Four Remote Packet-of-Death Vulnerabilities In The Linux Kernel
The major VENOM security vulnerability was made public just this morning, and a few hours later a kernel developer went public with four "remote packet of death" vulnerabilities affecting a mainline Linux kernel WLAN driver.
Jason Donenfeld has discovered four remote packet-of-death vulnerabilities whereby attackers could send specially crafted packets to a machine using the OZWPAN kernel driver over the network and cause some issues. Donenfeld explained in his public announcement, "The ozwpan driver accepts network packets, parses them, and converts them into various USB functionality. There are numerous security vulnerabilities in the handling of these packets. Two of them result in a memcpy(kernel_buffer, network_packet, -length), one of them is a divide-by-zero, and one of them is a loop that decrements -1 until it's zero."
Jason has published proof-of-concept code for generating these remote packets of death. Besides the four vulnerabilities noted today, he also mentioned that there are other vulnerabilities in this driver worth investigating. Patches addressing the four "PoD" issues are now public but have yet to be mainlined.
Details on these driver vulnerabilities can be found via this kernel mailing list post. OZWPAN is a USB HCD driver that uses WiFi to communicate with wireless peripherals.
This driver is a USB HCD driver that does not have an associated physical device but instead uses Wi-Fi to communicate with the wireless peripheral. The USB requests are converted into a layer 2 network protocol and transmitted on the network using an ethertype (0x892e) registered to Ozmo Device Inc. This driver is compatible with existing wireless devices that use Ozmo Devices technology.
The devices connect to the host using Wi-Fi Direct, so a network card that supports Wi-Fi Direct is required. A recent version (0.8.x or later) of wpa_supplicant can be used to set up the network interface to create a persistent autonomous group (for older pre-WFD peripherals) or to put it in a listen state to allow group negotiation to occur for more recent devices that support WFD.
The protocol used over the network does not directly mimic the USB bus transactions as this would be rather busy and inefficient. Instead the chapter 9 requests are converted into a request/response pair of messages.
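The three bug classes named in Donenfeld's announcement (a negative length reaching memcpy, a divide-by-zero, and a runaway countdown loop) all come from using packet-supplied fields before validating them. The following is an added example, not code from the ozwpan driver or from the published patches; the header layout, field names and error codes are constructed for illustration and do not reflect the real wire format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 3-byte element header for illustration; NOT the ozwpan wire format. */
struct elt_hdr {
    uint8_t total_len;   /* claimed header + payload length */
    uint8_t unit_size;   /* size of one data unit (later used as a divisor) */
    uint8_t frame_count; /* number of frames a later loop counts down */
};
enum { ELT_TRUNCATED = -1, ELT_BAD_LEN = -2, ELT_BAD_UNIT = -3, ELT_BAD_COUNT = -4 };

/* Copies the payload to out; returns its length or a negative ELT_* error. */
int parse_elt(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_cap)
{
    struct elt_hdr h;
    if (pkt_len < sizeof(h))
        return ELT_TRUNCATED;
    memcpy(&h, pkt, sizeof(h));
    /* Negative-length memcpy: total_len - sizeof(h) underflows when the claimed
     * length is shorter than the header, so compare before subtracting. */
    if (h.total_len < sizeof(h) || h.total_len > pkt_len)
        return ELT_BAD_LEN;
    size_t payload = h.total_len - sizeof(h);
    if (payload > out_cap)
        return ELT_BAD_LEN;
    /* Divide-by-zero: the divisor comes straight from the packet. */
    if (h.unit_size == 0 || payload % h.unit_size != 0)
        return ELT_BAD_UNIT;
    /* Runaway countdown: a count that is decremented before it is tested can
     * pass zero and wrap, so bound it on both sides first. */
    if (h.frame_count == 0 || h.frame_count > payload / h.unit_size)
        return ELT_BAD_COUNT;
    memcpy(out, pkt + sizeof(h), payload);
    return (int)payload;
}

/* Builds a constructed 11-byte packet (3-byte header + 8 payload bytes) and parses it. */
int run_case(uint8_t total_len, uint8_t unit_size, uint8_t frame_count)
{
    uint8_t pkt[11] = { total_len, unit_size, frame_count, 1, 2, 3, 4, 5, 6, 7, 8 };
    uint8_t out[8];
    return parse_elt(pkt, sizeof(pkt), out, sizeof(out));
}

int main(void)
{
    printf("valid=%d short_len=%d zero_unit=%d zero_count=%d\n",
           run_case(11, 4, 2), run_case(2, 4, 2), run_case(11, 0, 2), run_case(11, 4, 0));
    return 0;
}
```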