SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   wpa_supplicant Vendors:   Malinen, Jouni et al
wpa_supplicant P2P SSID Parsing Flaw May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1032192
SecurityTracker URL:  http://securitytracker.com/id/1032192
CVE Reference:   CVE-2015-1863   (Links to External Site)
Date:  Apr 23 2015
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.0 - 2.4; with CONFIG_P2P build option enabled
Description:   A vulnerability reported in wpa_supplicant. A remote user can cause denial of service conditions, obtain potentially sensitive information, or potentially execute arbitrary code on the target system.

A remote user on the wireless network can send specially crafted SSID data to trigger a buffer overflow and potentially execute arbitrary code on the target system.

Specially crafted management frames that create or update P2P peer entries (e.g., Probe Response frame, P2P Public Action frames) can trigger this flaw.

The Google security team and smart hardware research group of Alibaba security team reported this vulnerability.

Impact:   A remote user may be able to execute arbitrary code on the target system.

A remote user can cause denial of service conditions.

A remote user can obtain potentially sensitive information.

Solution:   The vendor has issued a patch, available at:

http://w1.fi/security/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch

The fix will be included in version 2.5.

The vendor's advisory is available at:

http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt

Vendor URL:  w1.fi/wpa_supplicant/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Android, Linux (Any), UNIX (FreeBSD), UNIX (NetBSD), UNIX (OpenBSD), UNIX (macOS/OS X), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 12 2015 (Red Hat Issues Fix) wpa_supplicant P2P SSID Parsing Flaw May Let Remote Users Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Jun 18 2015 (CentOS Issues Fix) wpa_supplicant P2P SSID Parsing Flaw May Let Remote Users Execute Arbitrary Code
CentOS has issued a fix for CentOS 7.



 Source Message Contents

Subject:  [oss-security] wpa_supplicant P2P SSID processing vulnerability

Published: April 22, 2015
Identifier: CVE-2015-1863
Latest version available from: http://w1.fi/security/2015-1/


Vulnerability

A vulnerability was found in how wpa_supplicant uses SSID information
parsed from management frames that create or update P2P peer entries
(e.g., Probe Response frame or number of P2P Public Action frames). SSID
field has valid length range of 0-32 octets. However, it is transmitted
in an element that has a 8-bit length field and potential maximum
payload length of 255 octets. wpa_supplicant was not sufficiently
verifying the payload length on one of the code paths using the SSID
received from a peer device.

This can result in copying arbitrary data from an attacker to a fixed
length buffer of 32 bytes (i.e., a possible overflow of up to 223
bytes). The SSID buffer is within struct p2p_device that is allocated
from heap. The overflow can override couple of variables in the struct,
including a pointer that gets freed. In addition about 150 bytes (the
exact length depending on architecture) can be written beyond the end of
the heap allocation.

This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to wpa_supplicant process crash, exposure of memory contents during
GO Negotiation, and potentially arbitrary code execution.

Vulnerable versions/configurations

wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled

Attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a suitably constructed
management frame that triggers a P2P peer device information to be
created or updated.

The vulnerability is easiest to exploit while the device has started an
active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
interface command in progress). However, it may be possible, though
significantly more difficult, to trigger this even without any active
P2P operation in progress.


Acknowledgments

Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.


Possible mitigation steps

- Merge the following commits to wpa_supplicant and rebuild it:

  P2P: Validate SSID element length before copying it (CVE-2015-1863)

  This patch is available from http://w1.fi/security/2015-1/

- Update to wpa_supplicant v2.5 or newer, once available

- Disable P2P (control interface command "P2P_SET disabled 1" or
  "p2p_disabled=1" in (each, if multiple interfaces used) wpa_supplicant
  configuration file)

- Disable P2P from the build (remove CONFIG_P2P=y)

-- 
Jouni Malinen                                            PGP id EFC895FA
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC