ndiswrapper-source: longs ESSIDs can expose security vulnerability

Debian Bug report logs - #504696
ndiswrapper-source: longs ESSIDs can expose security vulnerability

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Kel Modderman <kel@otaku42.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ndiswrapper-source: longs ESSIDs can expose security vulnerability

Date: Thu, 06 Nov 2008 20:48:42 +1000

Package: ndiswrapper-source
Version: 1.53-1
Severity: grave
Tags: security patch
Justification: user security hole

>From [0]:
Anders Kaseorg discovered that ndiswrapper did not correctly handle long
ESSIDs. For a system using ndiswrapper, a physically near-by attacker could
generate specially crafted wireless network traffic and execute arbitrary
code with root privileges. (CVE-2008-4395 [1])

Attached is the diff contrinuted by Anders Kaseorg to [2].

[0] http://www.ubuntu.com/usn/usn-662-1
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4395
[2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/275860

Thanks, Kel.
---
diff --git a/ubuntu/ndiswrapper/iw_ndis.c b/ubuntu/ndiswrapper/iw_ndis.c
index b114ef6..01d3751 100644
--- a/ubuntu/ndiswrapper/iw_ndis.c
+++ b/ubuntu/ndiswrapper/iw_ndis.c
@@ -47,12 +47,7 @@ int set_essid(struct ndis_device *wnd, const char *ssid, int ssid_len)
 	req.length = ssid_len;
 	if (ssid_len)
 		memcpy(&req.essid, ssid, ssid_len);
-	DBG_BLOCK(2) {
-		char buf[NDIS_ESSID_MAX_SIZE+1];
-		memcpy(buf, ssid, ssid_len);
-		buf[ssid_len] = 0;
-		TRACE2("ssid = '%s'", buf);
-	}
+	TRACE2("ssid = '%.*s'", ssid_len, ssid);
 
 	res = mp_set(wnd, OID_802_11_SSID, &req, sizeof(req));
 	if (res) {
@@ -125,7 +120,6 @@ static int iw_get_essid(struct net_device *dev, struct iw_request_info *info,
 		EXIT2(return -EOPNOTSUPP);
 	}
 	memcpy(extra, req.essid, req.length);
-	extra[req.length] = 0;
 	if (req.length > 0)
 		wrqu->essid.flags  = 1;
 	else
@@ -1000,7 +994,7 @@ static int iw_set_nick(struct net_device *dev, struct iw_request_info *info,
 
 	if (wrqu->data.length > IW_ESSID_MAX_SIZE || wrqu->data.length <= 0)
 		return -EINVAL;
-	memset(wnd->nick, 0, sizeof(wnd->nick));
+	wnd->nick_len = wrqu->data.length;
 	memcpy(wnd->nick, extra, wrqu->data.length);
 	return 0;
 }
@@ -1010,7 +1004,7 @@ static int iw_get_nick(struct net_device *dev, struct iw_request_info *info,
 {
 	struct ndis_device *wnd = netdev_priv(dev);
 
-	wrqu->data.length = strlen(wnd->nick);
+	wrqu->data.length = wnd->nick_len;
 	memcpy(extra, wnd->nick, wrqu->data.length);
 	return 0;
 }
diff --git a/ubuntu/ndiswrapper/ndis.h b/ubuntu/ndiswrapper/ndis.h
index 27ba99e..65d6b0b 100644
--- a/ubuntu/ndiswrapper/ndis.h
+++ b/ubuntu/ndiswrapper/ndis.h
@@ -878,6 +878,7 @@ struct ndis_device {
 	unsigned long scan_timestamp;
 	struct encr_info encr_info;
 	char nick[IW_ESSID_MAX_SIZE];
+	size_t nick_len;
 	struct ndis_essid essid;
 	struct auth_encr_capa capa;
 	enum ndis_infrastructure_mode infrastructure_mode;
diff --git a/ubuntu/ndiswrapper/proc.c b/ubuntu/ndiswrapper/proc.c
index fd5f433..6feff23 100644
--- a/ubuntu/ndiswrapper/proc.c
+++ b/ubuntu/ndiswrapper/proc.c
@@ -97,10 +97,8 @@ static int procfs_read_ndis_encr(char *page, char **start, off_t off,
 	p += sprintf(p, "\n");
 
