January 18th, 2006, 03:26 PM
#1
FreeBSD: IEEE 802.11 buffer overflow
II. Problem Description
An integer overflow in the handling of corrupt IEEE 802.11 beacon or
probe response frames when scanning for existing wireless networks can
result in the frame overflowing a buffer.
III. Impact
An attacker able to broadcast a carefully crafted beacon or probe response
frame may be able to execute arbitrary code within the context of the
FreeBSD kernel on any system scanning for wireless networks.
ftp://ftp.freebsd.org/pub/FreeBSD/CE...6:05.80211.asc
Oliver's Law:
Experience is something you don't get until just after you need it.
-
January 18th, 2006, 03:36 PM
#2
I will admit, I don't seem to understand this one too well (haven't had my coffee yet!).
Is my understanding of this correct? A client searching for a wireless signal can be subjected to a buffer overflow? That seems pretty severe!
If this is true, has this vulnerability (or a similar one) ever popped up on any other OSes?
Thanks for the info!
-Deeboe
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War
http://tazforum.**********.com/
-
January 18th, 2006, 05:47 PM
#3
Originally posted here by Deeboe
I will admit, I don't seem to understand this one too well (haven't had my coffee yet!).
Is my understanding of this correct? A client searching for a wireless signal can be subjected to a buffer overflow? That seems pretty severe!
Correct. If a client receives a specially crafted beacon or a probe response it is possible to trigger an overflow on the client. Because this is handled by a kernel driver the client would be in deep sh*t. Watch out for rogue APs!
If this is true, has this vulnerability (or a similar one) ever popped up on any other OSes?
Might be possible. A lot of the net80211 code on FreeBSD is based on code from NetBSD. IIRC the code on OpenBSD is based on FreeBSD/NetBSD. So it's likely this bug exists on all BSDs.
Oliver's Law:
Experience is something you don't get until just after you need it.
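The bug class that the advisory in post #1 and the reply above both describe is a length field taken straight from a received beacon or probe-response frame and used to drive a copy into a fixed-size kernel buffer without being checked against what is actually present. The following is an added example, not code from the FreeBSD advisory or the net80211 driver: a simplified, hypothetical information-element (IE) walker run over constructed frames, showing the two checks (IE length versus the bytes remaining in the frame, and SSID length versus the destination buffer) whose absence is what lets a crafted frame overrun a buffer. The frame layout constants, the `scan_entry` structure and the sample frames are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified management-frame body layout used in this example:
 * 8-byte timestamp, 2-byte beacon interval, 2-byte capability info, then a
 * run of information elements, each encoded as id(1) len(1) data(len). */
#define BEACON_FIXED_LEN 12
#define IE_SSID 0
#define SSID_MAX 32

/* Fixed-size record a scanner would keep per network (assumed layout). */
struct scan_entry {
    uint8_t ssid[SSID_MAX];
    uint8_t ssid_len;
};

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_BAD_IE = 2, PARSE_SSID_TOO_LONG = 3 };

/* Walk the IE list of a beacon / probe-response body and copy the SSID into
 * a fixed-size scan entry. Every length taken from the frame is validated
 * against the bytes that really remain before it is used, and the SSID length
 * is checked against the destination before memcpy. Dropping either check is
 * the defect class the advisory describes: an attacker-controlled length
 * drives a copy into a fixed kernel buffer. */
enum parse_result parse_beacon(const uint8_t *frame, size_t frame_len, struct scan_entry *out)
{
    memset(out, 0, sizeof(*out));
    if (frame_len < BEACON_FIXED_LEN)
        return PARSE_TRUNCATED;

    size_t off = BEACON_FIXED_LEN;
    while (off < frame_len) {
        if (frame_len - off < 2)             /* need the 2-byte IE header */
            return PARSE_BAD_IE;
        uint8_t id = frame[off];
        uint8_t len = frame[off + 1];
        /* Compare against the remaining byte count in size_t; an expression
         * like "off + 2 + len <= frame_len" evaluated in a narrow type is where
         * integer wraparound hides. */
        if (len > frame_len - off - 2)
            return PARSE_BAD_IE;
        const uint8_t *data = frame + off + 2;

        if (id == IE_SSID) {
            if (len > SSID_MAX)              /* reject rather than overflow ssid[] */
                return PARSE_SSID_TOO_LONG;
            memcpy(out->ssid, data, len);
            out->ssid_len = len;
        }
        off += 2 + (size_t)len;
    }
    return PARSE_OK;
}

/* Constructed sample frames for the example (not captured traffic). */
static const uint8_t good_frame[] = {
    0, 0, 0, 0, 0, 0, 0, 0,          /* timestamp */
    0x64, 0x00,                      /* beacon interval */
    0x01, 0x04,                      /* capability info */
    0x00, 0x04, 'l', 'a', 'b', '1',  /* SSID IE, 4 bytes */
    0x01, 0x02, 0x82, 0x84           /* supported-rates IE */
};

/* SSID IE claims 0x40 (64) bytes but only 4 follow: length exceeds the frame. */
static const uint8_t truncated_ie_frame[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00, 0x01, 0x04,
    0x00, 0x40, 'x', 'x', 'x', 'x'
};

/* Each helper runs the parser over one sample and returns the result code. */
int check_good_frame(void)
{
    struct scan_entry e;
    if (parse_beacon(good_frame, sizeof good_frame, &e) != PARSE_OK)
        return -1;
    return (e.ssid_len == 4 && memcmp(e.ssid, "lab1", 4) == 0) ? PARSE_OK : -2;
}

int check_truncated_ie(void)
{
    struct scan_entry e;
    return parse_beacon(truncated_ie_frame, sizeof truncated_ie_frame, &e);
}

/* A well-formed frame whose SSID really is 40 bytes: it fits the frame but not ssid[]. */
int check_long_ssid(void)
{
    uint8_t frame[BEACON_FIXED_LEN + 2 + 40];
    memset(frame, 0, sizeof frame);
    frame[8] = 0x64; frame[10] = 0x01; frame[11] = 0x04;
    frame[BEACON_FIXED_LEN] = IE_SSID;
    frame[BEACON_FIXED_LEN + 1] = 40;
    memset(frame + BEACON_FIXED_LEN + 2, 'A', 40);
    struct scan_entry e;
    return parse_beacon(frame, sizeof frame, &e);
}

int main(void)
{
    printf("good frame: %d\n", check_good_frame());          /* 0 = PARSE_OK */
    printf("truncated IE: %d\n", check_truncated_ie());      /* 2 = PARSE_BAD_IE */
    printf("oversized SSID: %d\n", check_long_ssid());       /* 3 = PARSE_SSID_TOO_LONG */
    return 0;
}
```

The point of the two rejected samples is that they are distinct failure modes: the second frame lies about how much data follows the IE header, the third tells the truth but carries more than the receiver's fixed buffer can hold. A scanner has to check both, and do the arithmetic in a type that cannot wrap, before any byte from the air is copied.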