-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Happy PPC Hacking Project www.hardened-php.net -= Security Advisory =- Advisory: KisMAC Cisco Vendor Tag Encapsulated SSID Overflow Release Date: 2006/03/23 Last Modified: 2006/03/23 Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]] Application: KisMAC < dev version 113 KisMAC < 73p Severity: Special crafted 80211 management frames may cause a stackoverflow that eventually leads to remote code execution Risk: Critical Vendor Status: Vendor has a released an updated version References: http://www.hardened-php.net/advisory_032006.115.html Overview: Quote from www.kismac.de: "KisMAC is a free stumbler application for MacOS X, that puts your card into the monitor mode. Unlike most other applications for OS X it has the ability to run completely invisible and send no probe requests." While playing around with wifi, raw packets, MacOS X, ppc and KisMAC a quick audit revealed a remotely triggerable buffer overflow in KisMAC's parser for tagged data in 80211 management frames, that can lead to execution of arbitrary code. To exploit this vulnerability an attacker must either trick the victim in opening a pcap file containing the special crafted management frames OR the attacker must send such raw frames while the victim is performing a passive network scan. Details: When KisMAC receives a 80211 management frame (or finds one in a imported pcap file) it parses the attached tagged data with the function WavePacket:parseTaggedData. With the help of this method the SSID, the channel and the rates get extracted from the management packet. The function in question also supports a special Cisco vendor tag, which is scanned by KisMAC for additional SSIDs. Unfortunately it then copies the SSIDs found into a 33 bytes big stackbuffer without any kind of size check. slen = (*(ssidl + 5)); // <-- reading SSID length (UINT8) ssidl += 6; if ((len -= slen) < 0) break; @try { memcpy(ssid, ssidl, slen); // <-- copying without check into 33 // bytes big stackbuffer ssid[slen]=0; [_SSIDs addObject:[NSString stringWithUTF8String:ssid]]; } @catch (NSException *exception) { [_SSIDs addObject:[NSString stringWithCString:(char*)(ssidl) length:slen]]; } Due to the try/catch block around the memcpy() the stacklayout allows to overwrite the jump_buf for setjmp/longjump which are used for the exception handling. This actually means it is not only possible to control the execution flow by manipulating the program counter (pc) but also to have control over the content of all registers once the execution flow has been manipulated. It should be obvious that this eventually leads to the execution of arbitrary code. Proof of Concept: The Happy PPC Hacking Project is not going to release exploits for this vulnerability to the public. Disclosure Timeline: 22. March 2006 - Contacted KisMAC developers by email 22. March 2006 - Vendor releases KisMAC update 23. March 2006 - Public Disclosure Recommendation: It is strongly recommended to upgrade to the newest version of KisMAC which you can download at: http://trac.kismac.de GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2006 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFEIlt4RDkUzAqGSqERAk9kAJ96iwq93+EeDAMlk5JmRTUUxgkP1gCeKY1v WZy/+ASNSsw9PqRGLFb1FZs= =zmaa -----END PGP SIGNATURE-----