From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 26 Oct 2005 20:06:11 +0200
Subject: [UNIX] Linux Orinoco Drivers Information Leakage
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20051027085237.964BB584E@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Linux Orinoco Drivers Information Leakage
------------------------------------------------------------------------
SUMMARY
The <http://sourceforge.net/projects/orinoco>; Linux Orinoco driver,
included in the kernel since 2.4.3 and in David Hinds' pcmcia-cs package
since 3.1.30 supports a large number of wireless NICs based on the
Lucent/Agere Hermes, Symbol Spectrum24 and Intersil/Conexant Prism 2/2.5/3
chipsets.
Vulnerability in Orinoco Drivers allows Information Leakage.
DETAILS
Due to padding of Ethernet frames with uninitialized data, it is possible
to remotely obtain parts of memory which may contain sensitive
information.
Following sample dumps illustrate the problem:
13:21:58.901746 arp reply 192.168.0.179 is-at 00:09:5b:3e:ca:d4
0x0000: 0001 0800 0604 0002 0009 5b3e cad4 c0a8 ..........[>....
0x0010: 00b3 0012 f0bb 22ae c0a8 001f 6f73 743a ......".....ost:
0x0020: 7e20 2d20 5368 656c 6c20 4e6f 2e20 7353 ~.-.Shell.No..sS
0x0030: 8071 .q
13:21:17.811889 arp reply 192.168.0.179 is-at 00:09:5b:3e:ca:d4
0x0000: 0001 0800 0604 0002 0009 5b3e cad4 c0a8 ..........[>....
0x0010: 00b3 0012 f0bb 22ae c0a8 001f 2054 7261 ......"......Tra
0x0020: 636b 3035 2e6d 7033 2028 343a 3139 1b62 ck05.mp3.(4:19.b
0x0030: 6dd1 m.
Attacker can use arping(8) to send ARP requests to the target running
vulnerable orinoco drivers and observe contents of uninitialized memory in
the ARP replies.
Vendor status:
Developers of linux orinoco drivers where notified and the fix, which has
been incorporated into 2.6.13.4 kernel, was issued.
Fix / Patch:
<http://www.kernel.org/hg/linux-2.6/?cmd=filediff;node=feecb2ffde28639e60ede769c6f817dc536c677b;file=drivers/net/wireless/orinoco.c> http://www.kernel.org/hg/linux-2.6/ .... /wireless/orinoco.c
Disclosure Timeline:
04.10.05 - Issue discovered. Vendor notified.
04.10.05 - Vendor response received along with the patch to remedy the
problem.
10.10.05 - Confirmed that patch was incorporated into 2.6.13.4 kernel.
ADDITIONAL INFORMATION
The information has been provided by <http://o0o.nu/~meder>; Meder
Kydyraliev.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
