Wireless networking driver vulnerabilities

July 12, 2006

This article was contributed by Jake Edge.

One of the major conveniences of wireless networking is its invisibility, but that is also one of its major weaknesses. A recent announcement of wireless driver flaws serves as a reminder that simply having a wireless card installed may be enough to allow unauthorized access. Unlike other network devices, there is no wire to remind the user that they may be making their computer vulnerable to malware.

Two security researchers used an open source tool called lorcon to send a large number of malformed wireless frames to various wireless devices, looking to see whether the drivers would fail when they received unexpected data. They found many flaws in the wireless drivers, including one that would allow a malicious user to take over a machine equipped with the vulnerable wireless card. Many of the driver flaws they found did not require that the user or wireless card actually be associated with a network in order to be exploited: the driver only had to receive and parse the frame.
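The class of bug that this kind of fuzzing turns up is easy to illustrate. Beacon and probe-response frames carry a list of information elements, each a one-byte ID, a one-byte length and a payload; a driver that trusts the length byte it received over the air will copy or skip as many bytes as the frame tells it to. The following is an added example, not code from any real driver and not the flaw the researchers found: a minimal SSID-element parser in its vulnerable and hardened forms, run over constructed frames. The struct layout, the function names and the frame bytes are all assumptions made for the illustration.

```c
/*
 * Added example (not from any real driver or from the research described
 * above): an 802.11 information-element (IE) parser in the style of the
 * SSID handling a driver performs on beacon/probe-response frames, shown
 * in a vulnerable form that trusts the length octet received over the air
 * and a hardened form that bounds it. The frame bytes are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IE_SSID        0x00   /* SSID element ID (IEEE 802.11) */
#define IE_SUPP_RATES  0x01   /* Supported Rates element ID */
#define SSID_FIELD_LEN 32     /* maximum SSID length per the standard */

/* The SSID field is 32 bytes; the extra bytes stand in for whatever the
 * driver keeps next to it. Oversizing the backing array keeps the vulnerable
 * parser's overrun inside memory we can inspect instead of crashing. */
struct bss_info {
    uint8_t storage[64];      /* storage[0..32) is the SSID field */
    uint8_t ssid_len;
};

/* Vulnerable: copies ie_len bytes wherever the frame says, unchecked. */
int parse_ssid_vulnerable(const uint8_t *ies, size_t len, struct bss_info *bss)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t id = ies[off], ie_len = ies[off + 1];
        if (id == IE_SSID) {
            memcpy(bss->storage, ies + off + 2, ie_len); /* overruns if ie_len > 32 */
            bss->ssid_len = ie_len;
            return 0;
        }
        off += 2 + ie_len;   /* also walks past the frame end if ie_len lies */
    }
    return -1;               /* no SSID element present */
}

/* Hardened: every length octet is checked against the bytes remaining in
 * the frame and against the destination field before it is used. */
int parse_ssid_hardened(const uint8_t *ies, size_t len, struct bss_info *bss)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t id = ies[off], ie_len = ies[off + 1];
        if (ie_len > len - off - 2)
            return -2;       /* element claims bytes the frame does not carry */
        if (id == IE_SSID) {
            if (ie_len > SSID_FIELD_LEN)
                return -3;   /* would overflow the SSID field */
            memcpy(bss->storage, ies + off + 2, ie_len);
            bss->ssid_len = ie_len;
            return 0;
        }
        off += 2 + ie_len;
    }
    return -1;
}

/* Number of non-zero bytes written beyond the 32-byte SSID field. */
int bytes_past_ssid_field(const struct bss_info *bss)
{
    int n = 0;
    for (size_t i = SSID_FIELD_LEN; i < sizeof bss->storage; i++)
        n += bss->storage[i] != 0;
    return n;
}

/* Constructed frames (IE lists only, no 802.11 header). */
static uint8_t oversized_ssid[2 + 40];                          /* claims 40 bytes */
static const uint8_t truncated_ssid[] = { IE_SSID, 16, 'x' };    /* claims 16, carries 1 */
static const uint8_t valid_frame[] = { IE_SUPP_RATES, 2, 0x82, 0x84, IE_SSID, 3, 'l', 'w', 'n' };

static void build_oversized(void)
{
    oversized_ssid[0] = IE_SSID;
    oversized_ssid[1] = 40;
    memset(oversized_ssid + 2, 'A', 40);
}

/* Bytes the vulnerable parser writes past the SSID field for the 40-byte element. */
int demo_vulnerable_overrun(void)
{
    struct bss_info b;
    build_oversized();
    memset(&b, 0, sizeof b);
    if (parse_ssid_vulnerable(oversized_ssid, sizeof oversized_ssid, &b) != 0)
        return -1;
    return bytes_past_ssid_field(&b);
}

int demo_hardened_oversized(void)
{
    struct bss_info b;
    build_oversized();
    memset(&b, 0, sizeof b);
    return parse_ssid_hardened(oversized_ssid, sizeof oversized_ssid, &b);
}

int demo_hardened_truncated(void)
{
    struct bss_info b;
    memset(&b, 0, sizeof b);
    return parse_ssid_hardened(truncated_ssid, sizeof truncated_ssid, &b);
}

/* 1 if the well-formed frame yields SSID "lwn", 0 otherwise. */
int demo_hardened_valid(void)
{
    struct bss_info b;
    memset(&b, 0, sizeof b);
    if (parse_ssid_hardened(valid_frame, sizeof valid_frame, &b) != 0)
        return 0;
    return b.ssid_len == 3 && memcmp(b.storage, "lwn", 3) == 0;
}

int main(void)
{
    printf("vulnerable parser wrote %d bytes past the SSID field\n", demo_vulnerable_overrun());
    printf("hardened parser: oversized=%d truncated=%d valid=%d\n",
           demo_hardened_oversized(), demo_hardened_truncated(), demo_hardened_valid());
    return 0;
}
```

The point a fuzzer such as lorcon exercises is exactly the two checks the hardened parser adds: the declared length against the bytes actually received, and the declared length against the destination. Neither requires the card to be associated with anything; the frame only has to be heard.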

It is unclear whether this particular exploit is of concern to Linux users, as the researchers are not releasing many details until their talk at the Black Hat conference on August 2. It is clear, however, that this is an area that is ripe for exploitation on Linux as well as on other platforms. Wireless cards do a lot of things invisibly in order to determine what other devices are in the neighborhood, and those actions are often completely outside the control of the user.

Normally, open source drivers provide at least a path to quickly fix any security problems discovered -- unfortunately, this is not the case with many of the wireless drivers used on Linux systems. Wireless card manufacturers have so far been mostly unwilling to release enough information for kernel hackers to create full open source drivers for those devices. Because of this, many users are installing closed source drivers to access their wireless cards.

In some cases, users are installing Windows drivers and using NdisWrapper to link them into the Linux kernel. Because wireless vendors are relatively likely to fix their Windows drivers, this approach may provide a reasonably quick resolution to security problems. At least, that may be the case for currently-supported hardware, if the vulnerability does not originate in the interaction between the driver and NdisWrapper, and if the user knows to download and install the updated driver. Any closed-source native Linux wireless driver is likely to have a lower priority for a vendor to fix, so a security vulnerability in one might remain unpatched for a significant amount of time.

It is far better, of course, to use hardware which has open-source support. Vulnerabilities in open-source drivers should be fixed quickly, and those fixes will be made available by the distributor's package management system.

As wireless technology becomes more prevalent and more devices and protocols are deployed, it is clear that more exploits and vulnerabilities will be found. Italian researchers recently ran an experiment at the Milan airport to highlight the number of potentially exploitable Bluetooth devices they could find; in 23 hours they were able to spot 1400 of them. Wireless manufacturers and standards committees do not seem to learn from the security flaws of the past, and that will lead to exploits in the future.

New vulnerabilities

gimp: arbitrary code execution

Package(s):gimp CVE #(s):CVE-2006-3404
Created:July 10, 2006 Updated:July 27, 2006
Description: Henning Makholm discovered that gimp did not sufficiently validate the 'num_axes' parameter in XCF files. By tricking a user into opening a specially crafted XCF file with Gimp, an attacker could exploit this to execute arbitrary code with the user's privileges.
Slackware SSA:2006-207-03 gimp 2006-07-27
rPath rPSA-2006-0135-1 gimp 2006-07-24
Gentoo 200607-08:02 gimp 2006-07-23
Gentoo 200607-08 gimp 2006-07-23
Debian DSA-1116-1 gimp 2006-07-21
Mandriva MDKSA-2006:127 gimp 2006-07-18
Red Hat RHSA-2006:0598-01 gimp 2006-07-18
Fedora FEDORA-2006-795 gimp 2006-07-11
Fedora FEDORA-2006-794 gimp 2006-07-11
Ubuntu USN-312-1 gimp 2006-07-10

kernel: privilege escalation

Package(s):kernel CVE #(s):CVE-2006-2451
Created:July 7, 2006 Updated:July 26, 2006
Description: The Linux kernel, versions 2.6.13 through, has a privilege escalation vulnerability related to the handling of core dumps. A local user can create a program that core dumps into a directory the user does not have permission to write to. This can be exploited for a disk-consumption denial of service attack or to gain root privileges.
SuSE SUSE-SA:2006:042 kernel 2006-07-26
Fedora FEDORA-2006-806 kernel 2006-07-14
Fedora FEDORA-2006-801 kernel 2006-07-14
rPath rPSA-2006-0122-2 kernel 2006-07-07
Ubuntu USN-311-1 linux-source-2.6.10/-2.6.12/-2.6.15 2006-07-11
rPath rPSA-2006-0122-1 kernel 2006-07-07
Red Hat RHSA-2006:0574-01 kernel 2006-07-07

libmms: buffer overflows

Package(s):libmms CVE #(s):CVE-2006-2200
Created:July 6, 2006 Updated:December 25, 2006
Description: Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program.
Slackware SSA:2006-357-05 xine 2006-12-25
Gentoo 200607-07 xine-lib 2006-07-20
Mandriva MDKSA-2006:121 xine-lib 2006-07-12
Mandriva MDKSA-2006:117-1 libmms 2006-07-12
Ubuntu USN-315-1 libmms, xine-lib 2006-07-12
Mandriva MDKSA-2006:117 libmms 2006-07-06
Ubuntu USN-309-1 libmms 2006-07-05

ppp: privilege escalation

Package(s):ppp CVE #(s):CVE-2006-2194
Created:July 6, 2006 Updated:August 14, 2006
Description: Marcus Meissner discovered that the winbind plugin of pppd does not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes and enable the winbind plugin, a local attacker could exploit this to execute the winbind NTLM authentication helper as root. Depending on the local winbind configuration, this could potentially lead to privilege escalation.
Debian DSA-1150-1 shadow 2006-08-12
Mandriva MDKA-2006:119 ppp 2006-07-10
Debian DSA-1106-1 ppp 2006-07-10
Ubuntu USN-310-1 ppp 2006-07-05

samba: memory exhaustion

Package(s):samba CVE #(s):CVE-2006-3403
Created:July 11, 2006 Updated:July 26, 2006
Description: The smbd daemon maintains internal data structures used to track active connections to file and printer shares. In certain circumstances an attacker may be able to continually increase the memory usage of an smbd process by issuing a large number of share connection requests. This defect affects all Samba configurations, according to the Samba advisory.
Gentoo 200607-10 samba 2006-07-25
Red Hat RHSA-2006:0591-01 samba 2006-07-25
SuSE SUSE-SR:2006:017 quagga, samba, squirrelmail, CASA 2006-07-21
Slackware SSA:2006-200-01 samba 2006-07-19
Debian DSA-1110-1 samba 2006-07-16
Slackware SSA:2006-195-01 samba 2006-07-17
Fedora FEDORA-2006-808 samba 2006-07-14
Fedora FEDORA-2006-807 samba 2006-07-14
Ubuntu USN-314-1 samba 2006-07-12
rPath rPSA-2006-0128-1 samba 2006-07-11
Mandriva MDKSA-2006:120 samba 2006-07-10

shadow: privilege escalation

Package(s):passwd shadow CVE #(s):
Created:July 6, 2006 Updated:July 12, 2006
Description: Ilja van Sprundel discovered that passwd, when called with the -f, -g, or -s option, did not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes, a local attacker could exploit this to execute chfn, gpasswd, or chsh with root privileges.
Ubuntu USN-308-1 shadow 2006-07-05
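The ppp and shadow entries above share one mistake: a setuid-root program calls setuid() to drop to the invoking user and then executes a helper without looking at the return value. setuid() can fail, and the setuid(2) manual page documents EAGAIN for the case where the target uid is already at its RLIMIT_NPROC process limit, which is the limit PAM's limits module sets. An attacker who fills that limit makes the drop fail, and the helper then runs as root. The following is an added example, not code from pppd, passwd or any distribution, showing the vulnerable pattern beside a hardened one. The syscall is passed in as a function pointer so the failure can be reproduced without root or a process limit; setuid_fail_eagain is a stand-in for the kernel refusing the change, and the return codes are assumptions made for the illustration.

```c
/*
 * Added example, not code from pppd, passwd or any distribution: the
 * privilege-drop pattern behind the ppp and shadow advisories. A caller
 * that ignores setuid()'s return value goes on to run its helper as root
 * whenever the drop fails (for instance with EAGAIN from RLIMIT_NPROC).
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*setuid_fn)(uid_t);

/* Stand-in for setuid() refusing the change, as it does when the target
 * uid already has RLIMIT_NPROC processes. Not a real syscall. */
static int setuid_fail_eagain(uid_t uid)
{
    (void)uid;
    errno = EAGAIN;
    return -1;
}

/* Vulnerable: return value ignored; the caller continues as whoever it
 * already was and would exec the helper with that identity. */
int drop_privs_vulnerable(uid_t uid, setuid_fn do_setuid)
{
    do_setuid(uid);
    return 0;            /* reports "dropped" even when still root */
}

/* Hardened: a failed drop is fatal, and the result is verified rather than
 * assumed. Returns 0 only when the process really runs as uid. */
int drop_privs_hardened(uid_t uid, setuid_fn do_setuid)
{
    if (do_setuid(uid) != 0) {
        fprintf(stderr, "setuid(%u) failed: %s\n", (unsigned)uid, strerror(errno));
        return -1;       /* never reach the helper */
    }
    if (getuid() != uid || geteuid() != uid)
        return -2;       /* ids did not change as requested */
    if (uid != 0 && setuid(0) == 0)
        return -3;       /* root could be regained: saved uid still 0 */
    return 0;
}

int main(void)
{
    uid_t me = getuid();
    printf("vulnerable pattern after failed setuid: %d (continues)\n",
           drop_privs_vulnerable(me, setuid_fail_eagain));
    printf("hardened pattern after failed setuid:   %d (aborts)\n",
           drop_privs_hardened(me, setuid_fail_eagain));
    printf("hardened pattern with the real setuid:  %d\n",
           drop_privs_hardened(me, setuid));
    return 0;
}
```

The second and third checks in the hardened version matter on their own: a successful return from setuid() still leaves the saved set-user-ID as root in some calling patterns, so a program that must not be able to regain privileges should prove it cannot, not merely trust that the call returned zero.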

SHOUTcast server: multiple vulnerabilities

Package(s):shoutcast CVE #(s):
Created:July 10, 2006 Updated:July 12, 2006
Description: The SHOUTcast server is vulnerable to a file disclosure when the server receives a specially crafted GET request. Furthermore it also fails to sanitize the input passed to the "Description", "URL", "Genre", "AIM", and "ICQ" fields. It also has multiple cross-site scripting vulnerabilities.
Gentoo 200607-05 shoutcast-server-bin 2006-07-09

Page editor: Jonathan Corbet

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds