The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Linux Orinoco drivers information leakage


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Wed, 12 Oct 2005 14:34:59 +0800
From: Meder Kydyraliev <meder@o0o.nu.>
To: [email protected]
Subject: Linux Orinoco drivers information leakage
Message-ID: <20051012063459.GA8330@localhost.>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: D00D00 v.0.1
X-PGP-Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBCC4CF2D
X-PGP-Fingerprint: 37C1 EEA1 8F87 6275 B7A8  4959 FE5C 4BB7 BCC4 CF2D
X-Virus-Scanned: antivirus-gw at tyumen.ru


          Linux Orinoco Driver Information Leakage Vulnerability
          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I. Background
~~~~~~~~~~~~~

http://sourceforge.net/projects/orinoco

The Linux orinoco driver, included in the kernel since 2.4.3 and in David
Hinds' pcmcia-cs package since 3.1.30 supports a large number of wireless NICs
based on the Lucent/Agere Hermes, Symbol Spectrum24 and Intersil/Conexant
Prism 2/2.5/3 chipsets.


II. Description
~~~~~~~~~~~~~~~

Due to padding of Ethernet frames with uninitialized data, it is possible to
remotely obtain parts of memory which may contain sensitive information [1].

Following sample dumps illustrate the problem:

13:21:58.901746 arp reply 192.168.0.179 is-at 00:09:5b:3e:ca:d4
        0x0000:  0001 0800 0604 0002 0009 5b3e cad4 c0a8  ..........[>....
        0x0010:  00b3 0012 f0bb 22ae c0a8 001f 6f73 743a  ......".....ost:
        0x0020:  7e20 2d20 5368 656c 6c20 4e6f 2e20 7353  ~.-.Shell.No..sS
        0x0030:  8071                                     .q

13:21:17.811889 arp reply 192.168.0.179 is-at 00:09:5b:3e:ca:d4
        0x0000:  0001 0800 0604 0002 0009 5b3e cad4 c0a8  ..........[>....
        0x0010:  00b3 0012 f0bb 22ae c0a8 001f 2054 7261  ......"......Tra
        0x0020:  636b 3035 2e6d 7033 2028 343a 3139 1b62  ck05.mp3.(4:19.b
        0x0030:  6dd1                                     m.

Attacker can use arping(8) to send ARP requests to the target running
vulnerable orinoco drivers and observe contents of uninitialized memory in
the ARP replies.


III. Vendor status 
~~~~~~~~~~~~~~~~~~

Developers of linux orinoco drivers where notified and the fix, which has been
incorporated into 2.6.13.4 kernel, was issued.

Patch can be viewed here:
http://www.kernel.org/hg/linux-2.6/?cmd=filediff;node=feecb2ffde28639e60ede769c6f817dc536c677b;file=drivers/net/wireless/orinoco.c


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~
4/10/2005 - Issue discovered. Vendor notified.
4/10/2005 - Vendor response received along with the patch to remedy the problem.
10/10/2005 - Confirmed that patch was incorporated into 2.6.13.4 kernel.


V. Acknowledgements
~~~~~~~~~~~~~~~~~~~

Thanks to Pavel Roskin for quick response and fix.


VI. References
~~~~~~~~~~~~~~

1. http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf


-- 
http://o0o.nu/~meder


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру