Closed
Description
There is an overflow vulnerability in the function handle_prism while handling wifipcap's caplen.
```cpp
void WifiPacket::handle_prism(const u_char *pc, size_t len)
{
....
cbs->HandlePrism( *this, &hdr, pc + 144, len - 144);
}
```
If the caplen < 144, we can cause an integer overflow vulnerability in the function handle_80211, which will result in an out-of-bounds read and may allow access to sensitive memory (or just a DoS).
```
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xe42faad4
RBX: 0x9e9c60 --> 0x0
RCX: 0x23a0
RDX: 0x23a0
RSI: 0x30 ('0')
RDI: 0xffffffffffffff6d
RBP: 0xffffffffffffff71
RSP: 0x7fffffffd340 --> 0x0
RIP: 0x4603fb (<WifiPacket::handle_80211(unsigned char const*, unsigned long)+571>: xor r11b,BYTE PTR [rbx+rdx*1])
R8 : 0xffffffffffffff71
R9 : 0x0
R10: 0x7ffff763f280 --> 0xfffed4f0fffed500
R11: 0xe42faad4
R12: 0x7fffffffd3d0 --> 0x6b2320 --> 0x4921b8 --> 0x45d200 (<TFCB::~TFCB()>: push r12)
R13: 0x0
R14: 0x0
R15: 0x18
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x4603f2 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+562>:xor ecx,ecx
0x4603f4 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+564>:nop DWORD PTR [rax+0x0]
0x4603f8 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+568>:mov r11d,eax
=> 0x4603fb <WifiPacket::handle_80211(unsigned char const*, unsigned long)+571>:xor r11b,BYTE PTR [rbx+rdx*1]
0x4603ff <WifiPacket::handle_80211(unsigned char const*, unsigned long)+575>:shr eax,0x8
0x460402 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+578>:movzx edx,r11b
0x460406 <WifiPacket::handle_80211(unsigned char const*, unsigned long)+582>:xor eax,DWORD PTR [rdx*4+0x492a40]
0x46040d <WifiPacket::handle_80211(unsigned char const*, unsigned long)+589>:lea edx,[rcx+0x1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd340 --> 0x0
0008| 0x7fffffffd348 --> 0x9e9c60 --> 0x0
0016| 0x7fffffffd350 --> 0xffffffffffffff71
0024| 0x7fffffffd358 --> 0x7fffffffd3d0 --> 0x6b2320 --> 0x4921b8 --> 0x45d200 (<TFCB::~TFCB()>: push r12)
0032| 0x7fffffffd360 --> 0x77 ('w')
0040| 0x7fffffffd368 --> 0x9e9bd0 --> 0x7ffff61d1b30 --> 0x0
0048| 0x7fffffffd370 --> 0x45c840 (<dl_prism(unsigned char*, pcap_pkthdr const*, unsigned char const*)>: mov rcx,rsi)
0056| 0x7fffffffd378 --> 0x4612cf (<WifiPacket::handle_prism(unsigned char const*, unsigned long)+143>: mov rax,QWORD PTR [rsp+0x28])
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000004603fb in crc32_ccitt_seed (seed=0xffffffff,
len=0xffffffffffffff6d, buf=0x9e9c60 "") at wifipcap/wifipcap.cpp:308
308 crc32 = crc32_ccitt_table[(crc32 ^ buf[i]) & 0xff] ^ (crc32 >> 8);
```
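The report above boils down to one unsigned subtraction: `len - 144` on a `size_t` wraps to a value near `SIZE_MAX` when the capture is shorter than the 144-byte prism header, and that wrapped length then drives the CRC loop off the end of the buffer. The following C program is an added example, not wifipcap's own code: it shows the unchecked subtraction beside a checked version, and a hardened prism handler that rejects truncated captures before the length reaches a table-driven CRC-32 of the same shape as the loop at wifipcap.cpp:308. The 144-byte header length, the 4-byte FCS, the sample frame and every function name here are my own constructions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; not wifipcap code. Header/FCS sizes are assumptions. */
#define PRISM_HDR_LEN 144u
#define IEEE80211_FCS_LEN 4u

/* Standard reflected CRC-32 (poly 0xEDB88320), table-driven; the inner
 * statement mirrors the faulting line in the report. */
static uint32_t crc_table[256];
static int crc_table_ready;

static void crc_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

uint32_t frame_crc32(const uint8_t *buf, size_t len, uint32_t seed)
{
    if (!crc_table_ready) crc_init();
    uint32_t crc = seed;
    /* With a wrapped len such as 0xffffffffffffff6d this loop walks past
     * the end of buf: that is the out-of-bounds read in the backtrace. */
    for (size_t i = 0; i < len; i++)
        crc = crc_table[(crc ^ buf[i]) & 0xffu] ^ (crc >> 8);
    return ~crc;
}

/* Vulnerable shape: caplen - 144 wraps when caplen < 144. */
size_t prism_payload_len_unchecked(size_t caplen)
{
    return caplen - PRISM_HDR_LEN;
}

/* Hardened shape: refuse truncated captures before subtracting. */
int prism_payload_len_checked(size_t caplen, size_t *out)
{
    if (caplen < PRISM_HDR_LEN) return -1;
    *out = caplen - PRISM_HDR_LEN;
    return 0;
}

/* Hardened handler: strips the prism header, requires room for an FCS
 * (the same wrap would otherwise recur on len - 4), and checks the
 * trailing FCS against the CRC of the frame body.
 * Returns 1 on FCS match, 0 on mismatch, -1 on a truncated capture. */
int handle_prism_checked(const uint8_t *pc, size_t caplen)
{
    size_t len;
    if (prism_payload_len_checked(caplen, &len) != 0) return -1;
    if (len < IEEE80211_FCS_LEN) return -1;
    const uint8_t *frame = pc + PRISM_HDR_LEN;
    size_t body_len = len - IEEE80211_FCS_LEN;
    uint32_t want = (uint32_t)frame[body_len]
                  | (uint32_t)frame[body_len + 1] << 8
                  | (uint32_t)frame[body_len + 2] << 16
                  | (uint32_t)frame[body_len + 3] << 24;
    return frame_crc32(frame, body_len, 0xffffffffu) == want;
}

/* Constructed sample capture: zeroed 144-byte prism header, a 24-byte
 * 802.11 data header, then a valid little-endian FCS. Returns total size. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t hdr80211[24] = {
        0x08, 0x00, 0x00, 0x00,              /* frame control, duration */
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  /* addr1 */
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  /* addr2 */
        0x02, 0x00, 0x00, 0x00, 0x00, 0x02,  /* addr3 */
        0x10, 0x00 };                        /* sequence control */
    size_t total = PRISM_HDR_LEN + sizeof hdr80211 + IEEE80211_FCS_LEN;
    if (cap < total) return 0;
    memset(out, 0, PRISM_HDR_LEN);
    memcpy(out + PRISM_HDR_LEN, hdr80211, sizeof hdr80211);
    uint32_t fcs = frame_crc32(hdr80211, sizeof hdr80211, 0xffffffffu);
    uint8_t *p = out + PRISM_HDR_LEN + sizeof hdr80211;
    p[0] = fcs & 0xffu; p[1] = (fcs >> 8) & 0xffu;
    p[2] = (fcs >> 16) & 0xffu; p[3] = fcs >> 24;
    return total;
}

int main(void)
{
    uint8_t pkt[256];
    size_t n = build_sample(pkt, sizeof pkt);
    printf("unchecked len for caplen=1: %zu (wrapped)\n",
           prism_payload_len_unchecked(1));
    printf("checked, caplen=1: %d\n", handle_prism_checked(pkt, 1));
    printf("checked, full frame: %d\n", handle_prism_checked(pkt, n));
    return 0;
}
```

The two checks in `handle_prism_checked` are the whole fix: once `caplen < 144` and `len < 4` are rejected up front, every later subtraction operates on values that cannot wrap, and the CRC loop can never be handed a length larger than the bytes libpcap actually captured.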