 	res = mp_query(wnd, OID_802_11_SSID, &essid, sizeof(essid));
-	if (!res) {
-		essid.essid[essid.length] = '\0';
-		p += sprintf(p, "essid=%s\n", essid.essid);
-	}
+	if (!res)
+		p += sprintf(p, "essid=%.*s\n", essid.length, essid.essid);
 	res = mp_query_int(wnd, OID_802_11_ENCRYPTION_STATUS, &encr_status);
 	if (!res) {
 		typeof(&wnd->encr_info.keys[0]) tx_key;
diff --git a/ubuntu/ndiswrapper/wrapndis.c b/ubuntu/ndiswrapper/wrapndis.c
index f6e5d46..35ef1cd 100644
--- a/ubuntu/ndiswrapper/wrapndis.c
+++ b/ubuntu/ndiswrapper/wrapndis.c
@@ -2028,7 +2028,7 @@ static wstdcall NTSTATUS NdisAddDevice(struct driver_object *drv_obj,
 	wnd->attributes = 0;
 	wnd->dma_map_count = 0;
 	wnd->dma_map_addr = NULL;
-	wnd->nick[0] = 0;
+	wnd->nick_len = 0;
 	init_timer(&wnd->hangcheck_timer);
 	wnd->scan_timestamp = 0;
 	init_timer(&wnd->iw_stats_timer);
---

Message #10 received at 504696@bugs.debian.org (full text, mbox, reply):

From: Kel Modderman <kel@otaku42.de>

To: 504696@bugs.debian.org

Subject: Re: Bug#504696: ndiswrapper-source: longs ESSIDs can expose security vulnerability

Date: Thu, 6 Nov 2008 21:10:56 +1000

Attached is debdiff, have uploaded a package to mentors.debian.net:
http://mentors.debian.net/debian/pool/main/n/ndiswrapper/ndiswrapper_1.53-2.dsc
---
diff -u ndiswrapper-1.53/debian/changelog ndiswrapper-1.53/debian/changelog
--- ndiswrapper-1.53/debian/changelog
+++ ndiswrapper-1.53/debian/changelog
@@ -1,3 +1,11 @@
+ndiswrapper (1.53-2) unstable; urgency=high
+
+  * Add debian/patches/CVE-2008-4395.patch to fix a vulnerability in handling
+    of long ESSIDs which allows execution of code as root via remote attacker.
+    (Closes: #504696)
+
+ -- Kel Modderman <kel@otaku42.de>  Thu, 06 Nov 2008 21:06:38 +1000
+
 ndiswrapper (1.53-1) unstable; urgency=low
 
