Journal in Computer Virology, Volume 4, Issue 1, pp 25–37

Discovering and exploiting 802.11 wireless driver vulnerabilities

SSTIC 2007 Best Academic Papers

Abstract

802.11 wireless local area networks are notorious for their many critical security flaws. Last year, the world's first 802.11 wireless driver vulnerabilities were publicly disclosed, making them a recent and critical threat. In this paper, we present our research results on 802.11 driver vulnerabilities, focusing on the design and implementation of a fully featured 802.11 fuzzer that enabled us to find several critical implementation bugs that are potentially exploitable by attackers. Lastly, we detail the successful exploitation of the first 802.11 remote kernel stack overflow under Linux (madwifi driver).



Copyright information

© Springer-Verlag France 2007

Authors and Affiliations

France Telecom Orange Labs, Network and Service Security Labs, Issy-les-Moulineaux Cedex 9, France
