[ALICLOUDSEC-VUL2015-001]Android wpa_supplicant WLAN Direct remote buffer overflow

[xing_fang@xxxxxxxxxxxx]

1. Advisory Information
Advisory URL: http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.p1ECc3&id=19
Date published: 2015-04-23
Date of last update: 2015-04-23
2. Vulnerability Information
Class: heap overflow
Impact: memory information leak and remote code execution
Remote Exploitable: Yes
Local Exploitable: No
CVE Name: CVE-2015-1863
Vulnerability Information and Patch: http://w1.fi/security/2015-1/
3. Vulnerability Description
In Android, wpa_supplicant is designed to be a "daemon" program that runs in 
the background and acts as the backend component controlling the wireless 
connection.. When WLAN Direct function of wpa_supplicant is enabled, a 
malformed p2p invitation type packet with long ssid can trigger a heap overflow 
vulnerability. An attacker could launch a remote attack in the wireless device 
signal coverage, access to the victim's android device and execute native code 
with the corresponding user privileges (in the android is wifi user). The user 
has permission to read the saved WIFI password, change network configuration, 
hijacking all Wi-Fi traffic. When combined with a local privilege escalation 
vulnerability that allows an attacker to remotely control a host of victims, 
implant Trojans and other underlying implant systems.
4. Vulnerable Packages
         Android 4/Android 5
    wpa_supplicant 2.x
5. Credits
Smart hardware research group of Alibaba security team for discovering the 
vulnerability.
6. Technical Description
         wpa_supplicant malloc a p2p_device structure, the oper_ssid field size 
of which is 0x20 bytes. In the p2p invitation packet the size of ssid field is 
described with an octet, the max of which is 0xff. When copy to oper_ssid 
field, the length is not checked. When the size of ssid exceeds 0x20 bytes, it 
can overflow other fields of the p2p_device structure and overflow heap 
structure when exceeds 0x40 bytes.

    In the android version 5.1, the source is:
============ p2p_device structure（ 
wpa_supplicant/p2p/p2p_i.h)============
struct p2p_device {
    [???.]
    int oper_freq;
    u8 oper_ssid[32];  <----- fixed 0x20 bytes 
    size_t oper_ssid_len;
[???.]
    /**
    * go_neg_conf - GO Negotiation Confirmation frame
    */
    struct wpabuf *go_neg_conf;
    int sd_pending_bcast_queries;
};
=========&#65288;wpa_supplicant/p2p/p2p.c p2p_add_device ==============
int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
          struct os_reltime *rx_time, int level, const u8 *ies,
          size_t ies_len, int scan_res)
{
    [???.]
    if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
       os_memcpy(dev->interface_addr, addr, ETH_ALEN);
    if (msg.ssid &&
        (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
         os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
         != 0)) {
        os_memcpy(dev->oper_ssid, msg.ssid + 2, msg.ssid[1]);
//the dest buf is 0x20, but the size is controlled by user input, trigger 
buffer overflow 
       dev->oper_ssid_len = msg.ssid[1];
    }
[???.]
7. Vulnerability Impact Assessment&#65306;
    1&#65289;Affected product&#65306;Affect all devices of android version 
below 5.1 
    2&#65289;Default configuration exploitable analysis&#65306;Although much of 
android devices enable WLAN direct when user enters WLAN Direct UI, but: 
    We found some models of well-known mobile phone manufacturers (such as 
Xiaomi, Huawei), default to open the WLAN Direct. Even if the user never 
entered the WLAN Direct UI, the attacker can initiate a WLAN direct connection 
and trigger this vulnerability without user interaction. However, an attacker 
needs to know WLAN Direct MAC address, the address is the MAC address of user 
equipment with first byte OR 2, MAC address of the user equipment can acquire 
easily by WIFI packet sniffer, so you can calculate WLAN Direct MAC address, 
for example the user device MAC address 14: 12: 34: 56: 78: 90, then WLAN 
Direct MAC address is 16:12 : 34: 56: 78: 90, which means that some models of 
mobile phone, simply open the WIFI service, can suffer from the vulnerability 
attack.
For other models without WLAN Direct default enabled need to pay attention, 
because a lot of file transfer software use WLAN Direct feature and will enable 
it. And this feature once enabled, even if the user exits the WLAN Direct UI, 
the feature is enabled until the device reboot or WIFI restart. During this 
time the device is affected and can be attack remotely.
    3&#65289;Impact
    This vulnerability can leak information, use leaked information with ROP to 
bypass ASLR and DEP. Exploit this vulnerability successfully, attackers can 
execute native code with wifi user permission. Then with wifi user permission 
can change wifi configuration and hijack network traffic. 
    And this vulnerability can be exploited remotely, if composite a local 
privilege escalation vulnerability, attackers can implant trojan without 
physically touch victim devices. 
  So this vulnerability is high risk, especially for wlan direct enabled 
default devices. 
8. Poc and Coredump 
    See Advisory URL: 
http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.p1ECc3&id=19
9. Report Timeline
&#61548;  2015-4-3&#65306;send vulnerability report to android security team
&#61548;  2015-4-8&#65306;android security team acknowledges the vulnerability 
and forward it to wpa_supplicant maintainer
&#61548;   2015-4-8&#65306;wpa_supplicant maintainer acknowledges
&#61548;  2015-4-13&#65306;wpa_supplicant maintainer acknowledges timeline for 
release a fix
&#61548;  2015-4-22&#65306;wpa_supplicant maintainer publish the fix and 
security advisory
&#61548;  2015-4-23&#65306;The advisory is published