   [ Kel Modderman ]
diff -u ndiswrapper-1.53/debian/patches/series ndiswrapper-1.53/debian/patches/series
--- ndiswrapper-1.53/debian/patches/series
+++ ndiswrapper-1.53/debian/patches/series
@@ -1,0 +2 @@
+CVE-2008-4395.patch
only in patch4:
unchanged:
--- ndiswrapper-1.53.orig/debian/patches/CVE-2008-4395.patch
+++ ndiswrapper-1.53/debian/patches/CVE-2008-4395.patch
@@ -0,0 +1,85 @@
+Anders Kaseorg discovered that ndiswrapper did not correctly handle long
+ESSIDs. For a system using ndiswrapper, a physically near-by attacker
+could generate specially crafted wireless network traffic and execute
+arbitrary code with root privileges. (CVE-2008-4395)
+
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/275860
+---
+--- a/driver/iw_ndis.c
++++ b/driver/iw_ndis.c
+@@ -47,12 +47,7 @@ int set_essid(struct ndis_device *wnd, c
+ 	req.length = ssid_len;
+ 	if (ssid_len)
+ 		memcpy(&req.essid, ssid, ssid_len);
+-	DBG_BLOCK(2) {
+-		char buf[NDIS_ESSID_MAX_SIZE+1];
+-		memcpy(buf, ssid, ssid_len);
+-		buf[ssid_len] = 0;
+-		TRACE2("ssid = '%s'", buf);
+-	}
++	TRACE2("ssid = '%.*s'", ssid_len, ssid);
+ 
+ 	res = mp_set(wnd, OID_802_11_SSID, &req, sizeof(req));
+ 	if (res) {
+@@ -125,7 +120,6 @@ static int iw_get_essid(struct net_devic
+ 		EXIT2(return -EOPNOTSUPP);
+ 	}
+ 	memcpy(extra, req.essid, req.length);
+-	extra[req.length] = 0;
+ 	if (req.length > 0)
+ 		wrqu->essid.flags  = 1;
+ 	else
+@@ -1000,7 +994,7 @@ static int iw_set_nick(struct net_device
+ 
+ 	if (wrqu->data.length > IW_ESSID_MAX_SIZE || wrqu->data.length <= 0)
+ 		return -EINVAL;
+-	memset(wnd->nick, 0, sizeof(wnd->nick));
++	wnd->nick_len = wrqu->data.length;
+ 	memcpy(wnd->nick, extra, wrqu->data.length);
+ 	return 0;
+ }
+@@ -1010,7 +1004,7 @@ static int iw_get_nick(struct net_device
+ {
+ 	struct ndis_device *wnd = netdev_priv(dev);
+ 
+-	wrqu->data.length = strlen(wnd->nick);
++	wrqu->data.length = wnd->nick_len;
+ 	memcpy(extra, wnd->nick, wrqu->data.length);
+ 	return 0;
+ }
+--- a/driver/ndis.h
++++ b/driver/ndis.h
+@@ -878,6 +878,7 @@ struct ndis_device {
+ 	unsigned long scan_timestamp;
+ 	struct encr_info encr_info;
+ 	char nick[IW_ESSID_MAX_SIZE];
++	size_t nick_len;
+ 	struct ndis_essid essid;
+ 	struct auth_encr_capa capa;
+ 	enum ndis_infrastructure_mode infrastructure_mode;
+--- a/driver/proc.c
++++ b/driver/proc.c
+@@ -97,10 +97,8 @@ static int procfs_read_ndis_encr(char *p
+ 	p += sprintf(p, "\n");
+ 
+ 	res = mp_query(wnd, OID_802_11_SSID, &essid, sizeof(essid));
+-	if (!res) {
+-		essid.essid[essid.length] = '\0';
+-		p += sprintf(p, "essid=%s\n", essid.essid);
+-	}
++	if (!res)
++		p += sprintf(p, "essid=%.*s\n", essid.length, essid.essid);
+ 	res = mp_query_int(wnd, OID_802_11_ENCRYPTION_STATUS, &encr_status);
+ 	if (!res) {
+ 		typeof(&wnd->encr_info.keys[0]) tx_key;
+--- a/driver/wrapndis.c
++++ b/driver/wrapndis.c
+@@ -2028,7 +2028,7 @@ static wstdcall NTSTATUS NdisAddDevice(s
+ 	wnd->attributes = 0;
+ 	wnd->dma_map_count = 0;
+ 	wnd->dma_map_addr = NULL;
+-	wnd->nick[0] = 0;
++	wnd->nick_len = 0;
+ 	init_timer(&wnd->hangcheck_timer);
+ 	wnd->scan_timestamp = 0;
+ 	init_timer(&wnd->iw_stats_timer);
---

Message #15 received at 504696-close@bugs.debian.org (full text, mbox, reply):

