1. Advisory Information

Advisory URL: http://ift.tt/1GleH5o
Date published: 2015-04-23
Date of last update: 2015-04-23

2. Vulnerability Information

Class: heap overflow
Impact: memory information leak and remote code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-1863
Vulnerability Information and Patch: http://ift.tt/1DBNVBw

3. Vulnerability Description

On Android, wpa_supplicant is a daemon that runs in the background and acts as the backend component controlling the wireless connection. When the Wi-Fi Direct (P2P) function of wpa_supplicant is enabled, a malformed P2P invitation packet carrying an over-long SSID triggers a heap overflow.

An attacker within wireless signal range of the victim's Android device can exploit this remotely and execute native code with the privileges of the user wpa_supplicant runs as (on Android, the wifi user). That user can read the saved Wi-Fi passwords, change the network configuration and hijack all Wi-Fi traffic. Combined with a local privilege escalation vulnerability, this would let an attacker remotely take control of a large number of victims and implant trojans or other low-level implants.

4. Vulnerable Packages

Android 4 / Android 5, wpa_supplicant 2.x

5. Credits

The smart hardware research group of the Alibaba security team discovered the vulnerability.

6. Technical Description

wpa_supplicant allocates a p2p_device structure whose oper_ssid field is 0x20 (32) bytes long. In the P2P invitation packet the SSID length is carried in a single octet, so it can be as large as 0xff (255). When the SSID is copied into oper_ssid, its length is not checked against the size of the destination. An SSID longer than 0x20 bytes overwrites the fields that follow oper_ssid inside p2p_device, and one longer than 0x40 bytes runs past the end of the structure into adjacent heap data (and heap metadata).

In Android 5.1 the source is:

============ p2p_device structure (wpa_supplicant/p2p/p2p_i.h) ============
struct p2p_device {
    [……….]
    int oper_freq;
    u8 oper_ssid[32];
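The following C example is added here to illustrate the defect class the advisory describes; it is not wpa_supplicant's code or Alibaba's. It uses a hypothetical, cut-down peer record (struct peer_dev) with a 32-byte oper_ssid buffer followed by other fields, and feeds it a constructed SSID information element (element ID 0, one length octet, then the SSID bytes). copy_ssid_unchecked() reproduces the vulnerable pattern of trusting the length octet; copy_ssid_checked() shows the two bounds checks a hardened copy needs: the element must fit in the remaining frame bytes, and the SSID must fit in the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;

/* Hypothetical peer record modelled on the advisory's description: a 32-byte
 * oper_ssid buffer with further fields behind it. Not wpa_supplicant's
 * struct p2p_device. */
struct peer_dev {
    int oper_freq;
    u8 oper_ssid[32];
    size_t oper_ssid_len;
    int flags;          /* stands in for whatever follows oper_ssid */
};

/* 802.11 SSID information element: ID 0, one length octet (0..255), bytes. */
#define WLAN_EID_SSID 0

/* Vulnerable pattern: the length octet is trusted. With ie[1] > 32 the copy
 * runs past oper_ssid into oper_ssid_len/flags and, past the end of the
 * allocation, into neighbouring heap data. Only ever call with ie[1] <= 32
 * in this demo; the point is the missing check, not the crash. */
static int copy_ssid_unchecked(struct peer_dev *dev, const u8 *ie)
{
    if (ie[0] != WLAN_EID_SSID)
        return -1;
    memcpy(dev->oper_ssid, ie + 2, ie[1]);
    dev->oper_ssid_len = ie[1];
    return 0;
}

/* Hardened: bound the length by the bytes actually present in the frame and
 * by the size of the destination before copying anything. */
static int copy_ssid_checked(struct peer_dev *dev, const u8 *ie, size_t ie_avail)
{
    if (ie_avail < 2 || ie[0] != WLAN_EID_SSID)
        return -1;
    size_t len = ie[1];
    if (len > ie_avail - 2)                 /* element truncated by the frame */
        return -1;
    if (len > sizeof(dev->oper_ssid))       /* the check CVE-2015-1863 lacked */
        return -1;
    memcpy(dev->oper_ssid, ie + 2, len);
    dev->oper_ssid_len = len;
    return 0;
}

/* Build a constructed SSID element of the requested length into buf.
 * Returns the number of bytes written, 0 if it does not fit. */
static size_t build_ssid_ie(u8 *buf, size_t bufsz, u8 fill, size_t len)
{
    if (len > 255 || bufsz < len + 2)
        return 0;
    buf[0] = WLAN_EID_SSID;
    buf[1] = (u8)len;
    memset(buf + 2, fill, len);
    return len + 2;
}

/* Run the hardened copy against a constructed element with an SSID of
 * ssid_len bytes. dev->flags is preset so a caller can confirm the field
 * behind oper_ssid is untouched. Returns the copy's result. */
int probe_ssid_len(struct peer_dev *dev, size_t ssid_len)
{
    u8 frame[2 + 255];
    size_t n = build_ssid_ie(frame, sizeof(frame), 'A', ssid_len);
    memset(dev, 0, sizeof(*dev));
    dev->flags = 0x5a5a;
    return copy_ssid_checked(dev, frame, n);
}

int main(void)
{
    struct peer_dev dev;
    size_t lens[] = { 8, 32, 33, 255 };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        int rc = probe_ssid_len(&dev, lens[i]);
        printf("ssid len %3zu -> %s (flags still 0x%x)\n", lens[i],
               rc == 0 ? "accepted" : "rejected", dev.flags);
    }
    /* In-bounds input behaves the same under both copies. */
    u8 ie[2 + 8];
    build_ssid_ie(ie, sizeof(ie), 'B', 8);
    memset(&dev, 0, sizeof(dev));
    printf("unchecked copy of 8 bytes -> %d, len %zu\n",
           copy_ssid_unchecked(&dev, ie), dev.oper_ssid_len);
    return 0;
}
```

Both checks matter: bounding only by the destination size still lets a frame whose length octet exceeds the bytes actually received turn into an out-of-bounds read (the "memory information leak" in the impact line), while bounding only by the frame length is exactly the gap the advisory describes.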