--------------------------------------------------------------------------------
signedness.org public security advisory 0x1
--------------------------------------------------------------------------------

Author       : Karl Janmar
Application  : BSD 802.11 protocol stack
Versions     : All versions are believed to be vulnerable
Availability : http://www.signedness.org/advisories/sps-0x1.txt

--------------------------------------------------------------------------------
Abstract:
--------------------------------------------------------------------------------

There are several exploitable conditions in the BSD 802.11 implementations.
Many of these are relatively low-risk vulnerabilities. There are, however, also
remotely exploitable kernel stack overflows present; by exploiting these, an
attacker can gain root privileges remotely.

Technical details:
--------------------------------------------------------------------------------

Throughout the code many calls to memcpy() and other functions are made without
any validation of the length argument. In certain cases the data is copied to
the stack, leading to a straightforward REMOTE kernel stack overflow.

Whilst no proof of concept or exploit code will be made available, we assure
you this vulnerability is very much real and NOT theoretical, as illustrated by
the crash dump shown below.

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xdefaced
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xdefaced
stack pointer           = 0x28:0xdd919b54
frame pointer           = 0x28:0x39383736
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 466 (wpa_supplicant)
trap number             = 12
panic: page fault
Uptime: 1m36s

on this system:

$ uname -a
FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386

http://www.signedness.org
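As an added illustration of the defect class described under Technical details (not code from this advisory or from any BSD source tree), the checks an 802.11 element parser needs before copying a frame-supplied length into a fixed-size stack buffer. The element layout follows the 802.11 id/length/payload encoding; the buffer size, function names and sample frames are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* An 802.11 information element (IE) is a 1-byte id, a 1-byte length,
 * then `length` payload bytes.  The length arrives in the radio frame,
 * so it is attacker-controlled and must never be trusted as-is. */
#define IEEE80211_NWID_LEN 32   /* maximum SSID length (assumed constant name) */
#define IE_SSID_ID 0

/* Copy the SSID element at `ie` (with `remaining` frame bytes left) into
 * the caller's fixed-size buffer.  Returns the SSID length, or -1 if the
 * element is truncated or its declared length exceeds the destination.
 * Each check below is exactly what a bare memcpy(dst, ie + 2, ie[1]) omits. */
int copy_ssid_ie(const uint8_t *ie, size_t remaining,
                 uint8_t *dst, size_t dstlen)
{
    if (remaining < 2)              /* no room for the id + length header */
        return -1;
    if (ie[0] != IE_SSID_ID)
        return -1;
    size_t len = ie[1];
    if (len > remaining - 2)        /* frame claims more bytes than it carries */
        return -1;
    if (len > dstlen)               /* would overrun the stack buffer */
        return -1;
    memcpy(dst, ie + 2, len);
    return (int)len;
}

/* Constructed sample frames for a stand-alone run. */
int demo_good(void)
{
    const uint8_t ie[] = { IE_SSID_ID, 4, 'h', 'o', 'm', 'e' };
    uint8_t ssid[IEEE80211_NWID_LEN];
    return copy_ssid_ie(ie, sizeof ie, ssid, sizeof ssid);   /* 4 */
}

int demo_oversized(void)
{
    /* Declared length 0xff: far larger than the 32-byte destination. */
    uint8_t ie[2 + 255] = { IE_SSID_ID, 0xff };
    uint8_t ssid[IEEE80211_NWID_LEN];
    return copy_ssid_ie(ie, sizeof ie, ssid, sizeof ssid);   /* -1 */
}

int demo_truncated(void)
{
    /* Declared length 10 but only one payload byte actually present. */
    const uint8_t ie[] = { IE_SSID_ID, 10, 'a' };
    uint8_t ssid[IEEE80211_NWID_LEN];
    return copy_ssid_ie(ie, sizeof ie, ssid, sizeof ssid);   /* -1 */
}
```

The destination check guards the stack buffer; the remaining-bytes check guards against reading past the end of the received frame, which is the other half of the same unvalidated-length problem.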