From: Kel Modderman <kel@otaku42.de>

To: 504696-close@bugs.debian.org

Subject: Bug#504696: fixed in ndiswrapper 1.53-2

Date: Thu, 06 Nov 2008 14:17:05 +0000

Source: ndiswrapper
Source-Version: 1.53-2

We believe that the bug you reported is fixed in the latest version of
ndiswrapper, which is due to be installed in the Debian FTP archive:

ndiswrapper-common_1.53-2_all.deb
  to pool/main/n/ndiswrapper/ndiswrapper-common_1.53-2_all.deb
ndiswrapper-source_1.53-2_all.deb
  to pool/main/n/ndiswrapper/ndiswrapper-source_1.53-2_all.deb
ndiswrapper-utils-1.9_1.53-2_amd64.deb
  to pool/main/n/ndiswrapper/ndiswrapper-utils-1.9_1.53-2_amd64.deb
ndiswrapper_1.53-2.diff.gz
  to pool/main/n/ndiswrapper/ndiswrapper_1.53-2.diff.gz
ndiswrapper_1.53-2.dsc
  to pool/main/n/ndiswrapper/ndiswrapper_1.53-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 504696@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kel Modderman <kel@otaku42.de> (supplier of updated ndiswrapper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 06 Nov 2008 21:06:38 +1000
Source: ndiswrapper
Binary: ndiswrapper-common ndiswrapper-utils-1.9 ndiswrapper-source
Architecture: source all amd64
Version: 1.53-2
Distribution: unstable
Urgency: high
Maintainer: Julian Andres Klode <jak@jak-linux.org>
Changed-By: Kel Modderman <kel@otaku42.de>
Description: 
 ndiswrapper-common - Common scripts required to use the utilities for ndiswrapper
 ndiswrapper-source - Source for the ndiswrapper Linux kernel module
 ndiswrapper-utils-1.9 - Userspace utilities for the ndiswrapper Linux kernel module
Closes: 504696
Changes: 
 ndiswrapper (1.53-2) unstable; urgency=high
 .
   * Add debian/patches/CVE-2008-4395.patch to fix a vulnerability in handling
     of long ESSIDs which allows execution of code as root via remote attacker.
     (Closes: #504696)
Checksums-Sha1: 
 dd1fb5f41cfd88693257446beb03fd8fecc4365d 1150 ndiswrapper_1.53-2.dsc
 31b1dfb0ef191c5adb00e63f7398894ae5dd9e95 12051 ndiswrapper_1.53-2.diff.gz
 382c6e8153a33253c4fa347f6dc5e26d87cd6e89 20926 ndiswrapper-common_1.53-2_all.deb
 91918b26d2d8e9a4d5f2dccac82f3e500a811269 160538 ndiswrapper-source_1.53-2_all.deb
 5abe81b19cf511bd75bbebe9353cfee6643a82d0 36652 ndiswrapper-utils-1.9_1.53-2_amd64.deb
Checksums-Sha256: 
 1012883ac3ab1f78cacdfcf4b9bf692736b34a4b0a3f5b5299c105a908f41c9d 1150 ndiswrapper_1.53-2.dsc
 3666cef296fd69a365baca816388cf7c19e40d5c2fea6740bb8040e70d4af87d 12051 ndiswrapper_1.53-2.diff.gz
 dfb2857b1641419c38d781738610247234d648b489d5f06e6e86d1401c0678eb 20926 ndiswrapper-common_1.53-2_all.deb
 1153cf9cef77bf3fb391358b1e13a23ed2bf07a846b9600d8059223d4da97183 160538 ndiswrapper-source_1.53-2_all.deb
 770ec84e1bbcae2bd7ac2fa85f46609a7eea1b4c912be9f7de138f24c9559ecd 36652 ndiswrapper-utils-1.9_1.53-2_amd64.deb
Files: 
 77adee45a853283d511607c463605ff7 1150 misc optional ndiswrapper_1.53-2.dsc
 acd1dddba548553ceb140b0ea28a1caa 12051 misc optional ndiswrapper_1.53-2.diff.gz
 b2495ad3765d61a6fd56baa191caddb2 20926 misc optional ndiswrapper-common_1.53-2_all.deb
 d19395ffb21badc09514741f45ce45d2 160538 misc optional ndiswrapper-source_1.53-2_all.deb
 dabb97f1ffbfe45b57cffb7b5e41a486 36652 misc optional ndiswrapper-utils-1.9_1.53-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkS+DMACgkQrCpf/gCCPsK9kgCgg8ATbHIbdwd+KcNi8wNE9Gb4
6FMAn0skaBfE/1MB6yTRnCA5x5RshmXG
=6OFM
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.