About a month ago I identified four vulnerabilities in the Aircrack-ng suite. A brief but technical description of each may be found below. References to the proof-of-concept exploit code and the OSI advisory may be found at the end of this article.
CVE-2014-8322
One of them could lead to remote code execution. Specifically, aireplay-ng's tcp_test function reads a net_hdr structure (nh) from the remote peer; the structure carries a length field, nh_len, which is used unchecked as the length argument of the next read into a fixed-size stack buffer, leading to a stack-based buffer overflow.
Vulnerable code:
struct net_hdr {
    uint8_t  nh_type;
    uint32_t nh_len;          /* attacker-controlled length, big-endian */
    uint8_t  nh_data[0];
};

int tcp_test(const char* ip_str, const short port)
{
    unsigned char packet[1024];         /* fixed-size stack buffer */
    /* ... */
    caplen = read(sock, &nh, sizeof(nh));
    /* ... */
    len = ntohl(nh.nh_len);             /* never compared to sizeof(packet) */
    /* ... */
    caplen = read(sock, packet, len);   /* stack overflow when len > 1024 */
    /* ... */
}
As a proof of concept, I wrote an exploit for this vulnerability for Kali Linux, tested on Kali 1.0.9 with package 1.2-beta3-0kali0 and on Kali 1.0.9a with package 1.2-beta3-0kali2. Stack cookie protection was added in 1.2-beta3-0kali3.
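To make the missing check concrete, here is an added example of the same header-then-payload read sequence with the declared length validated before it is used. This is illustration code written for this article, not code from Aircrack-ng; the TCP socket is replaced by an in-memory byte stream so it runs offline, and fake_sock, fake_read, net_read_packet and build_frame are made-up names. The wire layout assumed is a packed net_hdr: one type byte followed by a big-endian 32-bit length, five bytes in total.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire format: one type byte, then a big-endian 32-bit length. */
#define NET_HDR_SIZE 5

/* In-memory stand-in for the TCP socket (hypothetical, constructed data). */
struct fake_sock {
    const uint8_t *buf;
    size_t len;
    size_t off;
};

/* Behaves like a blocking read(): returns up to n bytes, 0 at end of stream. */
static size_t fake_read(struct fake_sock *s, void *dst, size_t n)
{
    size_t avail = s->len - s->off;
    if (n > avail)
        n = avail;
    memcpy(dst, s->buf + s->off, n);
    s->off += n;
    return n;
}

/* Hardened form of the tcp_test read sequence: the header's length field is
 * peer-controlled, so it is compared against the destination capacity before
 * it becomes a read length. Returns the payload length, or -1 on error. */
int net_read_packet(struct fake_sock *s, uint8_t *packet, size_t cap, uint8_t *type)
{
    uint8_t hdr[NET_HDR_SIZE];
    uint32_t len;

    if (fake_read(s, hdr, sizeof hdr) != sizeof hdr)
        return -1;
    len = ((uint32_t)hdr[1] << 24) | ((uint32_t)hdr[2] << 16) |
          ((uint32_t)hdr[3] << 8)  |  (uint32_t)hdr[4];

    if (len > cap)                  /* the check the vulnerable code lacked */
        return -1;
    if (fake_read(s, packet, len) != len)
        return -1;                  /* short read: peer closed early */

    *type = hdr[0];
    return (int)len;
}

/* Builds a frame: header with declared_len, then payload_len bytes of fill. */
static size_t build_frame(uint8_t *out, uint8_t type, uint32_t declared_len,
                          size_t payload_len, uint8_t fill)
{
    out[0] = type;
    out[1] = (uint8_t)(declared_len >> 24);
    out[2] = (uint8_t)(declared_len >> 16);
    out[3] = (uint8_t)(declared_len >> 8);
    out[4] = (uint8_t)declared_len;
    memset(out + NET_HDR_SIZE, fill, payload_len);
    return NET_HDR_SIZE + payload_len;
}

/* Well-formed frame: declared length 4, four payload bytes. */
int demo_good_frame(void)
{
    uint8_t wire[64], packet[1024], type = 0;
    struct fake_sock s = { wire, build_frame(wire, 1, 4, 4, 'A'), 0 };
    return net_read_packet(&s, packet, sizeof packet, &type);
}

/* Hostile frame: declared length 65536 against a 1024-byte packet buffer.
 * The original read would write into the stack buffer anyway; here the
 * frame is rejected before any payload is read. */
int demo_oversized_frame(void)
{
    uint8_t wire[64], packet[1024], type = 0;
    struct fake_sock s = { wire, build_frame(wire, 1, 65536, 8, 'B'), 0 };
    return net_read_packet(&s, packet, sizeof packet, &type);
}

int main(void)
{
    printf("good frame: %d\n", demo_good_frame());
    printf("oversized frame: %d\n", demo_oversized_frame());
    return 0;
}
```

The length is parsed byte by byte rather than through the struct so that the example does not depend on struct packing; in the real code the same check belongs right after ntohl(nh.nh_len), before the second read.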
CVE-2014-8321
Another vulnerability is local code execution and privilege escalation in airodump-ng's gps_tracker function. airodump-ng connects to gpsd on localhost port 2947, reads GPS data into a 256-byte stack buffer, line, and then reads again into line plus the length of the data already received (pos), each time asking for sizeof(line)-1 bytes. Nothing reduces the requested length by pos, so the second read can write past the end of line. Since airodump-ng runs as root and any local user can listen on the unprivileged port 2947, this is a privilege escalation.
Vulnerable code:
void gps_tracker( void )
{
    int pos;
    char line[256];
    /* ... */
    recv(gpsd_sock, line, sizeof( line ) - 1, 0);
    /* ... */
    pos = strlen(line);                 /* bytes already in line, up to 255 */
    /* ... */
    while (G.do_exit == 0) {
        /* asks for sizeof(line)-1 bytes regardless of pos */
        read(gpsd_sock, line + pos, sizeof(line) - 1);
    }
}
This vulnerability can also serve as an example of bypassing stack cookie protection in a client-side exploit. We first send enough data to fill line, so that pos reaches the end of the buffer, then send a second chunk that overflows past line and overwrites pos with the distance from line to the saved return address on the stack. The following read then lands directly on the return address, leaving the cookie between them untouched.
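The fix for this bug is to bound each read by the space left after pos, and the example below, added for this article and not taken from airodump-ng, shows that accumulating read alongside a small function that computes how far the original unbounded read could reach past the buffer. The gpsd socket is replaced by a list of constructed chunks; fake_gpsd, fake_recv, gps_read_bounded and overflow_bytes are made-up names. The cookie bypass itself is not demonstrated, only the bound that prevents it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for the gpsd socket: delivers one constructed chunk per call. */
struct fake_gpsd {
    const char **chunks;
    size_t nchunks;
    size_t next;
};

/* Like recv(): copies at most cap bytes of the next chunk, 0 when exhausted. */
static size_t fake_recv(struct fake_gpsd *g, char *dst, size_t cap)
{
    size_t n;
    if (g->next >= g->nchunks || cap == 0)
        return 0;
    n = strlen(g->chunks[g->next]);
    if (n > cap)
        n = cap;                  /* excess is dropped; enough for the demo */
    memcpy(dst, g->chunks[g->next], n);
    g->next++;
    return n;
}

/* Accumulate gpsd output into a fixed buffer. Each read is bounded by the
 * room left after pos, which is exactly what gps_tracker omitted when it
 * asked for sizeof(line)-1 bytes at line+pos. Returns bytes stored, or -1
 * when the peer sends more than fits. */
int gps_read_bounded(struct fake_gpsd *g, char *line, size_t line_size)
{
    size_t pos = 0;
    line[0] = '\0';
    for (;;) {
        size_t room = line_size - 1 - pos;   /* keep one byte for the NUL */
        size_t n;
        if (room == 0)
            return -1;                       /* peer is flooding: bail out */
        n = fake_recv(g, line + pos, room);
        if (n == 0)
            break;
        pos += n;
        line[pos] = '\0';
    }
    return (int)pos;
}

/* Bytes the original unbounded read could place past the end of line when
 * pos bytes are already present: pos + (line_size-1) - line_size. */
size_t overflow_bytes(size_t pos, size_t line_size)
{
    size_t requested = line_size - 1;
    return (pos + requested > line_size) ? pos + requested - line_size : 0;
}

/* Three short JSON fragments, as gpsd streams them (constructed sample). */
int demo_normal_fix(void)
{
    const char *chunks[] = { "{\"class\":\"TPV\",", "\"lat\":38.0,", "\"lon\":23.7}\n" };
    struct fake_gpsd g = { chunks, 3, 0 };
    char line[256];
    return gps_read_bounded(&g, line, sizeof line);
}

/* A malicious local "gpsd" sends 300 bytes twice: the first read stops at
 * 255 and the second is refused instead of overrunning the stack. */
int demo_flood(void)
{
    static char big[301];
    const char *chunks[2];
    struct fake_gpsd g;
    char line[256];
    memset(big, 'A', 300);
    big[300] = '\0';
    chunks[0] = big;
    chunks[1] = big;
    g.chunks = chunks;
    g.nchunks = 2;
    g.next = 0;
    return gps_read_bounded(&g, line, sizeof line);
}

int main(void)
{
    printf("normal fix: %d bytes\n", demo_normal_fix());
    printf("flood: %d\n", demo_flood());
    printf("max overrun with pos=255: %zu bytes\n", overflow_bytes(255, 256));
    return 0;
}
```

With pos already at 255, the original request for another 255 bytes at line+pos reaches 254 bytes beyond the buffer, which is what puts pos and the saved return address within an attacker's reach.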
CVE-2014-8324
The third vulnerability is a denial of service in net_get. The length field from the received header is stored into the len argument and returned by reference without validation, so net_get can return with a negative length that the caller then uses as if it were valid, for example as the size argument of memcpy, where it is converted to a huge unsigned value.
Vulnerable code:
static int net_get_nopacket(struct priv_net *pn, void *arg, int *len)
{
    int l;
    /* ... */
    net_get( pn->pn_s, buf, &l);    /* l comes straight from the peer's header */
    /* ... */
    memcpy(arg, buf, l);            /* negative l becomes a huge size_t */
}
CVE-2014-8323
The last vulnerability is a denial of service in buddy-ng: handle_dude receives a UDP datagram and passes its length to handle, which subtracts two from len and then copies the data into cmd with length plen. When a one-byte datagram arrives, len equals one, the subtraction yields -1, memcpy treats it as an enormous unsigned length and the process crashes with a segmentation fault.
Vulnerable code:
void handle_dude(int dude, int udp)
{
    /* ... */
    rc = recvfrom(udp, buf, sizeof(buf), 0,
                  (struct sockaddr*) &s_in, &len);
    handle(dude, buf, rc, &s_in);   /* rc may be 0 or 1 */
}

int handle(int s, unsigned char* data, int len, struct sockaddr_in *s_in)
{
    /* ... */
    plen = len - 2;                 /* -1 when len == 1 */
    /* ... */
    memcpy(cmd, data+2, plen);      /* (size_t)-1 as length: crash */
}