Vigil@nce: Linux kernel, buffer overflow of Libertas
January 2010 by Vigil@nce
An attacker can send a Wi-Fi frame, in order to generate an
overflow of one byte in the Libertas driver, which leads to a
denial of service, and eventually to code execution.
– Severity: 2/4
– Consequences: administrator access/rights, denial of service of
computer
– Provenance: radio connection
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 07/01/2010
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The Linux kernel has a driver for Libertas Wi-Fi/802.11 devices.
The 802.11 protocol uses a SSID to identify a BSS (Basic Service
Set) network.
The lbs_get_essid() function of the drivers/net/wireless/libertas/wext.c
file copies the SSID contained in the frame. However, this
function appends an additional null byte after the end of a 32
byte SSID.
An attacker can therefore send a Wi-Fi frame, in order to generate
an overflow of one byte in the Libertas driver, which leads to a
denial of service, and eventually to code execution.
CHARACTERISTICS
– Identifiers: VIGILANCE-VUL-9325
– Url: http://vigilance.fr/vulnerability/Linux-kernel-buffer-overflow-of-Libertas-9325