1337DAY-ID-34609

iOS/MacOS wifi proximity kernel double free in AWDL BSS Steering

As part of developing an exploit for CVE-2020-3843 (a heap overflow in AWDL) I've been looking at the code for "BSS Steering". It just so happens that a pointer to a "BSS Steering message blob" directly follows the sync tree mac address inline buffer in the awdl peer that we can overflow out of.

To actually get a BSS Steering message blob allocated requires driving the IO80211PeerBssSteeringManager state machine to BSS_STEERING_STATE_STEERING_SYNC_POST_EVAL and to set things up such that isRemotePeerSteeringNeeded will return true.

This will be the case if the target device is connected to a 5Ghz wifi network on a non-DFS channel.

I would rather report what I have as soon as possible.

This poc requires a linux machine with a wifi adaptor capable of 2.4Ghz injection. Note that the attacker doesn't have to be connected to the same network.

The bug is that in IO80211AWDLPeer::populateBssSteeringMsgBlob, if IO80211AWDLPeer::addPeerToUmiChain returns false (for example, as in this case, because the flag in bit 11 of the first flags value in the data_path_tlv payload is 0), then populateBssSteeringMsgBlob frees _bssSteeringMsgBlob but fails to NULL out the pointer in the IO80211AWDLPeer object.

Note that the other error paths in this method do NULL out _bssSteeringMsgBlob.

When the peer structure is destroyed, IO80211AWDLPeer::freeResources will be called, which will free the _bssSteeringMsgBlob a second time.

Note that there can be a considerable and controllable time period between the two frees, and attacker-controlled data will continue to be processed.

REPRO:
This repro is pretty rough; this is just a current dump of my work-in-progress exploit, but it will trigger the vulnerability if you are unable to verify the issue from the source or your AWDL testing setup.
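As an added illustration of the dangling-pointer pattern the report describes (constructed here, not the report's PoC or Apple's IO80211Family code), a C model in which the failing populate path omits the pointer clear that the other error paths have, so the teardown path releases the blob a second time. The struct members and function names are stand-ins for the IO80211AWDLPeer members mentioned above, and the release wrapper counts a repeated release instead of performing it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the two frees described in the report; not IO80211Family code. */
struct awdl_peer {
    void *bss_steering_msg_blob; /* stands in for _bssSteeringMsgBlob */
    unsigned flags;              /* stands in for the first data_path_tlv flags value */
};
/* Release wrapper: counts a second release of the same address instead of passing it to
 * free() again, since a real double free is undefined behaviour. */
static uintptr_t g_last_freed;
static int g_double_frees;
static void release_blob(void *b) {
    if (b != NULL && (uintptr_t)b == g_last_freed) { g_double_frees++; return; }
    g_last_freed = (uintptr_t)b;
    free(b);
}

/* Mirrors addPeerToUmiChain failing when bit 11 of the flags value is clear. */
static bool add_peer_to_umi_chain(const struct awdl_peer *p) { return (p->flags & (1u << 11)) != 0; }

/* Stands in for populateBssSteeringMsgBlob. With fixed == false the failure path has the
 * shape described above: the blob is freed but the owner's pointer is left dangling. */
static bool populate_blob(struct awdl_peer *p, bool fixed) {
    p->bss_steering_msg_blob = calloc(1, 64);
    if (p->bss_steering_msg_blob == NULL) return false;
    if (!add_peer_to_umi_chain(p)) {
        release_blob(p->bss_steering_msg_blob);
        if (fixed) p->bss_steering_msg_blob = NULL; /* the line the other error paths have */
        return false;
    }
    return true;
}

/* Stands in for IO80211AWDLPeer::freeResources at peer teardown. */
static void free_resources(struct awdl_peer *p) {
    if (p->bss_steering_msg_blob == NULL) return;
    release_blob(p->bss_steering_msg_blob);
    p->bss_steering_msg_blob = NULL;
}

/* Runs populate-then-teardown for one peer and returns the number of double frees seen. */
static int run_scenario(bool fixed, unsigned flags) {
    struct awdl_peer peer = { NULL, flags };
    g_last_freed = 0; g_double_frees = 0;
    populate_blob(&peer, fixed);
    free_resources(&peer);
    return g_double_frees;
}
```

Only the unfixed shape with bit 11 clear produces the second release; clearing the pointer on the failure path, or letting addPeerToUmiChain succeed, leaves freeResources with exactly one release to perform.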