Multiple vulnerabilities identified on Aircrack-ng

About a month ago I identified four vulnerabilities in Aircrack-ng suite. A brief but technical description may be found below. Furthermore, references on the proof-of-concept exploit code and the OSI advisory maybe be found at the end of this article.  

CVE-2014-8322

One of them could lead to remote code execution. Specifically in aireplay's tcp_test function reads nh structure* from remote user which contains a length field. The length field is assigned as len argument on the next recv leading to stack overflow.

Vulnerable code:

struct net_hdr {
    uint8_t     nh_type;
    uint32_t    nh_len;
    uint8_t     nh_data[0];
};

int tcp_test(const char* ip_str, const short port)
{
    unsigned char packet[1024];

    ......
    caplen = read(sock, &nh, sizeof(nh));
    ......
    len = ntohl(nh.nh_len);
    ......
    caplen = read(sock, packet, len);
    ......
}

As a proof-of-concept, I wrote an exploit for this vulnerability for kali linux tested on 1.0.9 with package 1.2-beta3-0kali0 and for kali 1.0.9a with package 1.2-beta3-0kali2. Stack cookie protection has been added in 1.2-beta3-0kali3.

CVE-2014-8321

Another vulnerability is a local code execution and privilege escalation in airodump's gps_tracker function. Airodump connect's to localhost on port 2947 and reads gps data and reads again with buffer argument line plus the length of previous data.

Vulnerable code:

void gps_tracker( void )
{
    int pos;
    char line[256];
   
    ......
    recv(gpsd_sock, line, sizeof( line ) - 1, 0);
    ......
    pos = strlen(line);
    ......
    while (G.do_exit == 0) {
        read(gpsd_sock, line+pos, sizeof(line)-1, 0);
    }
}

This vulnerability could be also used as an example of bypass stack cookie protection on a client side exploit. Since we could send random data with length 256 bytes and then send again data overwriting the pos variable with a value equal to difference between line and ret offset in stack.

CVE-2014-8324

The 3rd vulnerability is a denial of service in net_get. The length field is assigned as len argument and gets returned by reference. As a result net_get will return with a negative length which may be used erroneously as valid.

Vulnerable code:

static int net_get_nopacket(struct priv_net *pn, void *arg, int *len)
{
    int l;
    .......
    net_get( pn->pn_s, buf, &l);
    .......
    memcpy(arg, buf, l);

}

CVE-2014-8323

 The last vulnerability is a denial of service in buddy-ng function handle function subtracts two from len argument and then copies data to cmd with length "len". A segmentation fault occurs when len is equals to one and the result of subtraction is -1.

Vulnerable code:

void handle_dude(int dude, int udp)
{
    rc = recvfrom(udp, buf, sizeof(buf), 0,
        (struct sockaddr*) &s_in, &len);
    handle(dude, buf, rc, &s_in)
}
int handle(int s, unsigned char* data, int len, struct sockaddr_in *s_in)
{
    .....
    plen = len - 2;
    .....
    memcpy(cmd, data+2, plen);
}

References: