A remote overflow exists in KisMAC. KisMAC fails to check boundary in the "WavePacket:parseTaggedData()" function when parsing the Cisco vendor tag for additional SSIDs in a received 802.11 management frame resulting in a stack-based buffer overflow. With a specially crafted set of management frames that are sent onto the wireless network while the user is performing a passive network scan or tricking the user into opening a malicious pcap file, an attacker can cause arbitrary code execution resulting in a loss of integrity, and/or availability.

Upgrade to version R73p or developer version 113 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Bugtraq ID: 17198
• Secunia Advisory ID: 19354
• CVE ID: 2006-1385 (see also: NVD)
• ISS X-Force ID: 25422
• VUPEN Advisory: ADV-2006-1070
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1453.html
• Vendor Specific News/Changelog Entry: http://kismac.de/_trac/changeset/113
• Other Advisory URL: http://www.hardened-php.net/advisory_032006.115.html

• Stefan Esser - sesserhardened-php.net - www.hardened-php.net