Wednesday, January 18, 2006

Real Wireless Vulnerability

At ShmooCon one talk discussed a somewhat obvious and not that exciting (to me) feature of Windows wireless networking. I don't consider automatic network connectivity to be a vulnerability, only a bad design choice. However, this morning I read this advisory on a real wireless vulnerability in FreeBSD's (and possibly other BSDs') wireless code. From the advisory:

II. Problem Description

An integer overflow in the handling of corrupt IEEE 802.11 beacon or
probe response frames when scanning for existing wireless networks can
result in the frame overflowing a buffer.

III. Impact

An attacker able to broadcast a carefully crafted beacon or probe response
frame may be able to execute arbitrary code within the context of the
FreeBSD kernel on any system scanning for wireless networks.

That's cool. Insert wireless NIC, be 0wn3d. I'm glad I heard about this prior to Black Hat Federal next week.
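The advisory describes corrupt beacon or probe response frames whose length fields end up overflowing a buffer. As an added illustration of the defensive pattern (this is not FreeBSD's net80211 code; the real fix is in the ieee80211_ioctl.c link in the comments), here is a bounds-checked parser for the tagged information elements in a beacon body, run over two constructed frames, one well-formed and one with a corrupt length field. The IE layout assumed is the standard 802.11 one: 1-byte element ID, 1-byte length, then that many bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SSID 32          /* 802.11 SSID element is at most 32 bytes */

struct scan_entry {
    uint8_t ssid[MAX_SSID];
    size_t  ssid_len;
    size_t  ie_total;        /* bytes of IEs a scan record would copy */
};

/* Parse the IE region of a beacon/probe response body (fixed fields already
 * skipped). Returns the number of IEs, or -1 if any length field runs past
 * the frame or exceeds what the element permits. */
int parse_beacon_ies(const uint8_t *ies, size_t len, struct scan_entry *out)
{
    size_t off = 0;
    int count = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 2)                 /* need the 2-byte ID/length header */
            return -1;
        uint8_t id = ies[off];
        size_t ie_len = ies[off + 1];      /* widen before any arithmetic */
        /* Compare against the bytes remaining rather than computing
         * off + 2 + ie_len in a narrow type, where overflow would hide. */
        if (ie_len > len - off - 2)
            return -1;
        const uint8_t *val = ies + off + 2;
        if (id == 0) {                     /* SSID element */
            if (ie_len > MAX_SSID)
                return -1;                 /* corrupt: longer than the spec allows */
            memcpy(out->ssid, val, ie_len);
            out->ssid_len = ie_len;
        }
        out->ie_total += 2 + ie_len;
        off += 2 + ie_len;
        count++;
    }
    return count;
}

/* Constructed sample: SSID "lab" followed by a Supported Rates IE. */
static const uint8_t good_frame[] = { 0x00, 0x03, 'l', 'a', 'b',
                                      0x01, 0x04, 0x82, 0x84, 0x8b, 0x96 };
/* Constructed corrupt sample: SSID IE claims 255 bytes but only 3 follow. */
static const uint8_t bad_frame[]  = { 0x00, 0xff, 'l', 'a', 'b' };

int check_good(void) { struct scan_entry e; return parse_beacon_ies(good_frame, sizeof good_frame, &e) == 2 && e.ssid_len == 3 && e.ie_total == 11; }
int check_bad(void)  { struct scan_entry e; return parse_beacon_ies(bad_frame, sizeof bad_frame, &e) == -1; }
```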

7 comments:

Anonymous said...

Patched a few hours ago...

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:05.80211.asc

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net80211/ieee80211_ioctl.c

Colin Percival said...

Note that exploiting this issue does not require that a system be connected to a wireless network -- rather, it simply requires that the system scan to determine which networks are available.

Srijith said...

Is this the same vul. for which OpenBSD decided that a fix will not be issued?

Richard Bejtlich said...

I thought that was an issue involving secure levels?

Anonymous said...

Is this the same vul. for which OpenBSD decided that a fix will not be issued?

no

I thought that was an issue involving secure levels?

yes

Jeff Cross said...

I have been keeping my FreeBSD 6.0 system up-to-date using freebsd-update. Is this patch rolled out through the updates issued with freebsd-update or should I update using another source?

I too will be at Black Hat Federal 2006 next week and would like very much not to be owned when I fire up my laptop (although I don't start any of my interfaces at boot, I will probably be looking for some wi-fi at some point).

Jeff

Richard Bejtlich said...

Jeff - yes. wlan.ko is updated below.

soekris:/root# uname -a
FreeBSD soekris.taosecurity.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386

soekris:/root# freebsd-update fetch
Fetching public key...
Fetching updates signature...
Fetching updates...
Fetching hash list signature...
Fetching hash list...
Examining local system...
Fetching updates...
/boot/kernel/ipfw.ko...
/boot/kernel/kernel...
/boot/kernel/linker.hints...
/boot/kernel/nfsclient.ko...
/boot/kernel/wlan.ko...
/usr/bin/cpio...
/usr/bin/edit...
/usr/bin/ee...
/usr/bin/ree...
/usr/bin/texindex...
/usr/share/man/man1/cpio.1.gz...
Updates fetched


To install these updates, run: '/usr/local/sbin/freebsd-update install'
soekris:/root# freebsd-update install
Backing up /boot/kernel/ipfw.ko...
Installing new /boot/kernel/ipfw.ko...
Backing up /boot/kernel/kernel...
Installing new /boot/kernel/kernel...
Backing up /boot/kernel/linker.hints...
Installing new /boot/kernel/linker.hints...
Backing up /boot/kernel/nfsclient.ko...
Installing new /boot/kernel/nfsclient.ko...
Backing up /boot/kernel/wlan.ko...
Installing new /boot/kernel/wlan.ko...
Backing up /usr/bin/cpio...
Installing new /usr/bin/cpio...
Backing up /usr/bin/edit...
Installing new /usr/bin/edit...
Backing up /usr/bin/ee...
Recreating hard link from /usr/bin/edit to /usr/bin/ee...
Backing up /usr/bin/ree...
Recreating hard link from /usr/bin/edit to /usr/bin/ree...
Backing up /usr/bin/texindex...
Installing new /usr/bin/texindex...
Backing up /usr/share/man/man1/cpio.1.gz...
Installing new /usr/share/man/man1/cpio.1.gz...
soekris:/root# shutdown -r now

soekris:/root# uname -a
FreeBSD soekris.taosecurity.com 6.0-SECURITY FreeBSD 6.0-SECURITY #0: Wed Jan 18 05:55:04 UTC 2006 root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386