Real Wireless Vulnerability
At ShmooCon one talk discussed a somewhat obvious and not that exciting (to me) feature of Windows wireless networking. I don't consider automatic network connectivity to be a vulnerability, only a bad design choice. However, this morning I read this advisory on a real wireless vulnerability in FreeBSD's (and possibly other BSDs') wireless code. From the advisory:
II. Problem Description
An integer overflow in the handling of corrupt IEEE 802.11 beacon or
probe response frames when scanning for existing wireless networks can
result in the frame overflowing a buffer.
III. Impact
An attacker able to broadcast a carefully crafted beacon or probe response
frame may be able to execute arbitrary code within the context of the
FreeBSD kernel on any system scanning for wireless networks.
That's cool. Insert wireless NIC, be 0wn3d. I'm glad I heard about this prior to Black Hat Federal next week.
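To make the advisory's one-sentence description concrete, here is an added example of the bug class it names, written for this post and not taken from the FreeBSD net80211 source (the real fix is in the ieee80211_ioctl.c revision linked in the comments). It parses the tagged information elements (IEs) of a beacon or probe response body, sizes a per-network scan record from their length bytes, and shows the vulnerable arithmetic beside a hardened version. The record layout (struct scan_result with an 8-bit ie_len), the function names, and the three sample frame bodies are all hypothetical, constructed here to exercise the code; the frames are not captured traffic.

```c
/*
 * Added example, not the FreeBSD net80211 code: sizing a scan-result
 * record from attacker-controlled 802.11 IE length bytes.
 * Beacon / probe-response body: timestamp(8) interval(2) capability(2),
 * then IEs, each tag(1) length(1) payload(length).
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BEACON_FIXED_LEN 12
#define IE_SSID          0
#define IE_VENDOR        0xdd

/* Hypothetical record handed to userland; ie_len is deliberately 8 bits. */
struct scan_result {
    uint8_t ssid_len;
    uint8_t ie_len;
    uint8_t data[];          /* SSID bytes, then the raw IEs */
};

struct sizing {
    size_t alloc;            /* bytes the record would be allocated with */
    size_t copy;             /* bytes the memcpy into it would write */
};

/* VULNERABLE: every declared IE length is trusted, and the total is
 * narrowed to the 8-bit ie_len when the record is sized. More than 255
 * bytes of IEs (legal 802.11) allocates from the truncated value but
 * copies in full; an IE claiming more than remains reads past the frame. */
struct sizing size_record_vuln(const uint8_t *body, size_t body_len)
{
    size_t off = BEACON_FIXED_LEN, ielen = 0, ssidlen = 0;

    while (off + 2 <= body_len) {
        uint8_t tag = body[off], len = body[off + 1];
        if (tag == IE_SSID)
            ssidlen = len;
        ielen += 2 + len;                    /* never checked against body_len */
        off   += 2 + len;
    }
    uint8_t ie8 = (uint8_t)ielen;            /* silent truncation */
    struct sizing s = {
        .alloc = sizeof(struct scan_result) + ssidlen + ie8,
        .copy  = ssidlen + ielen,
    };
    return s;
}

/* HARDENED: each length is checked against the bytes remaining, the SSID
 * is bounded, and the total must fit the field that will describe it.
 * Returns the record size to allocate, or -1 to drop the frame. */
long size_record_safe(const uint8_t *body, size_t body_len)
{
    size_t off = BEACON_FIXED_LEN, ielen = 0, ssidlen = 0;

    if (body_len < BEACON_FIXED_LEN)
        return -1;
    while (off < body_len) {
        if (body_len - off < 2)              /* truncated IE header */
            return -1;
        uint8_t tag = body[off], len = body[off + 1];
        if (len > body_len - off - 2)        /* IE claims more than remains */
            return -1;
        if (tag == IE_SSID) {
            if (len > 32)                    /* 802.11 SSID maximum */
                return -1;
            ssidlen = len;
        }
        ielen += 2 + len;
        off   += 2 + len;
    }
    if (ielen > UINT8_MAX)                   /* would not fit ie_len */
        return -1;
    return (long)(sizeof(struct scan_result) + ssidlen + ielen);
}

/* Constructed sample bodies (not captured traffic); each returns its length. */
uint8_t frame_buf[512];

static size_t start_body(uint8_t *b, const char *ssid)
{
    size_t n = BEACON_FIXED_LEN, sl = strlen(ssid);
    memset(b, 0, n);
    b[n++] = IE_SSID; b[n++] = (uint8_t)sl;
    memcpy(b + n, ssid, sl);
    return n + sl;
}

static size_t add_vendor_ie(uint8_t *b, size_t n, uint8_t claimed, size_t actual)
{
    b[n++] = IE_VENDOR; b[n++] = claimed;    /* declared length */
    memset(b + n, 0x41, actual);             /* bytes really present */
    return n + actual;
}

size_t make_good_frame(uint8_t *b)    { return add_vendor_ie(b, start_body(b, "lab"), 10, 10); }
/* Legal frame: 5 + 257 = 262 IE bytes, more than ie_len can hold. */
size_t make_crafted_frame(uint8_t *b) { return add_vendor_ie(b, start_body(b, "lab"), 255, 255); }
/* Corrupt frame: the vendor IE claims 200 bytes but only 10 follow. */
size_t make_corrupt_frame(uint8_t *b) { return add_vendor_ie(b, start_body(b, "lab"), 200, 10); }
```

On the crafted frame the vulnerable path allocates sizeof(struct scan_result) + 9 bytes and then copies 265, which is the "frame overflowing a buffer" the advisory describes, in kernel context, from nothing more than a beacon the victim's card hears while scanning. The hardened version refuses both the oversized and the corrupt frame; in practice you would also widen ie_len so that legitimate networks with long IE lists are not dropped, but the check against the field's capacity is what stops the overflow regardless of the field's width.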
Comments
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:05.80211.asc
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net80211/ieee80211_ioctl.c
no
I thought that was an issue involving secure levels?
yes
I too will be at Black Hat Federal 2006 next week and would like very much not to be owned when I fire up my laptop (although I don't start any of my interfaces at boot, I will probably be looking for some wi-fi at some point).
Jeff
soekris:/root# uname -a
FreeBSD soekris.taosecurity.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386
soekris:/root# freebsd-update fetch
Fetching public key...
Fetching updates signature...
Fetching updates...
Fetching hash list signature...
Fetching hash list...
Examining local system...
Fetching updates...
/boot/kernel/ipfw.ko...
/boot/kernel/kernel...
/boot/kernel/linker.hints...
/boot/kernel/nfsclient.ko...
/boot/kernel/wlan.ko...
/usr/bin/cpio...
/usr/bin/edit...
/usr/bin/ee...
/usr/bin/ree...
/usr/bin/texindex...
/usr/share/man/man1/cpio.1.gz...
Updates fetched
To install these updates, run: '/usr/local/sbin/freebsd-update install'
soekris:/root# freebsd-update install
Backing up /boot/kernel/ipfw.ko...
Installing new /boot/kernel/ipfw.ko...
Backing up /boot/kernel/kernel...
Installing new /boot/kernel/kernel...
Backing up /boot/kernel/linker.hints...
Installing new /boot/kernel/linker.hints...
Backing up /boot/kernel/nfsclient.ko...
Installing new /boot/kernel/nfsclient.ko...
Backing up /boot/kernel/wlan.ko...
Installing new /boot/kernel/wlan.ko...
Backing up /usr/bin/cpio...
Installing new /usr/bin/cpio...
Backing up /usr/bin/edit...
Installing new /usr/bin/edit...
Backing up /usr/bin/ee...
Recreating hard link from /usr/bin/edit to /usr/bin/ee...
Backing up /usr/bin/ree...
Recreating hard link from /usr/bin/edit to /usr/bin/ree...
Backing up /usr/bin/texindex...
Installing new /usr/bin/texindex...
Backing up /usr/share/man/man1/cpio.1.gz...
Installing new /usr/share/man/man1/cpio.1.gz...
soekris:/root# shutdown -r now
soekris:/root# uname -a
FreeBSD soekris.taosecurity.com 6.0-SECURITY FreeBSD 6.0-SECURITY #0: Wed Jan 18 05:55:04 UTC 2006 root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386