Info

Disclosure

Dec 08, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Dec 08, 2006

Description

A buffer overflow exists in MadWifi. The Atheros driver fails to validate data passed to the giwscan_cb() and encode_ie() functions resulting in a stack overflow. With a specially crafted 802.11 beacon or probe response frame, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification

Location: Wireless Vector
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Vendor Verified, Vendor Verified, Coordinated Disclosure

Solution

Upgrade to version 0.9.2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Madwifi

MadWifi

0.9.2

References

CVE ID: 2006-6332 (see also: NVD)
Bugtraq ID: 21486
Secunia Advisory ID: 23277 23335 23694
ISS X-Force ID: 30800
Metasploit ID: 31267
Milw0rm: 3389
Exploit Database: 3389
CERT VU: 925529
VUPEN Advisory: ADV-2006-4901
Mail List Post: http://archives.neohapsis.com/archives/dailydave/2006-q4/0291.html
http://archives.neohapsis.com/archives/dailydave/2006-q4/0298.html
http://whitestar.linuxbox.org/pipermail/exploits/2006-December/000076.html
Other Advisory URL: http://madwifi.org/wiki/news/20061207/release-0-9-2-1-fixes-critical-security-issue [ Link is 404 ]
http://www.ubuntu.com/usn/usn-404-1
Generic Exploit URL: http://whitestar.linuxbox.org/pipermail/exploits/2007-March/000134.html

Credit

Julien Tinnes - julien.tinnesfrancetelecom.com -
Laurent Butti -
Jerome Razniewski -

Direct URL: http://osvdb.org/31267