 09:25:25 UTC
This issue was resolved and addressed in GLSA 201310-06 at by GLSA coordinator Sergey Popov (pinkbyte).
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:38:40 UTC
CVE-2010-1159 (
Multiple heap-based buffer overflows in Aircrack-ng before 1.1 allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) large length value in an EAPOL packet or (2) long EAPOL packet.