Debian Bug report logs - #512995
Possible security flaw in ad-hoc probe request processing


Package: rt73; Maintainer for rt73 is (unknown);

Reported by: Ben Hutchings <ben@decadent.org.uk>

Date: Sun, 25 Jan 2009 16:18:01 UTC

Severity: critical

Tags: security, upstream

Found in version 1:1.0.3.6-cvs20080623-dfsg1-2

Fixed in version rt73/1:1.0.3.6-cvs20080623-dfsg1-3

Done: Ben Hutchings <ben@decadent.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Ralink packages maintainers <pkg-ralink-maintainers@lists.alioth.debian.org>:
Bug#512995; Package rt73. (Sun, 25 Jan 2009 16:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Ralink packages maintainers <pkg-ralink-maintainers@lists.alioth.debian.org>. (Sun, 25 Jan 2009 16:18:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: rt2400-devel@lists.sourceforge.net
Subject: Possible security flaw in ad-hoc probe request processing
Date: Sun, 25 Jan 2009 16:21:57 +0000
Package: rt73
Severity: critical
Tags: security, upstream

"Aviv" <springsec@gmail.com> wrote on Bugtraq:
> Some Ralinktech wireless card drivers suffer from an integer
> overflow. By sending a malformed 802.11 Probe Request packet, with no
> care about the victim's MAC\BSS\SSID, an attacker can cause remote code
> execution in kernel mode.
> 
> In order to exploit this issue, the attacker should send a Probe
> Request packet with an SSID length bigger than 128 bytes (but less than
> 256) when the victim's card is in ADHOC mode.  The attacker doesn't need
> to be on the same network nor even know the MAC\BSS\SSID; he can just
> send it as broadcast.
> 
> Tested on a Ralink USB wireless adapter (RT73) V3.08 on win2k with the
> latest driver version.

(Archived at
<http://archives.neohapsis.com/archives/bugtraq/2009-01/0167.html>.)

No CVE number appears to have been assigned to this yet.

Ralink's Linux drivers are based on their Windows drivers and the
following code in PeerProbeReqSanity() in the source file sanity.c
appears to have exactly this flaw:

    if ((pFrame->Octet[0] != IE_SSID) || (pFrame->Octet[1] > MAX_LEN_OF_SSID))
    {
        DBGPRINT(RT_DEBUG_TRACE, "PeerProbeReqSanity fail - wrong SSID IE(Type=%d,Len=%d)\n",pFrame->Octet[0],pFrame->Octet[1]);
        return FALSE;
    }

    *pSsidLen = pFrame->Octet[1];
    memcpy(Ssid, &pFrame->Octet[2], *pSsidLen);

pFrame->Octet is an array of signed char and MAX_LEN_OF_SSID expands
to a decimal literal which will have type int.  Therefore unsigned
values in the range [128, 255] will be treated as values in the range
[-128, -1] and will pass the test.

Similar code exists in the rt2400, rt2500, rt2570, rt61 and rt2860
drivers.

Ben.
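The signed/unsigned confusion described in the report, as an added example that is not Ralink's or Debian's code: a stand-alone C program with the original-style check (signed char element compared against an int literal), the cast-based check from the Debian fix, and a validator that additionally bounds the IE length against the bytes actually received. The values of IE_SSID (0) and MAX_LEN_OF_SSID (32), the frame layout, the function names and the sample frames are assumptions made for this example.

```c
/* Added example (not from the rt73 driver or the Debian package).
 * Shows why a check on a signed char SSID length passes values 128..255,
 * how casting to unsigned closes that hole, and a validator that also
 * checks the IE against the received frame length.
 * IE_SSID = 0 and MAX_LEN_OF_SSID = 32 are assumed here (802.11 SSID
 * element ID and maximum SSID length); the frame buffers are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID         0
#define MAX_LEN_OF_SSID 32

/* Original-style check: Octet is signed char, MAX_LEN_OF_SSID is an int.
 * octet[1] is promoted to int as a signed value, so raw bytes 0x80..0xFF
 * become -128..-1 and are "not greater" than 32. */
bool vulnerable_ssid_check(const signed char *octet)
{
    return !(octet[0] != IE_SSID || octet[1] > MAX_LEN_OF_SSID);
}

/* Check as patched in Debian: cast to unsigned before comparing. */
bool patched_ssid_check(const signed char *octet)
{
    return !(octet[0] != IE_SSID ||
             (unsigned char)octet[1] > MAX_LEN_OF_SSID);
}

/* Hardened validator (hypothetical helper): works on unsigned bytes and
 * takes the remaining payload length, so a frame that claims more SSID
 * bytes than it carries is rejected before memcpy runs.
 * Returns the SSID length copied into ssid, or -1 on rejection. */
int extract_ssid(const uint8_t *payload, size_t payload_len,
                 uint8_t ssid[MAX_LEN_OF_SSID])
{
    if (payload_len < 2)
        return -1;                         /* no room for ID + length */
    uint8_t id  = payload[0];
    uint8_t len = payload[1];
    if (id != IE_SSID || len > MAX_LEN_OF_SSID)
        return -1;                         /* wrong IE or oversized SSID */
    if ((size_t)len > payload_len - 2)
        return -1;                         /* IE runs past end of frame */
    memcpy(ssid, payload + 2, len);
    return len;
}

/* Constructed probe-request payloads: IE id, IE length, body. */
static const uint8_t good_frame[]  = { IE_SSID, 4, 'h', 'o', 'm', 'e' };
static const uint8_t long_frame[]  = { IE_SSID, 200 };         /* claims 200-byte SSID */
static const uint8_t trunc_frame[] = { IE_SSID, 10, 'a', 'b' }; /* claims 10, carries 2 */

/* Scratch SSID buffer plus a small wrapper so results can be inspected. */
static uint8_t ssid_buf[MAX_LEN_OF_SSID];
int demo_extract(const uint8_t *payload, size_t payload_len)
{
    memset(ssid_buf, 0, sizeof ssid_buf);
    return extract_ssid(payload, payload_len, ssid_buf);
}

int main(void)
{
    printf("vulnerable check accepts len=200: %d\n",
           vulnerable_ssid_check((const signed char *)long_frame));
    printf("patched check accepts len=200:    %d\n",
           patched_ssid_check((const signed char *)long_frame));
    printf("hardened extract, good frame:     %d\n",
           demo_extract(good_frame, sizeof good_frame));
    printf("hardened extract, truncated:      %d\n",
           demo_extract(trunc_frame, sizeof trunc_frame));
    return 0;
}
```

The point the wrapper makes explicit is that the cast only fixes the range check; a separate bound against the bytes actually present in the frame is what keeps the later memcpy inside the buffer when a frame is shorter than its IE claims.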




Bug 512995 cloned as bugs 512999, 513000, 513001, 513002. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sun, 25 Jan 2009 16:27:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ralink packages maintainers <pkg-ralink-maintainers@lists.alioth.debian.org>:
Bug#512995; Package rt73. (Sun, 25 Jan 2009 18:00:02 GMT) (full text, mbox, link).


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Ralink packages maintainers <pkg-ralink-maintainers@lists.alioth.debian.org>. (Sun, 25 Jan 2009 18:00:02 GMT) (full text, mbox, link).


Message #12 received at 512995@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: Bryan Batten <BryanBatten@sbcglobal.net>
Cc: 512995@bugs.debian.org, rt2400-devel@lists.sourceforge.net
Subject: Re: [Rt2400-devel] Possible security flaw in ad-hoc probe request processing
Date: Sun, 25 Jan 2009 18:02:15 +0000
On Sun, 2009-01-25 at 08:43 -0800, Bryan Batten wrote:
> Ben Hutchings wrote:
> > Package: rt73 Severity: critical Tags: security, upstream
> > 
> > "Aviv" <springsec@gmail.com> wrote on Bugtraq:
> >> Some Ralinktech wireless card drivers suffer from an integer 
> >> overflow. By sending a malformed 802.11 Probe Request packet with
> >> no care about the victim's MAC\BSS\SSID, an attacker can cause remote
> >> code execution in kernel mode.
> ...
> > pFrame->Octet is an array of signed char and MAX_LEN_OF_SSID
> > expands to a decimal literal which will have type int.  Therefore
> > unsigned values in the range [128, 255] will be treated as values
> > in the range [-128, -1] and will pass the test.
> ...
> Hi Ben,
> 
> Thanks for the info. Do you know if redefining the FRAME_802_11 
> structure in mlme.h so that the Octet member is UCHAR fixes the problem?

I think it probably would, but I'm a bit wary of doing that.

I reviewed sanity.c in the Debian package (CVS snapshot from 2008-06-23
but I don't believe the driver has changed much) and I found only one
more case of signed/unsigned confusion.  My proposed patch is:

--- rt73.orig/Module/sanity.c
+++ rt73/Module/sanity.c
@@ -447,7 +447,7 @@
 
     COPY_MAC_ADDR(pAddr2, pFrame->Hdr.Addr2);
 
-    if ((pFrame->Octet[0] != IE_SSID) || (pFrame->Octet[1] > MAX_LEN_OF_SSID))
+    if ((pFrame->Octet[0] != IE_SSID) || ((UCHAR)pFrame->Octet[1] > MAX_LEN_OF_SSID))
     {
         DBGPRINT(RT_DEBUG_TRACE, "PeerProbeReqSanity fail - wrong SSID IE(Type=%d,Len=%d)\n",pFrame->Octet[0],pFrame->Octet[1]);
         return FALSE;
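Review bot: the cast on the `(UCHAR)pFrame->Octet[1] > MAX_LEN_OF_SSID` line closes the signed-comparison hole, but from the visible lines the length is still only bounded against MAX_LEN_OF_SSID and not against the number of bytes actually received in the frame; a short frame that advertises a valid SSID length would still be copied from past its end. Suggest adding a check that the IE body fits within the received payload before the copy. Minor: the DBGPRINT still passes `pFrame->Octet[1]` as a signed char to `%d`, so a rejected length of 200 will be logged as -56; casting it in the format arguments too would keep the trace readable.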
@@ -649,8 +649,8 @@
 					pCfParm->bValid = TRUE;
 					pCfParm->CfpCount = pEid->Octet[0];
 					pCfParm->CfpPeriod = pEid->Octet[1];
-					pCfParm->CfpMaxDuration = pEid->Octet[2] + 256 * pEid->Octet[3];
-					pCfParm->CfpDurRemaining = pEid->Octet[4] + 256 * pEid->Octet[5];
+					pCfParm->CfpMaxDuration = (UCHAR)pEid->Octet[2] + 256 * (UCHAR)pEid->Octet[3];
+					pCfParm->CfpDurRemaining = (UCHAR)pEid->Octet[4] + 256 * (UCHAR)pEid->Octet[5];
 				}
 				else
 				{
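Review bot: the casts on the CfpMaxDuration and CfpDurRemaining lines are the right fix for assembling a little-endian 16-bit value from signed bytes, since `pEid->Octet[2] + 256 * pEid->Octet[3]` otherwise goes negative for any byte of 0x80 or above. Two follow-ups: it is not visible in this hunk whether the element length has been checked to be at least 6 before `pEid->Octet[5]` is read, so confirm that bound is enforced earlier; and since this byte-pair pattern is repeated, a small unsigned little-endian read helper used at every such site would make future additions consistent with this fix.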
--- END ---

(The code for IE_QBSS_LOAD has a similar problem, but it's disabled by
#if 0.)

Ben.


Bug 512995 cloned as bug 513022. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sun, 25 Jan 2009 19:21:05 GMT) (full text, mbox, link).


Blocking bugs of 513022 added: 512995 Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sun, 25 Jan 2009 19:21:09 GMT) (full text, mbox, link).


Bug marked as found in version 1:1.0.3.6-cvs20080623-dfsg1-2. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Wed, 28 Jan 2009 00:48:08 GMT) (full text, mbox, link).


Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility. (Wed, 28 Jan 2009 01:27:07 GMT) (full text, mbox, link).


Notification sent to Ben Hutchings <ben@decadent.org.uk>:
Bug acknowledged by developer. (Wed, 28 Jan 2009 01:27:07 GMT) (full text, mbox, link).


Message #23 received at 512995-close@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: 512995-close@bugs.debian.org
Subject: Bug#512995: fixed in rt73 1:1.0.3.6-cvs20080623-dfsg1-3
Date: Wed, 28 Jan 2009 01:17:06 +0000
Source: rt73
Source-Version: 1:1.0.3.6-cvs20080623-dfsg1-3

We believe that the bug you reported is fixed in the latest version of
rt73, which is due to be installed in the Debian FTP archive:

rt73-common_1.0.3.6-cvs20080623-dfsg1-3_all.deb
  to pool/contrib/r/rt73/rt73-common_1.0.3.6-cvs20080623-dfsg1-3_all.deb
rt73-source_1.0.3.6-cvs20080623-dfsg1-3_all.deb
  to pool/contrib/r/rt73/rt73-source_1.0.3.6-cvs20080623-dfsg1-3_all.deb
rt73_1.0.3.6-cvs20080623-dfsg1-3.diff.gz
  to pool/contrib/r/rt73/rt73_1.0.3.6-cvs20080623-dfsg1-3.diff.gz
rt73_1.0.3.6-cvs20080623-dfsg1-3.dsc
  to pool/contrib/r/rt73/rt73_1.0.3.6-cvs20080623-dfsg1-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 512995@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated rt73 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 28 Jan 2009 00:53:13 +0000
Source: rt73
Binary: rt73-source rt73-common
Architecture: source all
Version: 1:1.0.3.6-cvs20080623-dfsg1-3
Distribution: unstable
Urgency: high
Maintainer: Debian Ralink packages maintainers <pkg-ralink-maintainers@lists.alioth.debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description: 
 rt73-common - RT73(RT2571W) Wireless Lan Linux Driver - common files
 rt73-source - RT73(RT2571W) Wireless Lan Linux Driver - kernel module sources
Closes: 512995
Changes: 
 rt73 (1:1.0.3.6-cvs20080623-dfsg1-3) unstable; urgency=high
 .
   * Fixed buffer overflow vulnerability in processing of ad-hoc probe
     requests (CVE-2009-0282) (closes: bug#512995)
Checksums-Sha1: 
 f8d24ce0488c3e1df55845cea14da8b63a88c6f3 1341 rt73_1.0.3.6-cvs20080623-dfsg1-3.dsc
 c67b4c371db04448af94a45b4d9381c866db3b76 10146 rt73_1.0.3.6-cvs20080623-dfsg1-3.diff.gz
 5d1f9e15cbaab1c2407fd7888f466b099d6db108 241998 rt73-source_1.0.3.6-cvs20080623-dfsg1-3_all.deb
 5082ef225766e769a5e84166262a5646bff76fa7 17202 rt73-common_1.0.3.6-cvs20080623-dfsg1-3_all.deb
Checksums-Sha256: 
 4e2092770ea5157564f75e6b1cfc2f8beae71a2824715fa2edd22393c67bdaee 1341 rt73_1.0.3.6-cvs20080623-dfsg1-3.dsc
 74c8acd71e09b29ee2ca6276b4d6bf36746ef60920e63e0bff4301603024d0b8 10146 rt73_1.0.3.6-cvs20080623-dfsg1-3.diff.gz
 8b42bb102999333e88264f246a2245180cc85f4e1c28bcb164128749e99ee9f1 241998 rt73-source_1.0.3.6-cvs20080623-dfsg1-3_all.deb
 9f99cfdb44da19345fdfb726d3a88b480787b9685e676e5f33e33a9d1f3ba1ef 17202 rt73-common_1.0.3.6-cvs20080623-dfsg1-3_all.deb
Files: 
 f7105818c270676fd464ca8299c1cae9 1341 contrib/net extra rt73_1.0.3.6-cvs20080623-dfsg1-3.dsc
 d29fd22cee4eddbf5d9bfed615b0d35c 10146 contrib/net extra rt73_1.0.3.6-cvs20080623-dfsg1-3.diff.gz
 4c6f4cd65ab875534f8362f4229663b6 241998 contrib/net extra rt73-source_1.0.3.6-cvs20080623-dfsg1-3_all.deb
 f94259fcfda4c07f526d1a8e9a417d61 17202 contrib/net extra rt73-common_1.0.3.6-cvs20080623-dfsg1-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJf7Da79ZNCRIGYgcRAqF2AJ9D1pffLrTOKSiTgN5NzlghKK21GwCgulBS
vy2saCBw4VoV1QMBMJZQ6EM=
=8y0I
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 10:40:20 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 11:02:22 2025; Machine Name: buxtehude
