wpa_supplicant P2P SSID Parsing Flaw May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1032192|
SecurityTracker URL: http://securitytracker.com/id/1032192
(Links to External Site)
Date: Apr 23 2015
Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 1.0 - 2.4; with CONFIG_P2P build option enabled|
A vulnerability reported in wpa_supplicant. A remote user can cause denial of service conditions, obtain potentially sensitive information, or potentially execute arbitrary code on the target system.|
A remote user on the wireless network can send specially crafted SSID data to trigger a buffer overflow and potentially execute arbitrary code on the target system.
Specially crafted management frames that create or update P2P peer entries (e.g., Probe Response frame, P2P Public Action frames) can trigger this flaw.
The Google security team and smart hardware research group of Alibaba security team reported this vulnerability.
A remote user may be able to execute arbitrary code on the target system.|
A remote user can cause denial of service conditions.
A remote user can obtain potentially sensitive information.
The vendor has issued a patch, available at:|
The fix will be included in version 2.5.
The vendor's advisory is available at:
Vendor URL: w1.fi/wpa_supplicant/ (Links to External Site)
|Underlying OS: Android, Linux (Any), UNIX (FreeBSD), UNIX (NetBSD), UNIX (OpenBSD), UNIX (macOS/OS X), Windows (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: [oss-security] wpa_supplicant P2P SSID processing vulnerability|
Published: April 22, 2015
Latest version available from: http://w1.fi/security/2015-1/
A vulnerability was found in how wpa_supplicant uses SSID information
parsed from management frames that create or update P2P peer entries
(e.g., Probe Response frame or number of P2P Public Action frames). SSID
field has valid length range of 0-32 octets. However, it is transmitted
in an element that has a 8-bit length field and potential maximum
payload length of 255 octets. wpa_supplicant was not sufficiently
verifying the payload length on one of the code paths using the SSID
received from a peer device.
This can result in copying arbitrary data from an attacker to a fixed
length buffer of 32 bytes (i.e., a possible overflow of up to 223
bytes). The SSID buffer is within struct p2p_device that is allocated
from heap. The overflow can override couple of variables in the struct,
including a pointer that gets freed. In addition about 150 bytes (the
exact length depending on architecture) can be written beyond the end of
the heap allocation.
This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to wpa_supplicant process crash, exposure of memory contents during
GO Negotiation, and potentially arbitrary code execution.
wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled
Attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a suitably constructed
management frame that triggers a P2P peer device information to be
created or updated.
The vulnerability is easiest to exploit while the device has started an
active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
interface command in progress). However, it may be possible, though
significantly more difficult, to trigger this even without any active
P2P operation in progress.
Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.
Possible mitigation steps
- Merge the following commits to wpa_supplicant and rebuild it:
P2P: Validate SSID element length before copying it (CVE-2015-1863)
This patch is available from http://w1.fi/security/2015-1/
- Update to wpa_supplicant v2.5 or newer, once available
- Disable P2P (control interface command "P2P_SET disabled 1" or
"p2p_disabled=1" in (each, if multiple interfaces used) wpa_supplicant
- Disable P2P from the build (remove CONFIG_P2P=y)
Jouni Malinen PGP id EFC895FA