The SSID of Evil —

Wi-Fi software security bug could leave Android, Windows, Linux open to attack

Crafted P2P SSID names could potentially be used to crash or execute code on targets.

In an e-mail today to the Open Source Software Security (oss-security) mailing list, the maintainer of wireless network client code used by Android, the Linux and BSD Unix operating systems, and Windows Wi-Fi device drivers sent an urgent fix to a flaw that could allow attackers to crash devices or even potentially inject malicious software into their memory. The flaw could allow these sorts of attacks via a malicious wireless peer-to-peer network name.

The vulnerability was discovered by the security team at Alibaba and reported to wpa_supplicant maintainer Jouni Malinen by the Google security team. The problem, Malinen wrote, is in how wpa_supplicant "uses SSID information parsed from management frames that create or update P2P peer entries" in the list of available networks. The vulnerability is similar in some ways to the Heartbleed vulnerability in that it doesn't properly check the length of transmitted data. But unlike Heartbleed, which let an attacker read contents out of memory from beyond what OpenSSL was supposed to allow, the wpa_supplicant vulnerability works both ways: it could expose contents of memory to an attacker, or allow the attacker to write new data to memory.

That's because the code fails to check the length of incoming SSID information and writes information beyond the valid 32 octets of data to memory beyond the range it was allocated. SSID information "is transmitted in an element that has a 8-bit length field and potential maximum payload length of 255 octets," Malinen wrote, and the code "was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device. This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition, about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation."

The end result is that an attacker could corrupt information in memory, causing wpa_supplicant and Wi-Fi service to crash; a crafted SSID could essentially be used as a denial-of-service attack on affected devices simply by sending out responses to Wi-Fi probe requests or P2P network Public Action messages. But it could also expose memory contents during the three-way handshake of a peer-to-peer network negotiation (the GO negotiation) or potentially allow for the attacker to execute code on the target.

For the most part, these vulnerabilities are difficult to exploit if the target isn't actively using P2P Wi-Fi connections. While it's possible that an "evil SSID" could cause denial of service without a P2P network, the greatest security risks involve peer-to-peer activity. A patch for the bug has been posted, and, based on Google's involvement, it will likely be part of an Android security update shortly. However, the distribution of that fix will depend on Android handset manufacturers and carriers to reach end users.

Channel Ars Technica