II. Problem Description
An integer overflow in the handling of corrupt IEEE 802.11 beacon or
probe response frames when scanning for existing wireless networks can
result in the frame overflowing a buffer.
III. Impact
An attacker able to broadcast a carefully crafted beacon or probe response
frame may be able to execute arbitrary code within the context of the
FreeBSD kernel on any system scanning for wireless networks.
That's cool. Insert wireless NIC, be 0wn3d. I'm glad I heard about this prior to Black Hat Federal next week.
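The bug class the advisory describes, as an added example that is not FreeBSD's net80211 code: a weak length accounting for the information elements of a beacon or probe response, which an oversized frame wraps past the bounds check, next to a hardened walker that rejects the same frame. The frame contents, element tags and 64-byte buffer size are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed illustration of the bug class in the advisory, not net80211's code.
 * A beacon / probe response body carries information elements (IEs): one tag
 * byte, one length byte, then the value. */
#define SCAN_BUF 64                /* fixed-size buffer a scan entry is assembled into */
uint8_t frame[300];                /* constructed frame body lives here */
uint8_t scan_buf[SCAN_BUF];        /* destination of the copy */

/* Weak accounting: the running total is a uint8_t that wraps, and the per-IE
 * length byte is never checked against the bytes left in the frame.
 * Returns 1 when the (wrong) check would let a copy into SCAN_BUF proceed. */
int weak_check_passes(const uint8_t *body, size_t body_len)
{
    uint8_t need = 0;
    for (size_t off = 0; off + 2 <= body_len; off += 2 + body[off + 1])
        need += 2 + body[off + 1];  /* integer overflow: 259 bytes wrap to 3 */
    return need <= SCAN_BUF;        /* passes, so the memcpy that follows overflows */
}

/* Hardened: each IE must lie inside the frame, the total is a size_t bounded by
 * body_len, and it is compared with dst_len before anything is copied.
 * Returns bytes copied, or -1 for a truncated or oversized frame. */
long copy_ies_safe(const uint8_t *body, size_t body_len, uint8_t *dst, size_t dst_len)
{
    size_t off = 0, need = 0;
    while (off < body_len) {
        if (body_len - off < 2) return -1;         /* truncated IE header */
        size_t len = body[off + 1];
        if (body_len - off - 2 < len) return -1;   /* IE claims bytes the frame lacks */
        need += 2 + len;                           /* <= body_len, cannot wrap */
        off += 2 + len;
    }
    if (need > dst_len) return -1;
    memcpy(dst, body, need);
    return (long)need;
}

/* Fill `frame` with a constructed body and return its length.  corrupt = 0:
 * SSID "lab" (tag 0) plus one supported rate (tag 1), 8 bytes.  corrupt = 1:
 * a 255-byte vendor IE (tag 221) followed by an empty IE, 259 bytes in all. */
size_t build_frame(int corrupt)
{
    static const uint8_t good[] = { 0, 3, 'l', 'a', 'b', 1, 1, 0x82 };
    if (!corrupt) { memcpy(frame, good, sizeof good); return sizeof good; }
    frame[0] = 221; frame[1] = 255; memset(frame + 2, 0xAA, 255);
    frame[257] = 0; frame[258] = 0;
    return 259;
}
```

The weak check accepts both frames, so a copy of the 259-byte body into the 64-byte buffer would go ahead; the hardened walker copies the well-formed frame and returns -1 for the oversized one.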


7 comments:
Patched a few hours ago...
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:05.80211.asc
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net80211/ieee80211_ioctl.c
Note that exploiting this issue does not require that a system be connected to a wireless network -- rather, it simply requires that the system scan to determine which networks are available.
Is this the same vul. for which OpenBSD decided that a fix will not be issued?
I thought that was an issue involving secure levels?
Is this the same vul. for which OpenBSD decided that a fix will not be issued?
no
I thought that was an issue involving secure levels?
yes
I have been keeping my FreeBSD 6.0 system up-to-date using freebsd-update. Is this patch rolled out through the updates issued with freebsd-update or should I update using another source?
I too will be at Black Hat Federal 2006 next week and would like very much not to be owned when I fire up my laptop (although I don't start any of my interfaces at boot, I will probably be looking for some wi-fi at some point).
Jeff
Jeff - yes. wlan.ko is updated below.
soekris:/root# uname -a
FreeBSD soekris.taosecurity.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386
soekris:/root# freebsd-update fetch
Fetching public key...
Fetching updates signature...
Fetching updates...
Fetching hash list signature...
Fetching hash list...
Examining local system...
Fetching updates...
/boot/kernel/ipfw.ko...
/boot/kernel/kernel...
/boot/kernel/linker.hints...
/boot/kernel/nfsclient.ko...
/boot/kernel/wlan.ko...
/usr/bin/cpio...
/usr/bin/edit...
/usr/bin/ee...
/usr/bin/ree...
/usr/bin/texindex...
/usr/share/man/man1/cpio.1.gz...
Updates fetched
To install these updates, run: '/usr/local/sbin/freebsd-update install'
soekris:/root# freebsd-update install
Backing up /boot/kernel/ipfw.ko...
Installing new /boot/kernel/ipfw.ko...
Backing up /boot/kernel/kernel...
Installing new /boot/kernel/kernel...
Backing up /boot/kernel/linker.hints...
Installing new /boot/kernel/linker.hints...
Backing up /boot/kernel/nfsclient.ko...
Installing new /boot/kernel/nfsclient.ko...
Backing up /boot/kernel/wlan.ko...
Installing new /boot/kernel/wlan.ko...
Backing up /usr/bin/cpio...
Installing new /usr/bin/cpio...
Backing up /usr/bin/edit...
Installing new /usr/bin/edit...
Backing up /usr/bin/ee...
Recreating hard link from /usr/bin/edit to /usr/bin/ee...
Backing up /usr/bin/ree...
Recreating hard link from /usr/bin/edit to /usr/bin/ree...
Backing up /usr/bin/texindex...
Installing new /usr/bin/texindex...
Backing up /usr/share/man/man1/cpio.1.gz...
Installing new /usr/share/man/man1/cpio.1.gz...
soekris:/root# shutdown -r now
soekris:/root# uname -a
FreeBSD soekris.taosecurity.com 6.0-SECURITY FreeBSD 6.0-SECURITY #0: Wed Jan 18 05:55:04 UTC 2006 root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386