[Dailydave] Madwifi SIOCSIWSCAN vulnerability (CVE-2006-6332)
TINNES Julien RD-MAPS-ISS
julien.tinnes at francetelecom.com
Thu Dec 7 13:48:00 EST 2006
There is a kernel stack buffer overflow in Madwifi SIOCSIWSCAN ioctl
which is used to list scanned AP.
All version prior to 0.9.2.1 are probably vulnerable.
Users listing nearby access points (such as with "iwlist ath0 scan")
manually are at risk. As a lot of distributions are performing automatic
access point listings, this can put passive users at risk as well.
We wrote a remote DoS as well as a reliable local privilege escalation
exploit (which needs to be triggered by the remote DoS).
As the impact is not very critical (you have to be able to execute code
on the host AND to send a wireless packet), they will be released soon
as proof of concept.
A real remote exploit is very likely to be possible, against iwlist or
any other process using this ioctl (being in process context helps!),
however we've not investigated it further for now.
PS: Dave, will we have Wifi support in Canvas ?
--
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 2006-12-07-madwifi-siocgiwscan.txt
Url: http://lists.immunitysec.com/pipermail/dailydave/attachments/20061207/cdf6237f/attachment-0001.txt
More information about the Dailydave
mailing list