FreeBSD: IEEE 802.11 buffer overflow

  1. #1
    Just Another Geek
    Join Date: Jul 2002
    Location: Rotterdam, Netherlands
    Posts: 3,401

    FreeBSD: IEEE 802.11 buffer overflow

    II. Problem Description

    An integer overflow in the handling of corrupt IEEE 802.11 beacon or
    probe response frames when scanning for existing wireless networks can
    result in the frame overflowing a buffer.

    III. Impact

    An attacker able to broadcast a carefully crafted beacon or probe response
    frame may be able to execute arbitrary code within the context of the
    FreeBSD kernel on any system scanning for wireless networks.
    ftp://ftp.freebsd.org/pub/FreeBSD/CE...6:05.80211.asc
    Oliver's Law:
    Experience is something you don't get until just after you need it.
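    As an added illustration, not code from the advisory or from FreeBSD's net80211, here is the kind of length validation a beacon/probe-response parser has to perform before copying an information element, which is the class of check whose absence lets a crafted frame overflow a fixed-size buffer. The element layout (ID byte, length byte, data) and the 12-byte fixed beacon header are per the 802.11 standard; the function names, constants and sample frames are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 management frames carry information elements (IEs) laid out as
 * ID (1 byte), length (1 byte), data (length bytes). A beacon or probe
 * response body starts with 12 fixed bytes: timestamp (8), beacon interval
 * (2), capability (2). The layout follows the standard; the parser itself is
 * a constructed illustration and is NOT the FreeBSD net80211 code. */
#define BEACON_FIXED_LEN 12
#define IE_SSID          0
#define MAX_SSID_LEN     32

/* Copy the SSID out of the IE section into a caller-provided buffer of
 * MAX_SSID_LEN + 1 bytes. Returns the SSID length, or -1 on malformed input. */
int parse_ssid(const uint8_t *ies, size_t ies_len, char *out)
{
    size_t off = 0;

    while (ies_len - off >= 2) {
        uint8_t id  = ies[off];
        uint8_t len = ies[off + 1];

        /* Compare the declared length against the bytes actually remaining.
         * Subtracting from the remaining length cannot wrap; summing
         * `off + 2 + len` in a narrow type can, and a wrapped sum is how a
         * length check silently stops checking anything. */
        if (len > ies_len - off - 2)
            return -1;              /* frame claims data it does not carry */

        if (id == IE_SSID) {
            if (len > MAX_SSID_LEN)
                return -1;          /* would overrun the fixed-size SSID buffer */
            memcpy(out, ies + off + 2, len);
            out[len] = '\0';
            return (int)len;
        }
        off += 2u + len;
    }
    return -1;                      /* no SSID element present */
}

/* Skip the fixed beacon header (after checking it is there), then parse IEs. */
int parse_beacon_ssid(const uint8_t *body, size_t body_len, char *out)
{
    if (body_len < BEACON_FIXED_LEN)
        return -1;
    return parse_ssid(body + BEACON_FIXED_LEN, body_len - BEACON_FIXED_LEN, out);
}

/* Constructed sample frame bodies (not captured traffic). */
static const uint8_t good_beacon[] = {
    0,0,0,0,0,0,0,0,  0x64,0x00,  0x01,0x04,   /* timestamp, interval, capability */
    0x00, 0x04, 'T','E','S','T',               /* SSID IE, length 4 */
    0x01, 0x01, 0x82                           /* supported-rates IE */
};
static const uint8_t bad_beacon[] = {
    0,0,0,0,0,0,0,0,  0x64,0x00,  0x01,0x04,
    0x00, 0xff, 'X','Y','Z'                    /* SSID IE claims 255 bytes, carries 3 */
};

/* Well-formed frame: returns the SSID length (4). */
int demo_good(void)
{
    char ssid[MAX_SSID_LEN + 1];
    return parse_beacon_ssid(good_beacon, sizeof good_beacon, ssid);
}

/* Malformed frame: the bogus length is rejected (-1) instead of driving a copy. */
int demo_bad(void)
{
    char ssid[MAX_SSID_LEN + 1];
    return parse_beacon_ssid(bad_beacon, sizeof bad_beacon, ssid);
}

int main(void)
{
    char ssid[MAX_SSID_LEN + 1];
    int n = parse_beacon_ssid(good_beacon, sizeof good_beacon, ssid);
    printf("well-formed beacon: ssid=\"%s\" (%d bytes)\n", ssid, n);
    printf("malformed beacon: result=%d (rejected)\n", demo_bad());
    return 0;
}
```

    The two checks in parse_ssid are the whole point: the declared element length is bounded first by what the frame actually contains and then by the destination buffer, and the remaining-space arithmetic is written so it cannot wrap. A receiver that trusts the length byte from an unauthenticated beacon for either bound is copying attacker-controlled data on attacker-controlled terms, in kernel context.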

  2. #2
    Senior Member Deeboe
    Join Date: Nov 2005
    Posts: 185
    I will admit, I don't seem to understand this one too well (haven't had my coffee yet!).

    Is my understanding of this correct? A client searching for a wireless signal can be subjected to a buffer overflow? That seems pretty severe!

    If this is true, has this vulnerability (or a similar one) ever popped up on any other OSes?

    Thanks for the info!
    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  3. #3
    Just Another Geek
    Join Date: Jul 2002
    Location: Rotterdam, Netherlands
    Posts: 3,401
    Originally posted here by Deeboe
    I will admit, I don't seem to understand this one too well (haven't had my coffee yet!).

    Is my understanding of this correct? A client searching for a wireless signal can be subjected to a buffer overflow? That seems pretty severe!
    Correct. If a client receives a specially crafted beacon or a probe response it is possible to trigger an overflow on the client. Because this is handled by a kernel driver the client would be in deep sh*t. Watch out for rogue APs!

    If this is true, has this vulnerability (or a similar one) ever popped up on any other OSes?
    Might be possible. A lot of the net80211 code on FreeBSD is based on code from NetBSD. IIRC the code on OpenBSD is based on FreeBSD/NetBSD. So it's likely this bug exists on all BSDs.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
