Android Wi-Fi management component wpa_supplicant has a high-risk vulnerability that can lead to leaked memory contents, denial of service (DoS) or arbitrary code execution - vulnerability warning - the black bar safety net

ID MYHACK58:62201561596
Type myhack58
Reporter Anonymous
Modified 2015-04-24T00:00:00


The popular WLAN management component wpa_supplicant has a high-risk vulnerability, CVE-2015-1863, that can lead to leaked memory contents, denial of service (DoS) or arbitrary code execution. wpa_supplicant runs on Android, Linux, BSD, Mac OS X, Windows and some other operating systems. The vulnerability mainly affects Android, but the other systems may be affected as well.

Vulnerability background

wpa_supplicant started as an open-source program that Google later ported to Android. Its developer and maintainer, Jouni Malinen, notes that wpa_supplicant runs well on both PCs and embedded systems and is designed to run in the background as a management and control daemon. On Wednesday (April 22, 2015) Malinen announced the vulnerability, numbered CVE-2015-1863. He said it affects wpa_supplicant versions v1.0 through v2.4, and only builds with the CONFIG_P2P build option enabled. An attacker within radio range triggers it by sending a management frame with specially crafted content and waiting for wpa_supplicant on the target to parse the SSID information in that frame when it creates or updates a P2P peer entry.

Vulnerability details

The vulnerability stems from missing data validation, specifically a missing check on the length of the received data. An SSID is at most 32 bytes, but the element that carries it in a frame has an 8-bit length field. An attacker who sends a P2P SSID longer than the valid 32 bytes overwrites the data that sits in memory after the fixed 32-byte SSID buffer. Writing into memory this way can crash wpa_supplicant and the Wi-Fi service, producing a DoS. To mount the attack, the attacker only needs to send the target a Wi-Fi Probe Response frame or a P2P Public Action frame.

The attacker can also use the P2P three-way handshake (group owner negotiation) to write data into the target's memory and to expose memory contents, or go further and execute arbitrary code in the background on the target. The vulnerability is somewhat similar to the earlier Heartbleed flaw, the difference being that with the wpa_supplicant vulnerability the attacker can not only read memory contents but also modify them. If the device has an active P2P operation, for example a P2P_FIND or P2P_LISTEN started through the control interface, triggering the vulnerability is very simple. Even without an active P2P operation, it may still be possible to trigger the vulnerability in some cases.

Vulnerability submission and fix

The vulnerability was reported by members of the Alibaba security team. Google has released a patch, and wpa_supplicant v2.5, which includes the upstream fix that validates the SSID element length before copying it, no longer has this problem. Alternatively, disabling P2P on the system (building without CONFIG_P2P, or setting p2p_disabled=1 in the wpa_supplicant configuration) also avoids the vulnerability.
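The copy path described above, as an added example that is not code from this page or from the wpa_supplicant project: a cut-down C model of the P2P peer record with the vulnerable unchecked copy beside the length-validated one, each fed a constructed Probe Response style element list whose SSID element claims 40 bytes. The struct layout (including the canary and slack fields), the constructed frame bytes and the helper names (find_ssid_ie, p2p_copy_ssid_vulnerable, p2p_copy_ssid_fixed, build_frame_ies, feed_ssid, last_canary) are assumptions made for this demonstration, not wpa_supplicant's own code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SSID_MAX_LEN 32     /* an 802.11 SSID is at most 32 octets */
#define WLAN_EID_SSID 0     /* element ID of the SSID element */
#define CANARY 0xA5A5A5A5u

/* Cut-down per-peer record (assumed layout, not wpa_supplicant's real struct
 * p2p_device). The canary stands in for the members the real overflow hits;
 * the slack keeps a 255-byte payload inside this allocation for the demo. */
struct p2p_device {
    uint8_t ssid[SSID_MAX_LEN];
    uint8_t ssid_len;
    uint8_t pad[3];
    uint32_t canary;
    uint8_t slack[216];
};

/* Bounds-checked walk over a frame body's element list; returns the SSID
 * element or NULL. The bug under discussion is downstream, in the copy. */
static const uint8_t *find_ssid_ie(const uint8_t *ies, size_t ies_len)
{
    size_t pos = 0;
    while (pos + 2 <= ies_len) {
        uint8_t id = ies[pos], len = ies[pos + 1];
        if (pos + 2 + len > ies_len)
            return NULL;        /* truncated element: reject the frame */
        if (id == WLAN_EID_SSID)
            return ies + pos;
        pos += 2 + len;
    }
    return NULL;
}

/* Vulnerable pattern (1.0 - 2.4): the element's 8-bit length is trusted. */
static int p2p_copy_ssid_vulnerable(struct p2p_device *dev, const uint8_t *ie)
{
    size_t len = ie[1];
    memcpy(dev->ssid, ie + 2, len);     /* up to 255 bytes into 32 */
    dev->ssid_len = (uint8_t)len;
    return 0;
}

/* Fixed pattern (the check 2.5 added, modelled here): validate first. */
static int p2p_copy_ssid_fixed(struct p2p_device *dev, const uint8_t *ie)
{
    size_t len = ie[1];
    if (len > SSID_MAX_LEN)
        return -1;                      /* discard this peer update */
    memcpy(dev->ssid, ie + 2, len);
    dev->ssid_len = (uint8_t)len;
    return 0;
}

/* Constructed Probe Response style body: Supported Rates, then an SSID
 * element of ssid_len 'A' bytes. Returns the number of bytes written. */
static size_t build_frame_ies(uint8_t *out, uint8_t ssid_len)
{
    static const uint8_t rates[] = { 1, 4, 0x82, 0x84, 0x8b, 0x96 };
    size_t pos = sizeof(rates);
    memcpy(out, rates, sizeof(rates));
    out[pos++] = WLAN_EID_SSID;
    out[pos++] = ssid_len;
    memset(out + pos, 'A', ssid_len);
    return pos + ssid_len;
}

/* Run one constructed frame through the chosen copy routine on a zeroed
 * record (calloc, like os_zalloc). Returns -2 on setup failure, -1 if the
 * element was rejected, 0 if copied with the canary intact, 1 if the copy
 * overran into the canary. The canary seen is also left in last_canary. */
static uint32_t last_canary;
static int feed_ssid(int use_fixed, uint8_t ssid_len)
{
    uint8_t ies[6 + 2 + 255];
    size_t ies_len = build_frame_ies(ies, ssid_len);
    const uint8_t *ie = find_ssid_ie(ies, ies_len);
    struct p2p_device *dev = calloc(1, sizeof(*dev));
    int rc;
    if (!dev || !ie) { free(dev); return -2; }
    dev->canary = CANARY;
    rc = use_fixed ? p2p_copy_ssid_fixed(dev, ie)
                   : p2p_copy_ssid_vulnerable(dev, ie);
    last_canary = dev->canary;
    free(dev);
    if (rc < 0)
        return -1;
    return last_canary == CANARY ? 0 : 1;
}

int main(void)
{
    int r = feed_ssid(0, 40);
    printf("vulnerable copy, 40-byte SSID: result=%d canary=0x%08x\n", r, (unsigned)last_canary);
    r = feed_ssid(1, 40);
    printf("fixed copy, 40-byte SSID:      result=%d canary=0x%08x\n", r, (unsigned)last_canary);
    return 0;
}
```

Compile with any C99 compiler and run: the vulnerable path reports success while the canary comes back as 0x41414141 (the attacker's 'A' bytes), whereas the fixed path rejects the 40-byte element and the canary survives. The outer element walk is bounds-checked against the frame, which is exactly why the bug was easy to miss: the frame is well-formed, and only the semantic limit of 32 bytes on the SSID payload is violated. In the real daemon there is no slack field, so the overrun continues past the end of the heap allocation, which is what turns a corrupted peer record into the crash, memory disclosure or code execution the advisory describes.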