wpa_supplicant patch available, devs need to implement it

Apr 23, 2015 08:46 GMT

A vulnerability in the cross-platform Wi-Fi software wpa_supplicant can be exploited by attackers for anything from a denial of service against the wireless connection to reading memory contents of the client during P2P exchanges such as the group owner negotiation process.

Maintained by Jouni Malinen, the package is a free implementation of the IEEE 802.1X/WPA supplicant, the client-side component that controls a wireless connection (scanning, authentication and association, and the secure key negotiation that has to complete before normal data traffic can flow).

It is present in operating systems for mobile devices (Android), desktop computers (Windows, Linux, BSD, OS X), as well as in embedded systems.

Attackers may be able to execute arbitrary code

The flaw (CVE-2015-1863) affects wpa_supplicant versions 1.0 through 2.4 built with the CONFIG_P2P option enabled. It was discovered by the Alibaba security team (smart hardware research group) and reported by Google's security team.

Successful exploitation requires the client to be engaged in a peer-to-peer (P2P) operation; it can crash the wpa_supplicant process, expose sensitive information held in the client device's memory, and potentially lead to arbitrary code execution.

Payload length not checked, arbitrary data can be appended

The details of the flaw, published on the oss-security (Open Source Software Security) mailing list on Wednesday, explain that the problem stems from insufficient validation of the length of the SSID (Service Set Identifier) element when wpa_supplicant parses P2P peer information from received frames.

An SSID is at most 32 octets long, but it is carried in an information element whose 8-bit length field allows a payload of up to 255 octets. A malicious wireless peer or network can therefore append arbitrary data after the SSID, and the client copies all of it.

“This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The SSID buffer is within struct p2p_device that is allocated from heap. The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation,” Malinen wrote in the advisory.
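To make the two numbers in the advisory concrete (a 32-octet destination buffer fed from an element with an 8-bit length field), here is an added C example. It is not wpa_supplicant's code: the struct, the function names and the frame bytes are all constructed for this demonstration, and the peer entry is laid out the way the advisory describes it (the SSID buffer followed by other fields, one of them a pointer). The unchecked copy is shown beside the check that closes the hole.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32      /* IEEE 802.11 limit on SSID length */
#define WLAN_EID_SSID 0      /* element ID of the SSID information element */

/* Hypothetical peer entry (not wpa_supplicant's struct p2p_device): a fixed
 * 32-byte SSID buffer followed by other fields, one of them a pointer that is
 * later freed. The trailing pad keeps the demo overflow inside this object so
 * the clobbering is observable without corrupting the real heap. */
struct peer_entry {
	uint8_t oper_ssid[SSID_MAX_LEN];
	size_t oper_ssid_len;
	void *later_freed;        /* stand-in for the pointer the overflow can hit */
	uint8_t pad[256];
};

/* Find the first element with ID `eid` in an IE sequence of
 * (ID, 8-bit length, payload) triples. The length is checked against the
 * frame only; that check says nothing about whether a 255-octet SSID element
 * fits a 32-byte destination. */
static const uint8_t *find_ie(const uint8_t *ies, size_t ies_len, uint8_t eid)
{
	size_t pos = 0;
	while (pos + 2 <= ies_len) {
		uint8_t len = ies[pos + 1];
		if (pos + 2 + len > ies_len)
			return NULL;              /* truncated element: refuse it */
		if (ies[pos] == eid)
			return ies + pos;
		pos += 2 + len;
	}
	return NULL;
}

/* Vulnerable pattern: trusts the element's 8-bit length when filling the
 * 32-byte field. The copy goes through a byte view of the whole struct so the
 * demo stays inside the object; in the real bug the same bytes run past the
 * end of the heap allocation. */
static void copy_ssid_unchecked(struct peer_entry *dev, const uint8_t *ssid_ie)
{
	size_t len = ssid_ie[1];
	memcpy((uint8_t *)dev, ssid_ie + 2, len);   /* overflows when len > 32 */
	dev->oper_ssid_len = len;
}

/* Hardened pattern: validate the element against the destination before
 * copying and drop the peer update when it does not fit. Returns 0 or -1. */
static int copy_ssid_checked(struct peer_entry *dev, const uint8_t *ssid_ie)
{
	size_t len = ssid_ie[1];
	if (len > sizeof(dev->oper_ssid))
		return -1;                       /* malformed peer info: reject */
	memcpy(dev->oper_ssid, ssid_ie + 2, len);
	dev->oper_ssid_len = len;
	return 0;
}

/* Constructed frame body: one SSID element of `ssid_len` bytes of 'A', as an
 * attacker-controlled P2P frame could carry it. Returns bytes written, 0 if
 * `out` is too small. */
static size_t build_ssid_ie(uint8_t *out, size_t out_len, uint8_t ssid_len)
{
	if (out_len < (size_t)ssid_len + 2)
		return 0;
	out[0] = WLAN_EID_SSID;
	out[1] = ssid_len;
	memset(out + 2, 'A', ssid_len);
	return (size_t)ssid_len + 2;
}

/* Run a constructed frame through the unchecked copy. Returns 1 if the pointer
 * field behind the SSID buffer was overwritten, 0 if it survived, -1 if the
 * element could not be parsed. */
int unchecked_copy_clobbers_pointer(uint8_t ssid_len)
{
	uint8_t frame[300];
	struct peer_entry dev;
	size_t n = build_ssid_ie(frame, sizeof(frame), ssid_len);
	const uint8_t *ie = n ? find_ie(frame, n, WLAN_EID_SSID) : NULL;
	if (!ie)
		return -1;
	memset(&dev, 0, sizeof(dev));
	dev.later_freed = &dev;            /* any valid pointer will do */
	copy_ssid_unchecked(&dev, ie);
	return dev.later_freed != (void *)&dev;
}

/* Same frame through the checked copy: 0 when accepted, -1 when rejected. */
int checked_copy_result(uint8_t ssid_len)
{
	uint8_t frame[300];
	struct peer_entry dev;
	size_t n = build_ssid_ie(frame, sizeof(frame), ssid_len);
	const uint8_t *ie = n ? find_ie(frame, n, WLAN_EID_SSID) : NULL;
	if (!ie)
		return -1;
	memset(&dev, 0, sizeof(dev));
	return copy_ssid_checked(&dev, ie);
}

int main(void)
{
	printf("255-octet SSID element, unchecked copy clobbers pointer: %d\n",
	       unchecked_copy_clobbers_pointer(255));
	printf("255-octet SSID element, checked copy result: %d\n",
	       checked_copy_result(255));
	printf("32-octet SSID element, checked copy result: %d\n",
	       checked_copy_result(32));
	return 0;
}
```

The point of the two routines side by side is that the IE parser already bounds the element against the frame it came from; the missing check is the one against the semantic limit of the field being filled. Any fixed-size destination fed from a self-describing TLV needs its own comparison, and the safe reaction to a violation is to drop the peer update, not to truncate and continue.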

Patch code is now available from the maintainer, who advises rebuilding the affected wpa_supplicant versions with it applied. Builds compiled without CONFIG_P2P do not contain the vulnerable code path and need no rebuild.

Alternatively, developers integrating the wpa_supplicant code into their products can wait for version 2.5, which will include the fix.